Document | Title | Date |
20080201759 | VERSION-RESILIENCE BETWEEN A MANAGED ENVIRONMENT AND A SECURITY POLICY - A method and system for enforcing a security policy that is version-independent of a managed environment when loading custom code for a host application is provided. A security system of the managed environment receives an identifier of custom code to be loaded by the host application. Before loading the identified custom code, the managed environment enforces the security policy using the security system. The security system applies the security policy expressed using a version-independent indication of identifiers of untrusted custom code. If the security system determines that the trust of the custom code is unknown, then the security system requests a trust manager associated with the host application to enforce a host application-specific security policy. When the custom code is trusted, the managed environment loads the custom code. | 08-21-2008 |
20080201760 | SYSTEM AND METHOD FOR THE AUTOMATIC EVALUATION OF EXISTING SECURITY POLICIES AND AUTOMATIC CREATION OF NEW SECURITY POLICIES - The present invention relates to methodologies for combining policy analysis and static analysis of code and thereafter determining whether the permissions granted by the policy to the code and to the subjects executing it are appropriate. In particular, this involves verifying that too many permissions have not been granted (which would be a violation of the Principle of Least Privilege), and that the permissions being granted are sufficient to execute the code without run-time authorization failures, which would cause the program to fail to execute. | 08-21-2008 |
20080201761 | Dynamically Associating Attribute Values with Objects - Embodiments are provided to dynamically associate an attribute and an associated value to an object, including attribute-value sets to an object, but the embodiments are not so limited. In an embodiment, a system includes a directory component that can be configured to dynamically assign different values, for a set attributes, to an object. In one embodiment, a directory application can be configured to select an attribute-value set for an object based in part on a group membership determination, and a precedence parameter associated with an attribute-value, set, or other grouping. Other embodiments are available. | 08-21-2008 |
20080201762 | METHOD AND SYSTEM FOR SECURELY EXTENDING A PATH OF A MOBILE AGENT WITHIN A NETWORK SYSTEM - The present description refers in particular to a method, a system, and a computer program product for access control using resource filters for a strict separation of application and security logic. The computer-implemented method for access control may include receiving at least one access request to at least one resource from an application; providing a resource hierarchy for the at least one resource, the resource having at least one resource class, wherein the resource hierarchy is defined in a single resource; providing a policy comprising at least one access control rule for accessing at least one element of the at least one resource class; verifying the at least one access request based on the policy through an authorization service; and processing the at least one access request through a service interface. | 08-21-2008 |
20080201763 | Method and system for securing wireless local area networks - A wireless network security system including a system data store capable of storing network default and configuration data, a wireless transmitter and a system processor. The system processor performs a network security method. An active defense request signal is received, typically from an intrusion detection system. The received request signal includes an indicator of an access point within the wireless computer network that is potentially compromised. In response to the received request signal, an active defense of the wireless network is triggered. The triggered active defense may be one or more of: transmitting a jamming signal; transmitting a signal to introduce CRC errors; transmitting a signal to increase the difficulty of breaking the network encryption (typically by including in the signal packets that appear legitimate but contain randomized payloads); or transmitting a channel change request to the potentially compromised access point. | 08-21-2008 |
20080209501 | System and method for implementing mandatory access control in a computer, and applications thereof - Provided are systems and methods for implementing mandatory access control in a computer, and applications thereof. An embodiment provides a security policy generator that generates security policies for one or more machines of a network based on a single set of enterprise configuration parameters. This single set of enterprise configuration parameters comprises relatively few lines of text compared to a typical security policy file. The present invention makes it possible to easily configure, change, and adapt mandatory access control security policies to enforce application-specific security goals across many networked systems to create a single, distributed, secure enterprise. With the present invention, a network administrator, for example, can set familiar network and file configuration options that automatically result in security changes without requiring extensive knowledge of the operating system kernel or how to develop a mandatory access control security policy. | 08-28-2008 |
20080209502 | ASSOCIATING RIGHTS TO MULTIMEDIA CONTENT - A method and software to implement a method comprising receiving digital content such as multimedia content, and either ascertaining whether at least a part of the digital content has previously been associated with one or more matched referenced works or searching a store of fingerprint data of referenced works for a match. The searching includes determining a fingerprint of at least part of the digital content, e.g., multimedia content; and searching the store of fingerprint data of referenced works for a match. In the case that it has been ascertained that the work has previously been associated, or the searching has produced a match to one or more matched referenced works, associating association data to the one or more matched referenced works. Ownership data to the matched referenced works is included in the association such that use of the digital content can take into account such ownership rights. The associating of the association data is carried out in a secure manner. | 08-28-2008 |
20080209503 | METHOD AND SYSTEM FOR MANAGING LICENSE OBJECTS TO APPLICATIONS IN AN APPLICATION PLATFORM - Systems and methods are provided for managing license objects to applications in an application platform database system. The method includes associating an LMA (license manager application) with an application installed to the application platform by a developer, notifying a license manager to which the license manager application is installed of the installation of the application to the application platform, and managing subscriber access to the application using the license manager application. | 08-28-2008 |
20080209504 | GENERALIZED NETWORK SECURITY POLICY TEMPLATES FOR IMPLEMENTING SIMILAR NETWORK SECURITY POLICIES ACROSS MULTIPLE NETWORKS - The present invention is directed to a facility for adapting a network security policy model for use in a particular network. The facility retrieves the network security policy model, which comprises network security rules each specified with respect to one or more aliases. Each alias represents a role in a network for one or more network elements. The facility receives, for each alias included in the network security policy model, a list of one or more network elements in the network serving the role represented by the alias. The facility replaces each alias in the network security policy model with the received list of network security devices specified for the alias to produce a network security policy adapted for use in a network. | 08-28-2008 |
20080209505 | Policy-based physical security system for restricting access to computer resources and data flow through network equipment - Embodiments are directed to systems and methods for integration and normalization of physical security data, states and events to and from disparate physical security systems to maintain in real-time rules based policy state information to enforce physical security policies uniformly across network and information technology (IT) systems. Moreover it pertains specifically to such apparatus for providing an integration platform, methods and processes for normalizing data from physical security systems, to maintain physical security states, mapping to network access and either directly affecting the network equipment through standard programming commands or providing interfaces for network equipment and IT applications to query and determine physical security access states thus enforcing rules in real-time based on security systems data and events. | 08-28-2008 |
20080209506 | Physical access control and security monitoring system utilizing a normalized data format - Embodiments disclose a system and method for the integration of data and events to and from physical access control and security monitoring systems that is normalized to standardized definition for enforcement of standardized rules, created through a visual policy editor, affecting persistence, propagation of data and generation of alerts and notifications for physical security, network and IT systems. Data from disparate physical security systems is normalized for visual rule creation by rule object shapes representing normalized security systems, data and processes. A rules-based policy engine enforces security policies and generates actionable events. The overall system provides an integration platform, methods and processes for normalizing data from physical security systems, representation of physical security systems, data and processes for visual creation of rules using defined stencil objects, generating formatted rules, and enforcing these rules in real-time on security systems data and events. | 08-28-2008 |
20080209507 | MOBILE AUTHORIZATION USING POLICY BASED ACCESS CONTROL - An authorization engine is provided in a remote device for mobile authorization using policy based access control. To ensure that remote devices can enforce consistent authorization policies even when the devices are not connected to the server, the remote device downloads the relevant authorization policies when the business objects are downloaded and enforces the policies when operations are invoked. The memory footprint of downloadable authorization policies is reduced to fit onto a resource-constrained remote device. A policy evaluation engine interprets and enforces the downloaded policies on the remote device using only the limited computational resources of the remote device. | 08-28-2008 |
20080216147 | Data Processing Apparatus And Method - There is described a method of certifying compliance with a designated process defined by a plurality of rules which are specified in a public template, wherein at least one rule associated with a process includes a certification requirement which requires compliance with that rule to be certified by a rule certifying authority. A processing apparatus operating in a secure environment receives rule compliance data and checks the received rule compliance data to verify that any certification requirement has been satisfied. If the processing apparatus confirms that all the rules specified in the public template are satisfied, then the processing apparatus issues a process compliance certificate which is digitally signed by the process certifying authority. | 09-04-2008 |
20080216148 | Systems and methods for policy-based service management - Systems and methods for policy-based service management are provided. An exemplary system includes a rule definition interface module configured to receive a plurality of rule definitions and a separate policy management interface module configured to allow a user to define a rule instance from an existing rule definition instance and to define a policy instance based on the defined rule instance. A policy may be simply expressed via the policy management interface as "perform the following set of actions if all of the following rule instances are true unless any of the following rule instances are true." Additionally, policies may be associated with a context at a specific level in a context hierarchy having multiple levels. The policy may therefore inherit rules from contexts at a higher level in the hierarchy. | 09-04-2008 |
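The policy form in the entry above ("perform these actions if all of these rule instances are true unless any of these rule instances are true", attached to a node in a context hierarchy that inherits from its ancestors) is concrete enough to run. The following is an added example written for this page, not code from the application or its assignee; the rule definitions (`equals`, `greater`, `in_set`), the context names and the request facts are all constructed for illustration.

```python
# Rule definitions: parameterised predicates over the facts of a request.
# A rule instance binds a definition's parameters; a policy combines instances.
RULE_DEFINITIONS = {
    "equals": lambda facts, field, value: facts.get(field) == value,
    "greater": lambda facts, field, value: facts.get(field, 0) > value,
    "in_set": lambda facts, field, values: facts.get(field) in values,
}


def rule_instance(definition, **params):
    """Bind a rule definition's parameters, yielding a predicate over facts."""
    fn = RULE_DEFINITIONS[definition]
    return lambda facts: fn(facts, **params)


class Policy:
    """'Perform actions if all of all_of are true unless any of unless_any is true.'"""

    def __init__(self, name, actions, all_of=(), unless_any=()):
        self.name = name
        self.actions = list(actions)
        self.all_of = list(all_of)
        self.unless_any = list(unless_any)

    def matches(self, facts):
        return all(r(facts) for r in self.all_of) and not any(
            r(facts) for r in self.unless_any
        )


class Context:
    """A node in the context hierarchy; policies of ancestors are inherited."""

    def __init__(self, name, parent=None):
        self.name, self.parent, self.policies = name, parent, []

    def chain(self):
        # Root first, so enterprise-wide policies are evaluated before local ones.
        out, ctx = [], self
        while ctx is not None:
            out.append(ctx)
            ctx = ctx.parent
        return list(reversed(out))


def evaluate(context, facts):
    """Return (context name, policy name, actions) for every policy that fires,
    walking the hierarchy from the root down to the given context."""
    fired = []
    for ctx in context.chain():
        for policy in ctx.policies:
            if policy.matches(facts):
                fired.append((ctx.name, policy.name, policy.actions))
    return fired


def build_hierarchy():
    """Constructed hierarchy: enterprise -> finance -> payroll."""
    enterprise = Context("enterprise")
    enterprise.policies.append(Policy(
        "block_unmanaged_device", ["deny"],
        all_of=[rule_instance("equals", field="device_managed", value=False)],
        unless_any=[rule_instance("equals", field="role", value="admin")],
    ))
    finance = Context("finance", enterprise)
    finance.policies.append(Policy(
        "step_up_large_transfer", ["require_mfa", "log"],
        all_of=[rule_instance("greater", field="amount", value=10000),
                rule_instance("in_set", field="action", values={"transfer", "payout"})],
    ))
    payroll = Context("payroll", finance)
    return enterprise, finance, payroll


def decide(context, facts):
    """Flattened list of actions from every policy that fired for the request."""
    return [a for _, _, actions in evaluate(context, facts) for a in actions]


if __name__ == "__main__":
    _, _, payroll = build_hierarchy()
    print(evaluate(payroll, {"device_managed": False, "role": "clerk",
                             "amount": 25000, "action": "payout"}))
```

Because `payroll` carries no policies of its own, everything it enforces is inherited from `finance` and `enterprise`; the `unless_any` clause is what lets an admin role override the unmanaged-device denial without a second policy.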
20080216149 | Digital Authentication with Analog Documents - Security of photographic identification documents is enhanced by embedding within the photographic image encoded information that may be correlated to other information pertaining to the individual represented by the image, such other information being, for example, printed on the document adjacent to the photograph. | 09-04-2008 |
20080216150 | Offload Processing for Secure Data Transfer - Improvements in security processing are disclosed which enable security processing to be transparent to the application. Security processing (such as Secure Sockets Layer, or “SSL”, or Transport Layer Security, or “TLS”) is performed in (or controlled by) the stack. A decision to enable security processing on a connection can be based on configuration data or security policy, and can also be controlled using explicit enablement directives. Directives may also be provided for allowing applications to communicate with the security processing in the stack for other purposes. Functions within the protocol stack that need access to clear text can now be supported without loss of security processing capability. No modifications to application code, or in some cases only minor modifications (such as inclusion of code to invoke directives), are required to provide this security processing. Improved offloading of security processing is also disclosed, which provides processing efficiencies over prior art offloading techniques. Offload components can be controlled from the kernel, an SSL layer or an application. | 09-04-2008 |
20080222692 | DEVICE-INITIATED SECURITY POLICY - A method and system for executing a security policy at a mobile terminal is provided. The mobile terminal may contact an authentication entity based on the security policy. The mobile terminal may receive a response from the authentication entity indicative of a security status of the mobile terminal. The mobile terminal may execute a security action based on the received response. | 09-11-2008 |
20080222693 | Multiple security groups with common keys on distributed networks - A technique for securing message traffic in a data network using a protocol such as IPsec, and more particularly, various methods for distributing security policies among peer entities in a network while minimizing the passing and storage of detailed policy or key information except at the lowest levels of a hierarchy. | 09-11-2008 |
20080222694 | System, server, and program for access right management - Each domain is provided with an access right management device which creates a resource-sharing policy and performs processing for resource-sharing policy negotiation between a plurality of domain administrators. An access right management device that has created a resource-sharing policy identifies, for each policy unit included in the resource-sharing policy, an access right management device that is a negotiating partner to negotiate with about the policy unit in question. The access right management device generates negotiation information including an identification name of the identified negotiating-partner access right management device and the policy unit in question and sends the negotiation information to the negotiating-partner access right management device. Only when all policy units are agreed on by respective identified negotiating-partner access right management devices, the resource-sharing policy is set on shared resources. | 09-11-2008 |
20080222695 | Key management for content protection - A method for content access control operative to enable authorized devices to access protected content and to prevent unauthorized devices from accessing protected content, the method comprising: providing a plurality of authorized devices; dividing the plurality of authorized devices into a plurality of groups, each of the plurality of authorized devices being comprised in at least one of the plurality of groups, no two devices of the plurality of authorized devices being comprised in exactly the same groups; determining whether at least one device of the plurality of authorized devices is to be prevented from having access to the protected content and, if at least one device is to be prevented, removing all groups comprising the at least one device from the plurality of groups, thus producing a set of remaining groups; and determining an authorized set comprising groups from the set of remaining groups, such that each device of the plurality of authorized devices which was not determined, in the determining whether step, to be prevented from having access is comprised in at least one group of the authorized set. | 09-11-2008 |
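The revocation scheme in the entry above (devices partitioned into overlapping groups such that each device's set of groups is unique; revoking a device removes every group containing it; an authorized set is then chosen from the remaining groups to cover all other devices) is the subset-cover pattern used by broadcast encryption. The example below is added for this page and is not code from the application: it builds the groups as the subtrees of a binary tree over the devices, which satisfies the uniqueness precondition, picks the authorized set greedily, and wraps a content key once per authorized group. The master secret, the HMAC-based group-key derivation and the XOR wrapping are constructed for illustration; a real system would use a proper KEM or AEAD for the wrap.

```python
import hashlib
import hmac


def tree_groups(n_devices):
    """Group structure: every subtree of a full binary tree whose leaves are the
    devices. A device belongs to the subtrees on its root-to-leaf path, so no
    two devices are in exactly the same set of groups (the abstract's precondition)."""
    assert n_devices > 0 and n_devices & (n_devices - 1) == 0, "power of two"
    groups, size = [], n_devices
    while size >= 1:
        for start in range(0, n_devices, size):
            groups.append(frozenset(range(start, start + size)))
        size //= 2
    return groups


def membership_is_unique(devices, groups):
    """Check that the set of groups containing a device identifies that device."""
    seen = set()
    for d in devices:
        mask = frozenset(i for i, g in enumerate(groups) if d in g)
        if mask in seen:
            return False
        seen.add(mask)
    return True


def authorized_set(groups, devices, revoked):
    """Drop every group that contains a revoked device, then greedily pick
    remaining groups until every non-revoked device is covered."""
    remaining = [(i, g) for i, g in enumerate(groups) if not (g & revoked)]
    uncovered = set(devices) - set(revoked)
    chosen = []
    while uncovered:
        i, g = max(remaining, key=lambda ig: len(ig[1] & uncovered))
        if not (g & uncovered):
            raise ValueError("remaining groups cannot cover all authorized devices")
        chosen.append(i)
        uncovered -= g
    return chosen


def group_key(master, index):
    # Group keys derived from a server-side master secret (constructed assumption).
    return hmac.new(master, b"group-%d" % index, hashlib.sha256).digest()


def wrap_content_key(master, chosen, content_key, nonce):
    """Content header: the content key wrapped under each authorized group key.
    Wrapping here is XOR with a SHA-256 pad, a stand-in for a real key wrap."""
    header = {}
    for i in chosen:
        pad = hashlib.sha256(group_key(master, i) + nonce).digest()
        header[i] = bytes(a ^ b for a, b in zip(content_key, pad))
    return header


def device_unwrap(device, groups, device_keys, header, nonce):
    """A device holds only the keys of its own groups; it recovers the content
    key iff one of those groups appears in the header, and None otherwise."""
    for i, g in enumerate(groups):
        if device in g and i in header:
            pad = hashlib.sha256(device_keys[i] + nonce).digest()
            return bytes(a ^ b for a, b in zip(header[i], pad))
    return None


def demo(revoked=frozenset({3})):
    """Eight constructed devices; returns the chosen group indices and, per
    device, whether it could recover the content key."""
    devices = range(8)
    groups = tree_groups(8)
    assert membership_is_unique(devices, groups)
    master = b"constructed-master-secret"
    content_key = bytes(range(32))          # constructed sample content key
    nonce = b"constructed-nonce"
    chosen = authorized_set(groups, devices, revoked)
    header = wrap_content_key(master, chosen, content_key, nonce)
    results = {}
    for d in devices:
        keys = {i: group_key(master, i) for i, g in enumerate(groups) if d in g}
        results[d] = device_unwrap(d, groups, keys, header, nonce) == content_key
    return chosen, results


if __name__ == "__main__":
    print(demo())
```

With eight devices and device 3 revoked, the header needs only three wrapped copies (subtree 4-7, pair 0-1, leaf 2) instead of seven, which is the point of the group structure; the revoked device, whose groups were all removed, finds none of its keys in the header.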
20080222696 | System, Method, Apparatus, and Computer Program Product for Facilitating Digital Communications - A computer-implemented method and apparatus prevents unsecured access to a computer over a network by a client running on a remote computer. In one aspect of the present invention, a client policy is stored on the remote computer. The client policy includes a configuration of the remote computer that reduces the likelihood of a security breach of the computer as a result of the remote computer accessing the computer. A request is received from a user for access to the computer. It is verified that the remote computer conforms with the client policy, and the client is connected to said computer. | 09-11-2008 |
20080222697 | Application Server Object-level Security for Distributed Computing Domains - Objects on application servers may be defined into classes which receive different levels of security protection, such as definition of user objects and administrative objects. Domain-wide security may be enforced on administrative objects, which user object security may be configured separately for each application server in a domain. In a CORBA architecture, IOR's for shared objects which are to be secured on a domain-wide basis, such as administrative objects, are provided with tagged components during IOR creation and exporting to a name server. Later, when the IOR is used by a client, the client invokes necessary security measures such as authentication, authorization and transport protection according to the tagged components. | 09-11-2008 |
20080222698 | Secure Computer Communication - A method of improving the security of computer communications over a connecting network comprising the steps, carried out before a data packet enters the connecting network from a user domain, of tagging the data packet from a user domain with a security level marking and appending the tagged data packet with a string formed from a check-sum made over the data packet and security level marking tag to form a datagram. The integrity of the data is protected and the method can be used to prevent the mis-routing of data packets to user domains of lower security classification. | 09-11-2008 |
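The datagram construction in the entry above (packet, then a security-level marking, then an integrity string over both) is easy to show end to end. The following is an added example for this page, not code from the application. One caveat a practitioner would raise: an unkeyed check-sum, as the abstract describes, only catches accidental corruption, so this example substitutes an HMAC under a key assumed to be shared by the domain gateways so that a marking cannot be downgraded in transit. The level names, the gateway key and the sample payload are constructed.

```python
import hashlib
import hmac

# Constructed classification lattice: higher number, higher sensitivity.
LEVELS = {"UNCLASSIFIED": 0, "RESTRICTED": 1, "CONFIDENTIAL": 2, "SECRET": 3}
MAC_LEN = 32                 # HMAC-SHA256
TAG_LEN = 1 + MAC_LEN        # one level byte plus the integrity string


def tag_packet(packet, level, key):
    """Applied at the user-domain boundary before the packet enters the network:
    append the level marking, then an HMAC over packet + marking."""
    body = packet + bytes([LEVELS[level]])
    mac = hmac.new(key, body, hashlib.sha256).digest()
    return body + mac


def check_datagram(datagram, domain_level, key):
    """Receiving gateway: verify integrity first, then refuse delivery into a
    user domain whose classification is lower than the marking.
    Returns (accepted, reason, packet-or-None)."""
    if len(datagram) < TAG_LEN:
        return False, "too short", None
    body, mac = datagram[:-MAC_LEN], datagram[-MAC_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, mac):
        return False, "integrity check failed", None
    level = body[-1]
    if level not in LEVELS.values():
        return False, "unknown marking", None
    if level > LEVELS[domain_level]:
        return False, "marking exceeds domain classification", None
    return True, "ok", body[:-1]


def demo():
    """Constructed scenarios: correct delivery, mis-routing to a lower domain,
    and an in-transit downgrade of the marking byte."""
    key = b"constructed-gateway-key"
    packet = b"payroll export Q3"            # constructed sample payload
    dg = tag_packet(packet, "SECRET", key)
    to_secret = check_datagram(dg, "SECRET", key)
    misrouted = check_datagram(dg, "CONFIDENTIAL", key)
    # Attacker rewrites the level byte to UNCLASSIFIED but cannot fix the MAC.
    downgraded = dg[:-TAG_LEN] + bytes([LEVELS["UNCLASSIFIED"]]) + dg[-MAC_LEN:]
    tampered = check_datagram(downgraded, "UNCLASSIFIED", key)
    return {"secret_domain": to_secret, "confidential_domain": misrouted,
            "downgraded": tampered}


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome[:2])
```

The order of checks matters: integrity is verified before the marking is interpreted, so a forged or corrupted marking never influences the routing decision.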
20080229381 | SYSTEMS AND METHODS FOR MANAGING APPLICATION SECURITY PROFILES - Systems and methods for configuring and evaluating policies that direct processing of one or more data streams are described. A configuration interface is described for allowing users to specify object oriented policies. These object oriented policies may allow any data structures to be applied with respect to a payload of a received packet stream, including any portions of HTTP traffic. A configuration interface may also allow the user to control the order in which policies and policy groups are executed, in addition to specifying actions to be taken if one or more policies are undefined. Systems and methods for processing the policies may allow efficient processing of object-oriented policies by applying potentially complex data structures to unstructured data streams. A device may also interpret and process a number of flow control commands and policy group invocation statements to determine an order of execution among a number of policies and policy groups. These policy configurations and processing may allow configuration and processing of complex network behaviors relating to load balancing, VPNs, SSL offloading, content switching, application security, acceleration, and caching. | 09-18-2008 |
20080229382 | MOBILE ACCESS TERMINAL SECURITY FUNCTION - Provided are a method, wireless communication device, and wireless communications system for managing packet data transmissions. The method includes receiving a set of security policies ( | 09-18-2008 |
20080229383 | CREDENTIAL CATEGORIZATION - The user can associate metadata with information cards. The metadata can include, among other possibilities, string names, icons, user policies, containers, and hierarchies. The metadata is stored by the computer system. The metadata can then be used to filter the set of information cards that can satisfy a security policy from a relying party. | 09-18-2008 |
20080229384 | POLICY-BASED AUDITING OF IDENTITY CREDENTIAL DISCLOSURE BY A SECURE TOKEN SERVICE - A user defines an audit policy. The audit policy identifies one or more triggers that, when related information is included in a security token, trigger the performance of the audit. The audit can include notifying the user in some manner that the trigger occurred. The audit can require in-line confirmation of the audit, so that the security token is not transmitted until the user confirms the audit. | 09-18-2008 |
20080229385 | Mobility Aware Policy and Charging Control in a Wireless Communication Network - One embodiment of the present invention provides a method for implementation in a policy control and charging rules functional entity in a wireless communication system. The method includes receiving, from at least one of a source policy and charging enforcement function in a source access network or a target policy and charging enforcement function in a target access network, information indicative of a mobile unit that has handed off from the source access network to the target access network. The method also includes establishing a first session for communicating policy and charging rules associated with the mobile unit. The first session is concurrent with a second session for communicating policy and charging rules associated with the mobile unit. The second session was previously established with the source policy and charging enforcement function in the source access network. The method further includes transmitting at least one policy and charging rule to the target policy and charging enforcement function using the first session. | 09-18-2008 |
20080229386 | Substrate processing apparatus - The object of the present invention is to provide a substrate processing apparatus and a substrate processing system capable of performing appropriate processing in response to the operating condition of the substrate processing apparatus and of improving the availability rate of the apparatus. The substrate processing apparatus includes: a storage section for storing a plurality of recipes describing a procedure for processing a substrate and operating authorities of a user corresponding to the plurality of recipes; and a display section for displaying an authority setting screen for setting the operating authorities of the user for the respective recipes and an editing screen for editing a recipe stored in the storage section on the basis of the operating authority set via the authority setting screen. The substrate processing apparatus can edit the authority setting screen displayed by the display section and can set different operating authorities for the recipe depending on whether the operating condition of the substrate processing apparatus is online or offline. | 09-18-2008 |
20080229387 | Drm System - A method of and system for digital rights management, in which access to a piece of content is granted in accordance with a license owned by a license owner to a client who is a member of a domain. This requires successfully verifying that a membership relation exists between the client and the domain as reflected in a first state variable, and that an association relation exists between the license owner and the domain as reflected in a second state variable. Both relationships are revoked by executing an online protocol between the parties in the relationship, after which both remove the corresponding state variable. The domain controller propagates the state administration relating to the domain to the client so that the client can update its state administration. | 09-18-2008 |
20080229388 | DEVICE AGENT - Device agents and methods are disclosed. In one embodiment, the method comprises monitoring, at an access device, at least a subset of device activity. The method further comprises detecting an activity satisfies at least one condition specified by a policy and executing at least one action in the policy associated with the satisfied condition. | 09-18-2008 |
20080235754 | Methods and apparatus for enforcing launch policies in processing systems - A processing system has a processing unit, nonvolatile storage, and secure nonvolatile memory with inherent access control. The nonvolatile storage includes an authenticated code (AC) module, a launch policy setting, and a second code module. The secure nonvolatile memory includes an integrity metric for the launch policy setting. When executed by the processing unit, the AC module computes a new integrity metric for the launch policy setting, and uses the new integrity metric for the launch policy setting and the integrity metric for the launch policy setting to determine whether the launch policy setting should be trusted. The AC module may also compute a new integrity metric for the second code module, and may use the launch policy setting and the new integrity metric for the second code module to determine whether the second code module should be allowed to execute. | 09-25-2008 |
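The launch-policy check in the entry above has two steps that are worth seeing separately: the AC module re-measures the policy setting held in ordinary nonvolatile storage and compares it with the reference metric in access-controlled secure memory, and only a policy that passes that check is consulted to decide whether the second code module may run. The example below is added for this page and is not the application's or any vendor's code; the JSON policy layout, the `SecureNV` stand-in for secure nonvolatile memory, and the sample module bytes are constructed.

```python
import hashlib
import hmac
import json


def measure(data):
    """Integrity metric: SHA-256 over the bytes as stored."""
    return hashlib.sha256(data).digest()


class SecureNV:
    """Stand-in for secure nonvolatile memory with inherent access control:
    holds the reference metric for the launch policy setting, written only at
    provisioning time (constructed assumption)."""

    def __init__(self, policy_metric):
        self._policy_metric = policy_metric

    def policy_metric(self):
        return self._policy_metric


def provision(policy_dict, module_bytes):
    """Provisioning: serialise the policy deterministically, store it and the
    second code module in ordinary storage, and seal the policy's metric."""
    policy_bytes = json.dumps(policy_dict, sort_keys=True).encode()
    storage = {"launch_policy": policy_bytes, "second_module": module_bytes}
    return storage, SecureNV(measure(policy_bytes))


def ac_module(storage, secure_nv):
    """AC module logic. Step 1: trust the launch policy setting only if its fresh
    metric matches the sealed one. Step 2: apply the trusted policy to the fresh
    metric of the second code module."""
    policy_bytes = storage["launch_policy"]
    if not hmac.compare_digest(measure(policy_bytes), secure_nv.policy_metric()):
        return {"policy_trusted": False, "launch": False,
                "reason": "launch policy integrity mismatch"}
    policy = json.loads(policy_bytes)
    code_metric = measure(storage["second_module"]).hex()
    if code_metric in policy["allowed_module_hashes"]:
        return {"policy_trusted": True, "launch": True,
                "reason": "module metric listed in policy"}
    return {"policy_trusted": True, "launch": False,
            "reason": "module metric not in policy"}


def demo():
    """Constructed scenarios: intact system, swapped module, and an attacker who
    edits the policy in ordinary storage to allow-list their module."""
    good = b"constructed second code module v1"
    evil = b"constructed tampered module"
    policy = {"allowed_module_hashes": [measure(good).hex()]}
    storage, secure_nv = provision(policy, good)

    intact = ac_module(storage, secure_nv)
    swapped = ac_module(dict(storage, second_module=evil), secure_nv)
    forged = {"allowed_module_hashes": policy["allowed_module_hashes"] + [measure(evil).hex()]}
    forged_bytes = json.dumps(forged, sort_keys=True).encode()
    tampered = ac_module(dict(storage, launch_policy=forged_bytes, second_module=evil),
                         secure_nv)
    return intact, swapped, tampered


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The third scenario is the one the sealed metric exists for: rewriting the policy in ordinary storage is cheap, but without write access to the secure memory the attacker cannot make the rewritten policy measure correctly, so it is never consulted.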
20080235755 | Firewall propagation - Methods and systems for propagating data security policies and rules up a chain of network components, for example, from an end-user device having a firewall, to a network component at the "edge" of the network, such as a so-called "edge" firewall server, from where a policy statement can be transmitted to a service provider, such as an ISP, are described. A device, such as a computer or mobile phone, has, as part of its firewall software, a policy propagation file that communicates with pre-existing firewall software. The firewall software creates a policy statement upon detecting a triggering event, which is transmitted from the device to the next data security component up the chain, "upstream," in the network. In some cases this component may be a firewall server or a firewall policy server. The firewall server may combine policy statements from numerous end-user type devices and transmit the policy statement to an external network component, such as an ISP firewall server or similar device. The ISP or other service provider may then use the policy statement to implement data security rules for the devices in the network. In this manner, the firewall operated by the ISP implements rules and policies of a network owner or the owner of a stand-alone device, thereby preventing unwanted traffic from entering the network. | 09-25-2008 |
20080235756 | Resource authorizations dependent on emulation environment isolation policies - A system, method, computer program product, and carrier are described for obtaining a resource authorization dependent upon apparent compliance with a policy of causing an emulation environment to isolate a first software object type from a second software object type; and signaling a decision whether to comply with the policy of causing the emulation environment to isolate the first software object type from the second software object type. | 09-25-2008 |
20080235757 | Detecting attempts to change memory - A system and method for detecting changes of memory state. In accordance with one embodiment, memory locations to be observed are determined, and pages of these locations are marked as read-only. Then, guest instructions execute during a trial period. During the trial period, guest instructions attempting to write to the identified memory locations cause page faults which result in identifying the instructions. At the end of the trial period, the pages are returned to a writable status, and attempts to modify the memory locations by the guest code are detected based on the instruction identifier. The system and method can be used for efficient frame list topology monitoring, such as in a virtual USB controller of a virtual machine. | 09-25-2008 |
20080235758 | Method for processing securities data - A method for processing securities data comprises: analyzing a plurality of fields of a plurality of securities data in order to respectively conclude the statistic distribution summary of the values of each field of each securities data; defining a grouping and encoding process for the fields according to the distribution summary, and unifying the grouping and encoding processes for all fields into an encoding rule; and encoding the other securities data according to the encoding rule. The encoding rule can greatly reduce the amount of data and it comprises: classifying and rearranging number according to the codes of securities data in order to reduce the size of the transmission serial codes; indicating the relative price for the price of the securities data; indicating the relative time difference for the securities data which have any trading records in the previous one minute; and offering suitable field width and encoding process according to the size of each securities data to indicate its amount. | 09-25-2008 |
20080235759 | Methods and Systems for Transparent Data Encryption and Decryption - A method and system for transparently encrypting (and decrypting) sensitive data stored in a directory (or other database) is provided. Sensitive data, a password for example, may be required by a client in a distributed data processing environment. When the database entry is created, the sensitive data received from a user, or more generally, a client, may be encrypted, and saved in the directory entry in encrypted form. Encryption of sensitive data may be performed in accordance with a predetermined set of policies. When the sensitive information is needed, it may be selectively delivered in encrypted or unencrypted form based on a policy in the set. Policies may include criteria external to the database, and interfaced to the database via a policy engine. | 09-25-2008 |
20080235760 | Confidential Content Reporting System and Method with Electronic Mail Verification Functionality - A confidential content reporting system and method with electronic mail verification functionality are provided. With the system and method, a security compliance search engine is provided for searching items of information to identify items containing confidential content and security violations with regard to this confidential content. Results of the search may be reported to a user via a graphical user interface (GUI) that identifies the item of information, the security violations detected, and suggested corrective actions, such as encryption. A user may interact with the GUI to apply security mechanisms in accordance with the suggested corrective actions. Moreover, the searching and reporting mechanism may be used to search electronic mail messages and their attachments prior to distribution of the electronic mail messages. Automatic modification of the electronic mail message to modify distribution lists and/or content of the electronic mail message may be performed using the mechanisms of the illustrative embodiments. | 09-25-2008 |
20080235761 | AUTOMATED DISSEMINATION OF ENTERPRISE POLICY FOR RUNTIME CUSTOMIZATION OF RESOURCE ARBITRATION - A system and method for disseminating policies to multiple policy-based components includes a policy producer which generates a group of policies to be enforced. A policy disseminator classifies each policy with a type, and for each policy type, the policy disseminator identifies policy-based components that handle a corresponding policy type. The policy disseminator sends specific policy types from the group of policies to each policy-based component that can handle that specific policy type. | 09-25-2008 |
20080244685 | Method and Apparatus for Providing Dynamic Security Management - Methods and devices provide dynamic security management in an apparatus, such as a mobile telephone terminal. The apparatus includes a platform for running an application; a security manager for handling access of the application to functions existing in the apparatus; an application interface (API) between the platform and the application; a set of access permissions stored in the apparatus and used by the security manager for controlling access of the application to functions through the application interface. Methods can include downloading into the apparatus an object containing access permissions applicable to at least one function; verifying the object; and installing the access permissions together with the existing permissions. | 10-02-2008 |
20080244686 | Systems and Methods for Enhancing Security of Files - Systems and methods for enhancing security of files are provided. A representative method includes: associating information with a file, the information identifying contents of the file; monitoring the information and the file contents; detecting a lack of correlation between the information and the file; and responsive to detecting the lack of correlation, storing information corresponding to a modification of the file separately from the file. | 10-02-2008 |
20080244687 | FEDERATED ROLE PROVISIONING - In various embodiments, techniques for federated role provisioning are provided. A federated role definition for a resource is constructed and distributed. The federated role definition includes a role hierarchy having role assignments and constraints for dynamically resolving and binding a resource to particular ones of the role assignments. A resource may have role assignments statically bound to its identity and dynamically bound to its identity. Furthermore, some role assignments may be inherited from the role hierarchy. | 10-02-2008 |
20080244688 | VIRTUALIZED FEDERATED ROLE PROVISIONING - In various embodiments, techniques for virtualized federated role provisioning are provided. An entire policy and role provisioning environment is packaged in a first environment and sent to a second environment. The second environment authenticates and initiates the policy and role provisioning environment as a virtualized federated role provisioning service or a shared policy decision point service. The shared policy decision point service dynamically resolves policy, roles, and constraints for requesting resources within the second environment and supplies this information to a local policy enforcement point service that enforces roles on the resources. | 10-02-2008 |
20080244689 | Extensible Ubiquitous Secure Operating Environment - The present invention provides a portable and secure computer operating system, and applications that can be used securely on virtually any computer system regardless of its security state (i.e., regardless of the presence of computer viruses, Trojan code, keylogging software, or any other malicious mobile code that may exist on the host computer system). The present invention is embodied within three (3) components including 1) the client desktop or server software, 2) the appliance-based management server, and 3) the media (i.e., including but not limited to a USB thumb drive or CDROM) on which the client desktop or server software is installed. | 10-02-2008 |
20080244690 | DERIVING REMEDIATIONS FROM SECURITY COMPLIANCE RULES - Systems and methods that automatically generate remediation processes, such as acts performed as part of a benchmark model, to improve and update a machine's compliance with security policies. A remediation component can automatically determine the processes that are required to change and increase compliance of a machine with a security policy, and hence improve its security level. | 10-02-2008 |
20080244691 | Dynamic threat vector update - A security manager aggregates various security components into a unified user interface. For each security component, the security manager may obtain an updated policy description that defines specific groups of settings for the component in terms of several threat conditions. Using the groups of settings, the security manager may classify a current state of a security component into a category. Some embodiments may use a standardized schema for an interface between a security component and the security manager. The schema may be implemented with an adapter that translates the specific settings of a security component into data for the security manager. In some embodiments, the adapter may also receive updated policy descriptions and perform a classification of the current settings. | 10-02-2008 |
20080244692 | SMART WEB SERVICES SECURITY POLICY SELECTION AND VALIDATION - A computer-implemented method to select a web service security policy alternative can comprise selecting a web service security policy alternative at runtime based on previously collected data concerning the web service and using the selected web service security policy alternative for a web service message. In addition, a computer-implemented method to prevent intrusion can use a honey policy that can be defined by the administrator in order to attract and closely monitor the hackers. | 10-02-2008 |
20080244693 | SMART WEB SERVICES POLICY SELECTION USING MACHINE LEARNING - A computer-implemented method to select a Web Service policy alternative can use previously collected data concerning the Web Service to select a desirable Web Service policy alternative at runtime. The selected Web Service policy alternative can then be applied to a Web Service message such as a SOAP message. | 10-02-2008 |
20080244694 | Automated collection of forensic evidence associated with a network security incident - An automated collection of forensic evidence associated with a security incident is provided by an arrangement in which different security products called endpoints in an enterprise network are enabled for sharing security-related information over a common communication channel using an abstraction called a security assessment. A security assessment is generally configured to indicate an endpoint's understanding of a detected security incident that pertains to an object in the environment which may include users, computers, IP addresses, and website URIs (Universal Resource Identifiers). The security assessment is published by the endpoint into the channel and received by subscribing endpoints. The security assessment triggers the receiving endpoints to go into a more comprehensive or detailed mode of evidence collection. In addition, any forensic evidence having relevance to the security incident that may have already been collected prior to the detection will be marked for retention so that it is not otherwise deleted. | 10-02-2008 |
20080244695 | Total system for preventing information outflow from inside - Disclosed is a system for monitoring data flow for security including: a computing device for executing an application program and creating human-readable print-out data; and a control unit for receiving information, which is associated with the human-readable print-out data from an application program, and controlling a printing device based on the received information, wherein the information has an attribute of the human-readable print-out data to be output. The attribute of the human-readable print-out data is provided by a security program which is installed in the computing device, the attribute includes at least the user's IP of the computing device, and the information is merged into the human-readable print-out data by the printing device. | 10-02-2008 |
20080244696 | Dynamic Access Control in a Content-Based Publish/Subscribe System with Delivery Guarantees - Improved access control techniques for distributed messaging systems such as content-based publish/subscribe systems are disclosed. For example, a method for providing access control in a content-based publish/subscribe system, wherein messages are delivered from publishing clients to subscribing clients via a plurality of brokers, includes the following steps/operations. One or more changes to an access control policy are specified. An access control version identifier is associated to the one or more changes. The one or more changes are sent to one or more brokers of the plurality of brokers that have a publishing client or a subscribing client associated therewith that is affected by the one or more changes. The access control version identifier associated with the one or more changes is sent to each of the plurality of brokers. | 10-02-2008 |
20080244697 | Security Objects Controlling Access To Resources - Controlling access to resources through use of security objects including creating a security object in dependence upon user-selected security control data types, the security object comprising security control data and at least one security method; receiving a request for access to the resource; receiving security request data; and determining access to the resource in dependence upon the security control data and the security request data. Creating a security object includes storing in the security object a resource identification for the resource; storing in the security object an authorization level of access for the resource; storing in the security object user-selected security control data types; and storing in the security object security control data for each user-selected security control data type. Embodiments include deploying the security object on a security server or on a client device. | 10-02-2008 |
20080250471 | PARENTAL CONTROL USING SOCIAL METRICS SYSTEM AND METHOD - A parent defines friend rules for on-line association with their child. Upon a request of an on-line stranger to be a new friend of the child, stranger information about the on-line stranger is retrieved and compared to the friend rules to determine whether the stranger is allowed, blocked or restricted from being a friend with the child. Accordingly, the parent only has to use a minimal amount of time in establishing the friend rules to protect the parent's child from on-line strangers. | 10-09-2008 |
20080250472 | INFORMATION PROCESSING SYSTEM, INFORMATION PROCESSING APPARATUS, INFORMATION PROCESSING METHOD AND COMPUTER READABLE MEDIUM - An information processing system includes: an information processing apparatus that includes: an acceptance unit that accepts selection of a function and a start command of processing relating to the selected function; a determination unit that determines element processing executed to provide the selected function; and a request unit that makes an execution permission request of the element processing determined in association with the selected function before the start command of processing relating to the selected function is accepted; and a permission management apparatus that accepts the execution permission request of processing from the information processing apparatus, determines whether or not the execution is permitted, and informs the information processing apparatus of the determination result. | 10-09-2008 |
20080250473 | METHOD, SYSTEM AND COMPUTER PROGRAM FOR CONFIGURING FIREWALLS - A solution (A1-A16) is proposed for distributing a software product to a set of data processing entities (such as endpoints) in a data processing system; the system includes a set of security applications (such as firewalls), which are adapted to control communications of the entities. A corresponding method starts with the step of determining a target configuration of the security applications for allowing execution of the software product on the entities. A software package (or more), being adapted to enforce the software product and the target configuration, is then built (A11). The method continues by distributing (A12-A16) the software package in the system, so as to cause the application of the software package for enforcing the software product on each entity and the target configuration of each security application. | 10-09-2008 |
20080250474 | Collaborative Email With Delegable Authorities - Writing a collaborative email document with hierarchical authorities including establishing a collaborative email document on an administrator's computer, identifying one or more signatories for the document, identifying one or more collaborators who are authorized to view and edit the document, providing to the collaborators copies of the document for viewing and editing, where the collaborators' copies reside on collaborators' computers, updating the copies of the document on collaborators' computers with revisions from the collaborators, and sending the collaborative email document from the administrator's computer to addressees when the document bears valid digital signatures from all signatories. Typical embodiments also include providing at least one user authority to delegate signature authority, establishing a hierarchy of delegation authority for signatures, establishing at least one authority delegation policy including at least one rule for automated delegation of signature authority among signatories and delegating signature authority from at least one signatory to another. | 10-09-2008 |
20080256592 | Managing Digital Rights for Multiple Assets in an Envelope - Techniques enable building a collection of data that defines an asset, with the data possibly having differing data types. These techniques are then capable of assigning arbitrary policy to that asset, regardless of which data types are present within the asset. In addition, these techniques enable packaging of this first asset with one or more additional assets in a self-contained envelope. Each asset within the envelope may similarly include data of differing data types. Furthermore, each of these assets may be assigned a policy that may be different than the policy assigned to the first asset. This envelope, or a collection of envelopes, may then be provided to a content-consuming device to consume the assets in accordance with each asset's specified policy. | 10-16-2008 |
20080256593 | Policy-Management Infrastructure - Described herein are one or more implementations of a policy-management infrastructure that provides a universal policy-based solution across a spectrum of scenarios in a computing environment. At least one implementation of the policy-management infrastructure defines how policy-based data is structured or layered relative towards the data in other layers. Furthermore, a described implementation provides a mechanism for determining “overlap” and “conflicts” in policies. | 10-16-2008 |
20080256594 | Method and apparatus for managing digital identities through a single interface - Method and apparatus for managing digital identities through a single interface is described. One aspect of the invention relates to managing digital identities related to a user. An identity policy of an entity is obtained. At least one relevant digital identity is selected from the digital identities. Each relevant digital identity includes information required by the identity policy. A selected digital identity is obtained from the relevant digital identity or identities. A representation of the selected digital identity is provided to the entity that complies with the identity policy. | 10-16-2008 |
20080256595 | METHOD AND DEVICE FOR VERIFYING THE SECURITY OF A COMPUTING PLATFORM - Method and device for verifying the security of a computing platform. In the method for verifying the security of a computing platform, a verification machine first transmits a verification request via an integrity verification component to the platform. Then the platform generates, by means of a trusted platform module, a verification result depending on the binaries loaded on the platform, and transmits it to the integrity verification component. Afterwards, the integrity verification component determines the security properties of the platform from the received verification result and transmits them to the verification machine. Finally, the verification machine determines whether the determined security properties comply with the desired security properties. | 10-16-2008 |
20080263624 | Contents Using Device, and Contents Using Method - A contents using device (or a terminal device) | 10-23-2008 |
20080263625 | METHOD AND SYSTEM FOR ACCESS CONTROL USING RESOURCE FILTERS - The present description refers in particular to a method, a system, and a computer program product for access control using resource filters for a strict separation of application and security logic. The computer-implemented method for access control may include receiving at least one access request to at least one resource from an application; providing a resource hierarchy for the at least one resource, the resource having at least one resource class, wherein the resource hierarchy is defined in a single resource; providing a policy comprising at least one access control rule for accessing at least one element of the at least one resource class; verifying the at least one access request based on the policy through an authorization service; and processing the at least one access request through a service interface. | 10-23-2008 |
20080263626 | Method and system for logging a network communication event - A method of logging a network communication event includes a step of identifying a network communication event within a communication leaving a computer network. The method also includes steps of identifying a network address associated with the communication, and associating a user identity with the network address. It should be appreciated that the network address may include a dynamic network address. In addition, information is logged associating the user identity with the network communication event. | 10-23-2008 |
20080263627 | System and Method for Identifying a Cookie as a Privacy Threat - A system and method for identifying a cookie as a privacy threat is disclosed. The system and method include receiving a request to install a cookie. A privacy policy associated with the cookie is also received, and that privacy policy may be evaluated against a set of predefined criteria. Based on this evaluation, the cookie may be determined to be a privacy threat. | 10-23-2008 |
20080263628 | MANAGING COMMUNICATIONS BETWEEN ROBOTS AND CONTROLLERS - The present disclosure is directed to a system and method for managing communications with robots. In some implementations, a computer network, where operators interface with the network to control movement of robots on a wireless computer network includes a network arena controller and a plurality of robot controllers. The network arena controller is configured to provide firewall policies to substantially secure communication between robot controllers and the associated robots. Each controller is included in a different robot and configured to wirelessly communicate with the network arena controller. Each robot controller executes firewall policies to substantially secure wireless communication. | 10-23-2008 |
20080271109 | PHYSICAL SECURITY TRIGGERED DYNAMIC NETWORK AUTHENTICATION AND AUTHORIZATION - A unified access control component (UACC) can maintain information relating to network access information and physical location information associated with respective users who may access a network that can include network resources (e.g., applications, information). The UACC can cross reference the network access information (e.g., user network access events, credentials, and policy) and physical location information (e.g., user physical access events, credentials, and policy) and can generate and enforce a unified network access policy based on network access information and physical location information associated with a particular user. After network access privileges have been granted to a user, the UACC can continue to monitor the user. The UACC can include a dynamic authentication component that can request a user re-authenticate if a change in the physical location and/or network access associated with the user is detected, such that a re-computation of network access privileges is desired. | 10-30-2008 |
20080271110 | Systems and Methods for Monitoring Compliance With Standards or Policies - In one embodiment, a system or method pertains to accessing a model that comprises a computer-readable version of a standard or policy, identifying rules or requirements specified by the model that pertain to compliance with the standard or policy, and automatically generating questions relevant to the identified rules or requirements, the questions being intended to query intended respondents as to compliance with the identified rules or requirements. | 10-30-2008 |
20080271111 | EFFICIENT POLICY CONFLICT DETECTION - A method and computer program product for detecting a policy conflict in a managed system includes examining a plurality of policy rules for overlapping policy targets, in response to finding no overlapping policy targets, reporting that the policy rules do not conflict, and in response to finding overlapping policy targets, examining the plurality of policy rules for at least two rules having a same condition and a same event, and, in response to not finding at least two rules having a same condition and a same event, reporting that the policy rules do not conflict. | 10-30-2008 |
20080271112 | AUTOMATIC FILE TRANSFER - A computer-readable medium contains software that, when executed by a processor, causes the processor to perform various actions. For example, as a result of a user-initiated event, the software causes the processor to automatically select at least one file from among a plurality of files based on a policy, and to automatically transfer the selected at least one file across a network. | 10-30-2008 |
20080271113 | POLICY CONTROL IN A NETWORK - There are disclosed measures for policy control in a network, including an authorization check. Namely, a method of policy control in a network comprises obtaining, at an application function entity of the network, a request for a service, determining, at the application function entity, whether service information associated with the requested service requires an authorization check or a configuration of a policy enforcement entity of the network, and providing, depending on the determining result, an indication from the application function entity to a policy control entity of the network, whether or not the policy enforcement entity is to be configured for the requested service information, together with that requested service information. | 10-30-2008 |
20080271114 | SYSTEM FOR PROVIDING AND UTILIZING A NETWORK TRUSTED CONTEXT - A system for establishing a connection between a data server and a middleware server is disclosed. The system includes defining a plurality of trust attributes corresponding to a trusted context between the middleware server and the data server and validating the plurality of trust attributes against a plurality of attributes corresponding to the middleware server. The plurality of attributes is provided in a connection request. The system also includes establishing the trusted context based on validating the plurality of trust attributes. | 10-30-2008 |
20080276294 | LEGAL INTERCEPT OF COMMUNICATION TRAFFIC PARTICULARLY USEFUL IN A MOBILE ENVIRONMENT - Methods, structures, and systems are disclosed for implementing legal intercept of data which provide real-time correlation of broadband user information to network addresses (or other identifiers) across multiple and different authentication systems and user databases. In certain embodiments, an intercept coordinator module interacts with each authentication system to determine in real time a target address for a target user device, which it then uses to update mediation devices, external databases, etc., involved in performing a lawful intercept under the CALEA process. Probes are not required within the network to perform authentication system captures. A modular interface system provides support for existing CALEA equipment, and support for implementing additional interface modules for new or updated CALEA equipment. Exemplary intercept coordinator modules may communicate with multiple AAA systems, in multiple different sub-nets or networks, including geographically distant networks, and provide for pooling of common CALEA equipment resources for use in multiple networks simultaneously. | 11-06-2008 |
20080276295 | NETWORK SECURITY SCANNER FOR ENTERPRISE PROTECTION - A method of monitoring levels of security conformity and preparedness of a plurality of network connected computing machines obtains a report by remotely scanning the machines in segments. The machines might already be connected to commercial security software and a patch dispenser. The report includes definition dates and any files quarantined by the commercial security software, patch-management-software communication present and the patches received. The method uses the report and software (not installed on the scanned machines) to produce a Network Security Scanner for Enterprise Protection output to perform a security-preparedness audit of the scanned machines. The audit non-intrusively ascertains if the scanned machines conform to user-defined fields and policies, and assists in selective security updating of the machines. The scanning, unrecognized by the scanned machines, may be configured to suit their OS, and done periodically as desired. A computer readable medium executing the method is included. | 11-06-2008 |
20080276296 | MANAGEMENT OF USER AUTHORIZATIONS - A method of determining unauthorized user access requests in a data processing system, the method comprising the steps of accessing a record of role managed authorizations and a record of manually assigned authorizations, receiving a record of user authorization requests from a plurality of data processing systems, and comparing the record of user authorization requests to the record of role managed authorizations and to the record of manually assigned authorizations to identify any unauthorized authorizations. | 11-06-2008 |
20080276297 | System And Method For Intrusion Prevention In A Communications Network - A method and system for monitoring UDP communications and for preventing unauthorized UDP communications within a computer network. A method for managing access to a resource comprises assigning a unique user identifier to each authorized user, upon initiation of a UDP communication initiated by a specific authorized user for access to a specific resource, appending the unique user identifier of the specific authorized user to each UDP packet of the UDP communication, intercepting the plurality of UDP packets within the computer network, extracting the unique user identifier from each UDP packet to identify the specific authorized user associated with the respective UDP packet, and allowing each respective UDP packet to reach the specific resource as a function of the unique user identifier extracted from the respective UDP packet. | 11-06-2008 |
20080282313 | MULTI-PROFILE INTERFACE SPECIFIC NETWORK SECURITY POLICIES - Computer-readable medium having a data structure stored thereon for defining a schema for expressing a network security policy. The data structure includes a first data field including data defining a parameter to be applied based on the network security policy. The network security policy defines at least one of the following: a firewall rule and a connection security rule. The data structure also includes a second data field having data specifying restrictions of the parameter included in the first data field. The parameter in the first data field and the restrictions in the second data field form the schema for expressing the network security policy to be processed. The network security policy manages communications between a computing device and at least one other computing device. | 11-13-2008 |
20080282314 | Firewall with policy hints - A firewall helps a user make a decision regarding network access for an application executing on a computing device by providing “hints” to the user about an appropriate network access policy. If at least one previously set firewall policy for the application exists in a context different from a current context, the user may be presented with information based on a previously set firewall policy. The information may be prioritized based on a source of the previously set firewall policy and other factors, to provide the user with a hint that facilitates making the decision appropriate in the current context. A programming interface to the firewall allows third party applications to specify a format in which hints are provided to the user. | 11-13-2008 |
20080282315 | Host control of partial trust accessibility - Various technologies and techniques are disclosed for providing host control of partial trust accessibility. A framework allows libraries to be identified as partial trust callers allowed to indicate that the libraries are allowed to be called from partially trusted code by default. The framework allows libraries to be identified as partial trust callers enabled to indicate the libraries could be called from partially trusted code, but not by default. A hosting application is notified that a particular library has been loaded. If the particular library has been identified as partial trust callers allowed, then a determination is received from the hosting application on whether to remove or keep partial trust accessibility for the particular library. If the particular library has been identified as partial trust callers enabled, then a determination is received from the hosting application on whether or not to enable partial trust accessibility for the particular library. | 11-13-2008 |
20080282316 | Information processing apparatus, program and method for transmitting content in security scheme according to license policy - An information processing apparatus is connectable to a user device over a network. The apparatus includes a processor. The processor transmits, in response to reception of a request for a particular item of content, an identification of a security scheme which is applicable to transmission of the particular item of content in accordance with a license policy. When the item of content can be received by the user device in the security scheme, the processor transmits the item of content in the security scheme. | 11-13-2008 |
20080282317 | METHOD AND APPARATUS FOR CONVERTING A LICENSE - A method of converting a license is provided. The method includes obtaining a domain policy from a domain to which content is to be transmitted, determining whether license information that is information for a content usage limitation and the domain policy coincide, and then based on the determination result, selectively converting a license. | 11-13-2008 |
20080282318 | WORKFLOW AUTHORIZATIONS EVALUATION IN MULTI-LAYERED APPLICATIONS - There is provided a computer-implemented method, computer-program product, system and security index structure for a security enforcement strategy for a composite application. The method comprises providing a workflow for the composite application, wherein the composite application is constructed from a set of sub-applications and wherein at least a plurality of the sub-applications has a policy. A consolidated workflow policy is generated for the workflow by combining the policies of the sub-applications and by taking into account a control flow of the workflow, wherein the control flow provides an order in which the set of sub-applications are performed. The consolidated workflow policy is enforced by providing a security index structure for the consolidated workflow policy adapted for checking authorization in the workflow. | 11-13-2008 |
20080282319 | System for Managing Access Control - A content distribution system ( | 11-13-2008 |
20080282320 | Security Compliance Methodology and Tool - An apparatus is provided for evaluating risk to an organization. The apparatus includes a plurality of governmental rules directed to protecting shareholders, a plurality of security domains of the organization wherein each security domain is associated with a different asset of the organization, and a request for an information risk assessment within at least one of the plurality of security domains of the organization formed under the plurality of governmental rules from a set of initializing inputs. The apparatus further includes an information risk assessment plan formed from the request for the information risk assessment, a set of information assessment templates and test cases formed from the information risk assessment plan, a set of information risk assessment tests conducted on the IT system using the assessment templates and test cases, a set of test results generated by the risk assessment tests, one or more security control gaps identified from the assessment responses, and one or more gap remediation plans formed from the identified security gaps. | 11-13-2008 |
20080282321 | SYSTEM AND METHOD OF MANAGING DATA PROTECTION RESOURCES - Disclosed herein are a method and system for the computerized management of a plurality of data protection (DP) resources. The computerized management comprises obtaining data related to at least part of the DP resources, at least part of that data being obtained by automated collection; accommodating the obtained data in a data repository, thus giving rise to accommodated data; and processing the accommodated data, the processing resulting in at least one of the following: a) identifying one or more data protection (DP) schemes characterizing DP resources and/or the relationships among them; and b) identifying one or more data protection (DP) gaps. | 11-13-2008 |
20080288999 | INFORMATION PROCESSING APPARATUS FOR AUTHENTICATION SETTING OF MODEL THAT REQUIRES CONFIDENTIALITY - The present disclosure provides an information processing apparatus and the like, which allow a service developer, who develops a service requiring confidentiality in a service-oriented architecture, to easily create authentication settings for the service model. The present disclosure provides an information processing apparatus for developing a service requiring confidentiality in a service-oriented architecture. The information processing apparatus includes: an input unit for inputting an annotation for a service; a storage unit for storing an Authentication Infrastructure Model of a machine node on which the service is executed; and an Authentication Policy generation unit for generating an Authentication Policy by using the annotation and the Authentication Infrastructure Model. | 11-20-2008 |
20080289000 | METHOD AND ELECTRONIC DEVICE FOR MANAGING APPLICATIONS - The present invention provides a method for managing an application at an electronic device ( | 11-20-2008 |
20080289001 | POLICY PROXY - In a system with a policy server, a first device able to communicate with the policy server and a second device able to communicate with the first device and unable to communicate with the policy server, the first device is to act as a policy proxy. The policy server may push to the first device a policy for the second device, and the first device may push the policy to the second device. | 11-20-2008 |
20080295144 | Network client validation of network management frames | 11-27-2008 |
20080295145 | IDENTIFYING NON-ORTHOGONAL ROLES IN A ROLE BASED ACCESS CONTROL SYSTEM | 11-27-2008 |
20080295146 | Integrated privilege separation and network interception | 11-27-2008 |
20080295147 | Integrated Security Roles | 11-27-2008 |
20080295148 | System And Method For Crawl Policy Management Utilizing IP Address and IP Address Range | 11-27-2008 |
20080295149 | METHOD AND SYSTEM FOR GENERATING AND USING DIGITAL FINGERPRINTS FOR ELECTRONIC DOCUMENTS | 11-27-2008 |
20080301754 | Management of Mandatory Access Control For Graphical User Interface Applications - Granular policy management is provided based upon an active status of a process and the display status of an associated visual display. A policy is constructed and applied to a process by a combination of individual control policy parameters associated with the status of a process or a graphical user interface. Each active policy is dynamically adjusted in response to a change in at least one policy condition. | 12-04-2008 |
20080301755 | Flexible Access Control Policy Enforcement - A method and system for applying access-control policies. In particular implementations, a method includes determining one or more policies, and a prioritization order for the determined policies, based on one or more parameters of a client; accessing an indirection table to create an entry for the client, wherein the entry indicates the prioritization order of the determined policies; and creating one or more entries in one or more policy data structures for the one or more determined policies. | 12-04-2008 |
20080301756 | Systems and methods for placing holds on enforcement of policies of electronic evidence management on captured electronic - Systems and methods for placing a hold on captured electronic evidence are provided, the captured electronic evidence having one or more associated policies that are applied to the captured electronic evidence. The captured electronic evidence is stored in a repository. The exemplary systems and methods determine whether to place a hold on the captured electronic evidence, and indicate the captured electronic evidence as being on hold. The exemplary systems and methods place the one or more policies of electronic evidence management associated with the captured electronic evidence indicated as being on hold in a pending state. | 12-04-2008 |
20080301757 | Systems and methods for policy enforcement in electronic evidence management - Systems and methods are provided for policy enforcement on electronic evidence captured from at least one source. The contents of the captured electronic evidence are indexed, and the captured electronic evidence is classified based on the indexed contents by associating the electronic evidence with one or more classes. It is determined whether one or more policies apply to the classified captured electronic evidence. When two or more policies apply to the classified captured electronic evidence, a conflict between the two or more policies is resolved to select the one or more policies to enforce. The systems and methods also enforce the selected one or more policies on the classified captured evidence. | 12-04-2008 |
20080301758 | Distributed knowledge access control - Techniques for distributed knowledge access control are disclosed herein. These techniques may enable access control information to be provided in the form of a statement that includes an assertion and a construct that targets the assertion to one or more intended entities. By targeting the statement to intended entities, the construct may help protect resources from unauthorized use and may also help protect the issuer of the statement from accountability resulting from misuse of the statement. | 12-04-2008 |
20080301759 | APPARATUS AND METHOD FOR APPLYING NETWORK POLICY AT VIRTUAL INTERFACES - Methods and apparatus are disclosed for applying network policy to communications originating at operating system virtual interfaces. In an example embodiment, a network device is networked with a switch. The network device may include a first operating system interface, a virtualization adapter, and an input output port. In an example embodiment, the virtualization adapter receives a first frame from the first operating system interface. The virtualization adapter may tag the first frame to indicate an association between the first frame and the first operating system interface. The first frame may then be transmitted with a second frame being associated with a second operating system interface, to the switch via the input output port. In an example embodiment, the switch is configured to receive the frame, examine a tag and then to enforce a network policy upon the first frame, based on the tag. | 12-04-2008 |
20080301760 | Enforcing Universal Access Control in an Information Management System - A method and apparatus for controlling document access and application usage using centrally managed rules. The rules are stored and manipulated in a central rule database via a rule server. Policy enforcers are installed on client systems and/or on servers and perform document access and application usage control for both direct user document accesses and application usage, and application program document accesses by evaluating the rules sent to the policy enforcer. The rule server decides which rules are required by each policy enforcer. A policy enforcer can also perform obligation and remediation operations as a part of rule evaluation. Policy enforcers on client systems and servers can operate autonomously, evaluating policies that have been received, when communications have been discontinued with the rule server. | 12-04-2008 |
20080301761 | Information Management System - An information management system is described comprising one or more workstations running applications to allow a user of the workstation to connect to a network, such as the Internet. Each application has an analyzer, which monitors transmission data that the application is about to transmit to the network or about to receive from the network and which determines an appropriate action to take regarding that transmission data. Such actions may be extracting data from the transmission data, such as passwords and usernames, digital certificates or eCommerce transaction details for storage in a database; ensuring that the transmission data is transmitted at an encryption strength appropriate to the contents of the transmission data; determining whether a check needs to be made as to whether a digital certificate received in transmission data is in force, and determining whether a transaction about to be made by a user of one of the workstations needs third party approval before it is made. The analyzer may consult a policy data containing a policy to govern the workstations in order to make its determination. The information management system provides many advantages in the eCommerce environment to on-line trading companies, who may benefit by being able to regulate the transactions made by their staff according to their instructions in a policy data, automatically maintain records of passwords and business conducted on-line, avoid paying for unnecessary checks on the validity of digital certificates and ensure that transmissions of data made by their staff are always protected at an agreed strength of encryption. | 12-04-2008 |
20080301762 | Information Management System - An information management system is described comprising one or more workstations running applications to allow a user of the workstation to connect to a network, such as the Internet. Each application has an analyzer, which monitors transmission data that the application is about to transmit to the network or about to receive from the network and which determines an appropriate action to take regarding that transmission data. Such actions may be extracting data from the transmission data, such as passwords and usernames, digital certificates or eCommerce transaction details for storage in a database; ensuring that the transmission data is transmitted at an encryption strength appropriate to the contents of the transmission data; determining whether a check needs to be made as to whether a digital certificate received in transmission data is in force, and determining whether a transaction about to be made by a user of one of the workstations needs third party approval before it is made. The analyzer may consult a policy data containing a policy to govern the workstations in order to make its determination. The information management system provides many advantages in the eCommerce environment to on-line trading companies, who may benefit by being able to regulate the transactions made by their staff according to their instructions in a policy data, automatically maintain records of passwords and business conducted on-line, avoid paying for unnecessary checks on the validity of digital certificates and ensure that transmissions of data made by their staff are always protected at an agreed strength of encryption. | 12-04-2008 |
20080301763 | SYSTEM AND METHOD FOR MONITORING COMPUTER SYSTEM RESOURCE PERFORMANCE - According to the present invention, policies are prepared for a plurality of resources residing in a computer system comprising a storage system for copying data from a copy source volume to a copy target volume, and an evaluation is carried out for an evaluation-target resource of the plurality of resources for determining whether or not to execute a predefined action based on the policy of this evaluation-target resource. A policy corresponding to a resource related to copying of the plurality of resources is determined based on a time period related to the copying. | 12-04-2008 |
20080301764 | PORTABLE ELECTRONIC ENTITY, HOST STATION AND ASSOCIATED METHOD - A host station includes: | 12-04-2008 |
20080301765 | ANALYSIS OF DISTRIBUTED POLICY RULE-SETS FOR COMPLIANCE WITH GLOBAL POLICY - A method for analysis of distributed device rule-sets for compliance with global policies includes enabling an administrator to specify a network topology with intercommunicating elements and parameters required to secure the intercommunication with access control elements of the network topology; establishing connections to the access controls elements to capture a snapshot configuration of device rule-sets of the access control elements; enabling the administrator to specify a set of global access constraints with reference to the access control elements; enabling the administrator to select between exhaustive analysis and statistical analysis; conducting the selected analysis to determine violations by the device rule-sets that fail to comply with the set of global access constraints, wherein statistical analysis quantitatively characterizes a level of compliance without conducting analysis of all potential network paths; and providing results of the selected analysis to the administrator through a graphical user interface (GUI) as the results are obtained. | 12-04-2008 |
20080301766 | CONTENT PROCESSING SYSTEM, METHOD AND PROGRAM - Access control for each part in an HTML document constituting a Web page is performed according to the origin of the part in the document. Thereby, a content provided by a malicious user or server is prevented from fraudulently reading and writing other parts in the HTML document. More precisely, on a server side, each content (including a JavaScript program) is automatically provided with a label indicating the domain that is the origin of the content. Thereby, the control of accesses to multiple domains (cross domain access control) can be performed on a client side. Under this configuration, a combination of the contents, metadata and the access control policy is transmitted from the server side to the client side. | 12-04-2008 |
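The entry above labels each part of an HTML document with the domain it came from and lets the client enforce cross-domain access between those parts. The following is an added example (not the patent's own code) that simulates that client-side check in Python: parts carry an origin label, a policy shipped with the page lists which cross-origin operations are granted, and every read or write by a script is checked against the part's label. The sample document, the `shop.example` and `widget.example` names and the read-only grant are all constructed for the illustration.

```python
"""Origin-labelled document parts with client-side cross-domain access control.

Added example. Labels, policy format and the sample page are assumptions for the illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Part:
    part_id: str
    origin: str      # label assigned server-side: the domain that supplied this part
    content: str


@dataclass
class AccessPolicy:
    """grants[(script_origin, part_origin)] -> operations that script origin may perform on parts
    carrying part_origin. Same-origin access needs no grant."""
    grants: Dict[Tuple[str, str], FrozenSet[str]] = field(default_factory=dict)

    def allows(self, script_origin: str, part_origin: str, op: str) -> bool:
        if script_origin == part_origin:
            return True
        return op in self.grants.get((script_origin, part_origin), frozenset())


class LabelledDocument:
    def __init__(self, parts: List[Part], policy: AccessPolicy):
        self.parts: Dict[str, Part] = {p.part_id: p for p in parts}
        self.policy = policy
        self.denied: List[Tuple[str, str, str]] = []   # audit trail: (op, script_origin, part_id)

    def check(self, script_origin: str, part_id: str, op: str) -> bool:
        """Decide an access and record denials; the label on the part is what is checked."""
        part = self.parts[part_id]
        ok = self.policy.allows(script_origin, part.origin, op)
        if not ok:
            self.denied.append((op, script_origin, part_id))
        return ok

    def read(self, script_origin: str, part_id: str) -> str:
        if not self.check(script_origin, part_id, "read"):
            raise PermissionError(f"{script_origin} may not read {part_id}")
        return self.parts[part_id].content

    def write(self, script_origin: str, part_id: str, new_content: str) -> None:
        if not self.check(script_origin, part_id, "write"):
            raise PermissionError(f"{script_origin} may not write {part_id}")
        old = self.parts[part_id]
        # The origin label survives the write: the part still belongs to the domain that supplied it.
        self.parts[part_id] = Part(old.part_id, old.origin, new_content)


def build_demo_document() -> LabelledDocument:
    """Constructed sample: a shop page embedding a third-party widget that may read, but not
    alter, the shop's cart part."""
    parts = [
        Part("cart", "shop.example", "3 items"),
        Part("widget", "widget.example", "<div>recommendations</div>"),
    ]
    policy = AccessPolicy({("widget.example", "shop.example"): frozenset({"read"})})
    return LabelledDocument(parts, policy)


if __name__ == "__main__":
    doc = build_demo_document()
    print(doc.read("widget.example", "cart"))                 # granted read
    print(doc.check("widget.example", "cart", "write"))       # False: no write grant
    print(doc.check("shop.example", "widget", "read"))        # False: no grant in that direction
    print(doc.denied)
```

The point of the label is that the decision is made on the part's provenance, not on where the script that touches it happens to be running; a malicious part injected from one domain cannot read or rewrite parts labelled with another domain unless the server-supplied policy says so.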
20080307486 | ENTITY BASED ACCESS MANAGEMENT - The subject disclosure pertains to systems and methods that facilitate entity-based access management. Typically, access to one or more resources is managed based upon identifiers assigned to entities. Groups of identifiers can be assigned to access rights. An authority component can manage an exclusion group that excludes an entity, regardless of the identifier utilized by the entity. Access control components can utilize exclusion groups in access policies to define access rights to a resource. | 12-11-2008 |
20080307487 | System and method of network access security policy management for multimodal device - A system and method are provided for management of access security for access by a multimodal device to a converged fixed/mobile network. An inter-technology change-off monitoring entity (ICME) is provided to monitor an inter-technology change-off of the multimodal device and to notify a policy manager of the inter-technology change-off. The policy manager looks up in a policy database, security policies applicable to the user of the multimodal device and the particular technology being used by the multimodal device. The policy manager conveys to various policy enforcement points throughout the converged fixed/mobile network the applicable security policies which take into account the user's identity and the access technology being used. | 12-11-2008 |
20080307488 | Systems And Methods For Enterprise Security With Collaborative Peer To Peer Architecture - Systems and methods authenticate a device to operate within an enterprise system with an enterprise policy. An agent, installed on the device, analyzes the device to determine profile information of the device. The determined profile information is sent to a type 2 super peer that verifies whether the profile information conforms to the enterprise policy. If the profile information conforms to the enterprise policy, an agent trust credential is generated, within the type 2 super peer, for the agent, based upon the profile information, and issued to the agent. Authenticity of the device is verified based upon the agent trust credential. If the device is authenticated, communications with the device are permitted. If the device is not authenticated, communications with the device are prevented. In another embodiment, a method restores a device to conform to a system policy. A snapshot of critical components of the device is taken while the device is in compliance with the system policy. The critical components are monitored to identify critical components that differ from the critical components of the snapshot. If differing critical components are detected, the device is restored to conform with the system policy by replacing the differing critical components based upon the snapshot. | 12-11-2008 |
20080307489 | SYSTEM AND METHOD FOR ADDING CONTEXT TO PREVENT DATA LEAKAGE OVER A COMPUTER NETWORK - Systems and methods for adding context to prevent data leakage over a computer network are disclosed. Data is classified and contextual information of the data is determined. A transmission policy is determined in response to the classification and contextual information. The data is either transmitted or blocked in response to the classification and the contextual information. | 12-11-2008 |
20080307490 | METHODS AND APPARATUS FOR BUILDING AND EXECUTING NATURAL LANGUAGE WORKFLOW FUNCTIONS - The present disclosure provides methods and apparatuses for building and executing natural language policies. Using the methods and apparatus herein, users can easily program policies in a natural language intuitive manner. The user can program the natural language policy without needing to have technical knowledge of the underlying systems and without the assistance of a technical specialist. | 12-11-2008 |
20080307491 | SECURE SYSTEM AND METHOD FOR ENFORCEMENT OF PRIVACY POLICY AND PROTECTION OF CONFIDENTIALITY - The invention includes various systems, architectures, frameworks and methodologies that can securely enforce a privacy policy. A method is included for securely guaranteeing a privacy policy between two enterprises, comprising: creating a message at a first enterprise, wherein the message includes a request for data concerning a third party and a privacy policy of the first enterprise; signing and certifying the message to attest that the first enterprise has a tamper-proof system with a privacy rules engine and that the privacy policy of the first enterprise will be enforced by the privacy rules engine of the first enterprise; sending the message to a second enterprise; and running a privacy rules engine at the second enterprise to compare the privacy policy of the first enterprise with a set of privacy rules for the third party. | 12-11-2008 |
20080307492 | SECURITY POLICY GENERATION - The invention provides security policy generation methods and devices for generating a security policy to be set up for an information processing apparatus. The method comprises: a step of generating an application model in which a transmitter and a receiver are decided for each of a plurality of messages that are communicated; a step of storing in advance a plurality of security patterns in which the signer of the electronic signature appended to a message is left as an undecided parameter; a step of selecting, for each message included in the application model, a security pattern that serves as a model of the security policy to be set up for the transmitter or receiver of that message; and a step of substituting the identification information of the transmitter or receiver of each message for the undecided parameter of the security pattern selected for that message. | 12-11-2008 |
20080307493 | Policy specification framework for insider intrusions - This disclosure provides a policy specification framework to enable an enterprise to specify a given insider attack using a holistic view of a given data access, as well as the means to specify and implement one or more intrusion mitigation methods in response to the detection of such an attack. The policy specification provides for the use of “anomaly” and “signature” attributes that capture sophisticated behavioral characteristics of illegitimate data access. When the attack occurs, a previously-defined administrator (or system-defined) mitigation response (e.g., verification, disconnect, de-provision, or the like) is then implemented. | 12-11-2008 |
20080313698 | APPARATUS AND METHODS FOR NEGOTIATING A CAPABILITY IN ESTABLISHING A PEER-TO-PEER COMMUNICATION LINK - Apparatus and method to negotiate parameters of a policy in establishment of a peer-to-peer link are described herein. In an embodiment, a security policy is negotiated in establishment of a peer-to-peer link in a wireless mesh network. | 12-18-2008 |
20080313699 | Information Rights Management - Information rights management (IRM) systems enable information to be protected after it has been accessed by or delivered to an authorized individual. For example, this might be to allow an email to be viewed for a limited time by specified individuals but to prevent that email from being forwarded. However, existing IRM systems are limited in the situations in which they may operate. An IRM server is provided which communicates with one or more policy evaluators which are independent of the IRM server. Results from the different policy evaluators may be combined by the IRM server and one or more identity providers may be used in conjunction with each policy evaluator. By enabling the IRM server to act as a broker between authors, recipients and policy evaluators situations in which IRM systems may operate are greatly extended. | 12-18-2008 |
20080313700 | METHOD TO ALLOW ROLE BASED SELECTIVE DOCUMENT ACCESS BETWEEN DOMAINS - An improved solution for allowing role based selective access to a document between a plurality of domains is provided. In an embodiment of the invention, a method for allowing selective access to a document between a plurality of domains includes: obtaining a composed section of the document at a first domain; applying a security policy at the first domain to the composed section of the document; distributing the security policy from the first domain to a second domain, wherein the second domain is different than the first domain; and applying the security policy to the document at the second domain. | 12-18-2008 |
20080313701 | SYSTEM AND METHOD FOR MANAGING NETWORK BY VALUE-BASED ESTIMATION - A system and method for managing a network by value-based estimation is provided. A network device requesting communication is defined as an active point and a network device receiving a request for communication is defined as a passive point. The value of a network device is determined according to the number of active points connected to it, and the value of a network device lying on a communication path between other network devices is determined from the values of the devices whose communication passes through it. When a policy for changing the network environment is transferred after the values of the network devices have been estimated, a policy conflict test is performed on the basis of those estimated values, so that the decision whether to apply the policy takes due account of the values and significance of the network devices. | 12-18-2008 |
20080313702 | INFORMATION PROCESSING SYSTEM, INFORMATION PROCESSING APPARATUS, INFORMATION PROCESSING METHOD, AND RECORDING MEDIUM - An information processing system which includes a compound content generation apparatus and a compound content consumption apparatus and processes a plurality of protected contents, the compound content generation apparatus comprising a compound content generation unit configured to generate a compound content from a plurality of protected contents, and the compound content consumption apparatus comprising a composite policy generation unit configured to generate a composite policy by obtaining an intersection of condition values of policies set for the respective protected contents contained in the compound content, and a compound content consumption unit configured to consume the compound content in accordance with the composite policy. | 12-18-2008 |
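The entry above builds a composite policy for compound content by intersecting the condition values of the policies attached to each protected part. The following is an added example (not the patent's code) that carries that intersection through for two kinds of condition value, an allowed-value set and an inclusive (lo, hi) range, and then checks a consumption request against the composite. The three sample policies, the condition names and the rule that an absent condition imposes no restriction are assumptions made for the illustration; a composite with an empty intersection is reported as unusable rather than silently consumed.

```python
"""Composite policy for compound content: intersect the condition values of each part's policy.

Added example. Condition values are either a frozenset of allowed values or an inclusive
(lo, hi) range; both representations and the sample policies are assumptions.
"""
from datetime import date
from typing import Any, Dict, List, Optional

Policy = Dict[str, Any]   # condition name -> frozenset of allowed values, or (lo, hi) inclusive range

# Constructed sample: three protected parts (video, audio, subtitles) with their own policies.
P_VIDEO: Policy = {
    "region": frozenset({"JP", "US", "EU"}),
    "play_count": (0, 10),
    "valid": (date(2008, 1, 1), date(2009, 12, 31)),
}
P_AUDIO: Policy = {"region": frozenset({"US", "EU"}), "play_count": (0, 3)}
P_SUBS: Policy = {"region": frozenset({"EU", "UK"}), "valid": (date(2008, 6, 1), date(2010, 1, 1))}


def intersect_values(a: Any, b: Any) -> Any:
    """Intersect two condition values of the same kind; an empty result is returned as frozenset()."""
    if isinstance(a, frozenset) and isinstance(b, frozenset):
        return a & b
    if isinstance(a, tuple) and isinstance(b, tuple):
        lo, hi = max(a[0], b[0]), min(a[1], b[1])
        return (lo, hi) if lo <= hi else frozenset()
    raise TypeError(f"condition kinds differ: {a!r} vs {b!r}")


def composite_policy(policies: List[Policy]) -> Optional[Policy]:
    """Return the composite policy, or None when some condition intersects to nothing.

    A condition missing from a part's policy is treated as unrestricted for that part
    (assumption), so only the parts that mention a condition constrain it.
    """
    result: Policy = {}
    for name in sorted(set().union(*policies)):
        values = [p[name] for p in policies if name in p]
        acc = values[0]
        for v in values[1:]:
            acc = intersect_values(acc, v)
        if acc == frozenset():          # empty set or collapsed range: compound content is unusable
            return None
        result[name] = acc
    return result


def permits(policy: Policy, context: Dict[str, Any]) -> bool:
    """Does the consumption context satisfy every condition of the (composite) policy?"""
    for name, allowed in policy.items():
        if name not in context:
            return False
        value = context[name]
        if isinstance(allowed, frozenset):
            if value not in allowed:
                return False
        else:
            lo, hi = allowed
            if not lo <= value <= hi:
                return False
    return True


if __name__ == "__main__":
    comp = composite_policy([P_VIDEO, P_AUDIO, P_SUBS])
    print(comp)
    print(permits(comp, {"region": "EU", "play_count": 2, "valid": date(2009, 3, 1)}))
    print(composite_policy([P_VIDEO, {"region": frozenset({"JP"})}, P_SUBS]))   # None
```

Intersection is the conservative choice: the compound content is never consumable under conditions that any one of its parts would have refused on its own.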
20080320548 | PROXY-BASED MALWARE SCAN - A system that employs out-of-process (‘out-of-proc’) architectures with respect to malware scanning related to network services applications is provided. The ‘out-of-proc’ malware (e.g., virus) scanning is employed in connection with a web conferencing server. This architecture enables more versatile options related to scanning, for example, selective bypass in a crisis situation. | 12-25-2008 |
20080320549 | Method and System for Determining Policy Similarities - A method for determining similarity of two policies includes providing a first policy with n rules and a second policy with m rules, wherein each rule is structured into a plurality of identifiable elements, categorizing the rules in each policy based on an action, for each pair of rules finding those predicates whose attribute names match, computing an attribute similarity score for the attribute values, summing the attribute similarity scores for all pairs to obtain an element similarity score, and computing a rule similarity score for the pair of rules from a weighted sum of said element similarity scores. | 12-25-2008 |
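The entry above scores the similarity of two policies by categorizing rules by action, matching predicates with the same attribute name, scoring attribute values, summing those into element scores and weighting the element scores into a rule score. The following is an added example (not the patent's code) that implements that pipeline for rules structured into subject, resource and condition elements. The element weights, the categorical and interval-overlap attribute scores, the normalization of each element score by the number of attribute names on either side, and the policy-level average over best-matching rules are all choices made for the illustration, not values from the patent.

```python
"""Rule- and policy-level similarity scores for structured access-control rules.

Added example. Weights, attribute scoring functions and the sample rules are assumptions.
"""
from typing import Any, Dict, List

Rule = Dict[str, Any]   # {"action": str, "subject": {...}, "resource": {...}, "condition": {...}}
ELEMENTS = ("subject", "resource", "condition")
WEIGHTS = {"subject": 0.3, "resource": 0.4, "condition": 0.3}   # assumed element weights

# Constructed sample policies (A and B) with one permit and one deny rule each.
POLICY_A: List[Rule] = [
    {"action": "permit", "subject": {"role": "admin", "dept": "finance"},
     "resource": {"type": "report", "class": "confidential"}, "condition": {"hour": (9, 17)}},
    {"action": "deny", "subject": {"role": "guest"}, "resource": {"type": "report"}, "condition": {}},
]
POLICY_B: List[Rule] = [
    {"action": "permit", "subject": {"role": "admin", "dept": "hr"},
     "resource": {"type": "report", "class": "confidential"}, "condition": {"hour": (8, 18)}},
    {"action": "deny", "subject": {"role": "guest"}, "resource": {"type": "report"}, "condition": {}},
]


def attribute_similarity(a: Any, b: Any) -> float:
    """Exact match for categorical values; interval Jaccard (overlap / span) for (lo, hi) ranges."""
    if isinstance(a, tuple) and isinstance(b, tuple):
        overlap = max(0, min(a[1], b[1]) - max(a[0], b[0]))
        span = max(a[1], b[1]) - min(a[0], b[0])
        return overlap / span if span else 1.0
    return 1.0 if a == b else 0.0


def element_similarity(e1: Dict[str, Any], e2: Dict[str, Any]) -> float:
    """Sum attribute scores over names present in both, normalized by all names present in either."""
    names = set(e1) | set(e2)
    if not names:
        return 1.0
    total = sum(attribute_similarity(e1[n], e2[n]) for n in set(e1) & set(e2))
    return total / len(names)


def rule_similarity(r1: Rule, r2: Rule) -> float:
    """Weighted sum of element scores; rules with different actions are never compared."""
    if r1["action"] != r2["action"]:
        return 0.0
    return sum(WEIGHTS[e] * element_similarity(r1.get(e, {}), r2.get(e, {})) for e in ELEMENTS)


def policy_similarity(p1: List[Rule], p2: List[Rule]) -> float:
    """Average, over the rules of p1, of the best-matching rule in p2 within the same action category."""
    by_action: Dict[str, List[Rule]] = {}
    for r in p2:
        by_action.setdefault(r["action"], []).append(r)
    scores = [max((rule_similarity(r, c) for c in by_action.get(r["action"], [])), default=0.0) for r in p1]
    return sum(scores) / len(scores) if scores else 1.0


if __name__ == "__main__":
    print(round(rule_similarity(POLICY_A[0], POLICY_B[0]), 3))   # 0.79
    print(round(policy_similarity(POLICY_A, POLICY_B), 3))       # 0.895
```

Walking the first rule pair through: the subject element matches on `role` but not `dept` (0.5), the resource element matches fully (1.0), and the hour ranges overlap for 8 of a 10-hour span (0.8); weighted, that is 0.3 x 0.5 + 0.4 x 1.0 + 0.3 x 0.8 = 0.79.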
20080320550 | PERFORMING POLICY CONFLICT DETECTION AND RESOLUTION USING SEMANTIC ANALYSIS - A method and system for managing a policy includes, in response to determining the presence of a conflict, determining a semantic equivalence between a component of a policy rule and at least one additional policy rule. The determining of a semantic equivalence is performed by using a semantic reasoning algorithm that includes the steps of determining a first policy target of a first policy rule and a second policy target of a second policy rule, determining a meaning of the first policy target and a meaning of the second policy target, assigning a confidence value based on the determined meaning of the first policy target, assigning a confidence value based on the determined meaning of the second policy target, performing a semantic comparison between the first policy target and the second policy target, and determining, based at least in part on the semantic comparison, the presence of a conflict between the first and second policy targets. | 12-25-2008 |
20080320551 | Controlling access to multiple pieces of content of a presentation - In one or more embodiments, a license associated with a first piece of content can grant rights with respect to a second and/or additional pieces of content. That is, language that is included in a first license can express a policy that is interpreted by a client-side device. This policy can establish rights with respect to additional pieces of content. Accordingly, policy enforcement with respect to licensed content can take place on the client-side device and can establish how different content is to be played relative to one another. | 12-25-2008 |
20080320552 | ARCHITECTURE AND SYSTEM FOR ENTERPRISE THREAT MANAGEMENT - Enterprise threat assessment and management provides both physical and logical security. Physical access control systems are configured to identify physical events in the physical domain, and logical access control systems are configured to identify logical events in the logical domain. Connectors establish uninterrupted coupling to the physical and logical access control systems. Event middleware is configured to selectively subscribe only to those events that correspond to defined policies. The policies define a correlation of the physical and logical events, and actions are initiated depending upon the correlated physical and logical events defined by the policies. | 12-25-2008 |
20080320553 | MANAGING HIERARCHICALLY ORGANIZED SUBSCRIBER PROFILES - Methods are provided for managing hierarchically organized subscriber profiles. According to one embodiment of the present invention, a subscriber connection is created with a virtual router operable within a telecommunications system of a service provider. A connection request is received from a subscriber of multiple subscribers of the service provider at a subscriber manager of the virtual router. The virtual router maintains a database of hierarchically organized profile identifiers, including multiple lower-level profile identifiers, which explicitly define subscriber services, and multiple first-level profile identifiers, which define service contexts representing combinations of services available to subscribers when connected by (i) explicitly defining the subscriber services or (ii) referring to one or more of the multiple lower-level profile identifiers. If the subscriber is successfully authenticated, a connection is created by creating and configuring a virtual interface within the virtual router for the subscriber connection based on the subscriber's first-level profile identifier. | 12-25-2008 |
20090007217 | COMPUTER SYSTEM FOR AUTHENTICATING A COMPUTING DEVICE - A computer architecture for enterprise device applications provides a real-time, bi-directional communication layer for device communication. An identity-based communications layer provides for secure, end-to-end telemetry and control communications by enabling mutual authentication and encryption between the devices and the enterprise. A unique identity is assigned to each device, user and application to provide security services. A communications session is established between two devices using an authentication service that authenticates the device that is initiating the establishment of the communications session with another device. After authenticating the initiating device, the authentication service provides to the initiating device the network address of the other device and an authentication credential for use in the communications session between the initiating device and the other device. | 01-01-2009 |
20090007218 | Switched-Based Network Security - Traffic sent from a network endpoint is redirected and the network endpoint is tested for compliance with a security policy. If the network endpoint is in compliance with the security policy, an access policy is generated to allow the network endpoint to access the network without any traffic redirection. | 01-01-2009 |
20090007219 | Determining a merged security policy for a computer system - Embodiments of the invention described herein are directed to a mechanism for determining whether at least one operation will be effective in view of at least one security policy. In exemplary implementations, determining whether at least one operation will be effective in view of at least one security policy may comprise determining a merged security policy for a computer system by merging security policies for the computer system from two or more sources. The security policies may be security policies set by a user and/or an administrator of the computer system, may be security policies of a computer network to which the computer system is connected, or may be security policies of one or more other computer systems that are above the computer system in a computer network hierarchy. | 01-01-2009 |
20090007220 | THEFT OF SERVICE ARCHITECTURAL INTEGRITY VALIDATION TOOLS FOR SESSION INITIATION PROTOCOL (SIP)-BASED SYSTEMS - A device prevents theft of service attacks on a Session Initiation Protocol (SIP)-based device using an identity assurance protection mechanism, a multiple end-points protection mechanism, and an intrusion detecting protection mechanism. | 01-01-2009 |
20090007221 | Generation and use of digital contents - Provided are the generation and the use of user generated contents (UGC) to which a creative commons license (CCL) is applied. In a method of generating digital contents, a user interface window including a clause for managing digital contents copyright information and displaying the user interface window is generated, and digital contents including copyright information selected from the displayed user interface window is generated. | 01-01-2009 |
20090007222 | APPARATUS AND METHOD FOR MANAGING DIGITAL RIGHTS MANAGEMENT CONTENTS IN PORTABLE TERMINAL - Provided is an apparatus and method for managing Digital Rights Management (DRM) contents in a portable terminal. The method includes, when a license of the DRM content is consumed, changing license information on the DRM content, which is stored in an external memory; storing information relating to changed data of the external memory into an internal memory; determining, by using the information stored in the internal memory when the DRM content is used, whether the changed license information stored in the external memory has changed; and determining whether the DRM content is available according to whether the changed license information has changed. | 01-01-2009 |
20090007223 | METHOD AND SYSTEM FOR RUN-TIME DYNAMIC AND INTERACTIVE IDENTIFICATION OF SOFTWARE AUTHORIZATION REQUIREMENTS AND PRIVILEGED CODE LOCATIONS, AND FOR VALIDATION OF OTHER SOFTWARE PROGRAM ANALYSIS RESULTS - A system, method and computer program product for identifying security authorizations and privileged-code requirements; for validating analyses performed using static analyses; for automatically evaluating existing security policies; for detecting problems in code; in a run-time execution environment in which a software program is executing. The method comprises: implementing reflection objects for identifying program points in the executing program where authorization failures have occurred in response to the program's attempted access of resources requiring authorization; displaying instances of identified program points via a user interface, the identified instances being user selectable; for a selected program point, determining authorization and privileged-code requirements for the access restricted resources in real-time; and, enabling a user to select, via the user interface, whether a required authorization should be granted, wherein local system, fine-grained access of resources requiring authorizations is provided. | 01-01-2009 |
20090007224 | INFORMATION PROCESSING APPARATUS, INFORMATION MANAGEMENT METHOD, AND STORAGE MEDIUM THEREFOR - An image forming apparatus capable of flexibly setting a security policy for a modified file. A client terminal generates a print job added with a new security policy for a second file generated from a first file, and delivers the print job added with the new security policy to the image forming apparatus. The image forming apparatus generates intermediate data based on the print job delivered from the client terminal, and causes a second policy server to register the security policy. The second policy server registers the security policy, with items of the security policy being appropriately assigned to the first and second policy servers. The second policy server generates an encryption key. The image forming apparatus encrypts the intermediate data using the encryption key, and stores the encrypted intermediate data. | 01-01-2009 |
20090007225 | METHOD AND APPARATUS FOR ENSURING SECURITY OF REMOTE USER INTERFACE SESSION USING OUT-OF-BAND COMMUNICATION - A method and apparatus for ensuring security of a session. In the method, a first client selects a user interface related to a process in need of security from among user interfaces related to predetermined contents provided from a first server, and a first client or a second client communicates directly with a second server operated by a contents provider to perform the process in need of security and notifies the first server of the performing result. Thus, it is not required to transmit/receive security information via the first server. | 01-01-2009 |
20090007226 | Communications Apparatus and Control Method Therefor - When exchanging communication parameter setting information on a wireless network, a communications apparatus selects between a first operation mode in which communications parameter information is exchanged with a specific communications apparatus and a second operation mode in which communications parameter information is exchanged with an unspecified number of communications apparatus. Depending on the selected operation mode, the communications apparatus controls security upon holding the communications parameter information exchanged with the specific communications apparatus and the communications parameter information exchanged with the unspecified number of communications apparatus. | 01-01-2009 |
20090007227 | SYSTEM AND METHOD OF DATA COGNITION INCORPORATING AUTONOMOUS SECURITY PROTECTION - Autonomous embedded data cognition enables data to perform real-time environmental configuration control, self-manage, perform analyses, determine its current situation, and evaluate behavior to respond accordingly. When created, security measures and access controls are selected. Highly sensitive data can be extracted and substituted with a creator label and/or functional representation. Data-to-data reasoning and analysis can be performed. The processing method comprises autonomous monitoring for a state change and analyzing the current user to determine if the instantiation should exist. If affirmed, the cognition engine automatically configures the computational environment in which it resides. If denied, environmental behavior is further analyzed for security problems or an erroneous situation. If detected, the creator is alerted and provided with incident information enabling remote creator control of the data. Cognitive data can decide to self-destruct, mitigating the risk of undesirable instantiations. Intelligent Agents, a comprehensive data structure, and intelligent document means are leveraged for implementation. | 01-01-2009 |
20090007228 | MANAGING HIERARCHICALLY ORGANIZED SUBSCRIBER PROFILES - Apparatus are provided for managing hierarchically organized subscriber profiles. According to one embodiment, a router includes a subscriber manager, a database and a virtual interface. The subscriber manager is operable to receive a connection request from a subscriber of a service provider. The database has stored therein hierarchically organized profile identifiers, including multiple lower-level profile identifiers, which explicitly define subscriber services, and multiple first-level profile identifiers, which define service contexts representing combinations of services available to subscribers when connected to the service provider by (i) explicitly defining the subscriber services or (ii) referring to one or more of the plurality of lower-level profile identifiers. The virtual interface defines a subscriber connection between the router and the subscriber and is created and configured responsive to the connection request based on a first-level profile identifier that is associated with the subscriber. | 01-01-2009 |
20090013374 | SYSTEMS AND METHODS FOR SECURING COMPUTERS - Systems and methods are disclosed for avoiding electronic mail (email) attacks on a computer by downloading one or more emails in virtual-copy format to prevent the one or more emails from executing; determining whether a potentially infected email is in the one or more emails; and displaying the potentially infected email to a user and providing a user interface to allow the user to select and delete the infected email prior to downloading emails to the user's computer. | 01-08-2009 |
20090013375 | PERMISSIONS MANAGEMENT PLATFORM - A permissions management platform is disclosed that includes: a documentation agent, which documents at least one circumstance, wherein the at least one circumstance comprises at least one permission that is provided from at least one first party to at least one second party, and at least one authorized party, wherein the at least one party has access to the documentation agent. A software system is also disclosed that includes the permissions management platform disclosed herein stored on a recordable medium. Methods for documenting and managing permissions information are described that include: providing a documentation agent that documents the circumstances in which permission is provided from at least one first party to at least one second party; creating a documentation record; storing the documentation record in a retrievable format, and providing at least one authorized party having access to the documentation record. | 01-08-2009 |
20090013376 | SYSTEM FOR MANAGING COMMUNITY PROVIDED IN INFORMATION PROCESSING SYSTEM, AND METHOD THEREOF - Provided is a system which manages a user community provided in an information processing system, in which user community information provided by a user is made available to another user for reference. The system includes a storage section which stores an audit policy defining contents of information to be permitted to be registered in each of a plurality of communities, by associating the audit policy with each of the communities; a detection section which detects a community to which information is provided in response to provision of the information by a user; and a registration control section which inhibits registration of information, provided by a user, in a detected user community on condition that the information violates an audit policy corresponding to the user community. | 01-08-2009 |
20090013377 | Method and apparatus for privacy protection - The privacy of users of the Internet and interactive television is protected by actuating a "privacy button" on the computer of the end user to cause the computer to search the user's computer to identify all cookies designed to track the user's computer behavior; disable each of the cookies identified by the search; identify the source of each of the disabled cookies; create, carry and forward a message to the identified cookie source that the end user does not want to have his computer behavior observed and/or to receive any advertising until further notice; create, carry and forward a message to the end user's Internet service provider that the end user does not want to receive any advertising and/or that computer observation activity is to be suspended by the Internet service provider until further notice; search the computer memory to identify all websites visited by the end user on the computer during a given time period; and create, carry and forward a message to each website identified in the search that the end user does not want to have his computer behavior observed and/or to receive any advertising until further notice. | 01-08-2009 |
20090013378 | Method for Testing Safety Access Protocol Conformity of Access Point and Apparatus Thereof - The invention relates to a method and device for testing conformity of a secure access protocol at an access point. The method includes the steps of: capturing a data packet of a secure access protocol in a secure access authentication process at an access point under test; and analyzing and checking an encapsulation format of the captured data packet of the secure access protocol and a protocol flow. With the invention the test result is independent of the implementation of an upper-layer protocol, and a correct test result can be obtained regardless of a deviant implementation of the reference equipment, thereby improving the correctness of the test result. With the invention, an error in the implementation of the protocol can also be located precisely in accordance with detailed information obtained from the data packet of the protocol, and a simulated test of a possible exception is introduced, thereby ensuring that a product which passes the test conforms to the standard and is interoperable. | 01-08-2009 |
20090019514 | METHOD AND SYSTEM FOR ENFORCING PASSWORD POLICY IN A DISTRIBUTED DIRECTORY - The invention describes techniques for enforcing password policy within a distributed directory environment that includes one or more distributed directory servers and a proxy server that acts as an intermediate agent between a client and the distributed directory environment. In one aspect, the proxy server is enhanced to support the passing (from the backend server to the client) of password policy controls. In particular, controls returned from a backend server are parsed and cached (for re-use) for the life of a given client connection. According to another aspect, the proxy server ensures that all compare operations for a single user's password are directed to the same backend server in the distributed directory environment. This ensures that a user's most current password is used, and that failed operation counts, resets and operational attributes are up-to-date. According to still another aspect, the proxy server enforces password policy on bind plug-ins and, in particular, through a pair of pre-bind and post-bind extended operations. In particular, pre-bind processing includes checking if an account is locked. Post-bind processing includes checking for expired passwords and grace logins and updating failed/successful bind counters. | 01-15-2009 |
20090019515 | METHOD AND SYSTEM FOR SECURE ACCESS POLICY MIGRATION - A method for deploying a directory server that includes receiving a new version of the directory server on a server to replace a prior version of the directory server, wherein the new version of the directory server uses a new version of an access policy and the prior directory server uses a prior version of the access policy, and configuring the new version of the directory server to use both the prior version of access policy and the new version of the access policy, wherein the new version of the directory server maintains compatibility between the new version of the access policy and the prior version of the access policy. | 01-15-2009 |
20090019516 | ROLE-BASED ACCESS CONTROL - A user interface and a processor coupled to the user interface wherein the processor receives access requests through the user interface and authorizes access through the user interface. The processor associates a rights request with a role based policy to determine access rights, modifies the determined access rights in accordance with an exception list related to particular users and records, and authorizes access to a record based upon the modified determined access rights. | 01-15-2009 |
20090019517 | Method and System for Restricting Access of One or More Users to a Service - The present invention relates to method and system for restricting access of one or more users to a service provided by a service provider. The one or more users are affiliated with an entity. The method comprises providing the entity with an ability to create one or more rules for restricting access of the one or more users to the service. The one or more rules are then obtained from the entity. When a request is received from a user for accessing the service, it is identified if the request is a request to which the one or more rules are to be applied based on a first identification criterion. The one or more rules are then applied to such a request. | 01-15-2009 |
20090019518 | Virtual firewall system based on commons security policy and method of controlling the same - A virtual firewall system based on a common security policy and a method of controlling the same. The virtual firewall system includes one or more virtual security policy modules, each of which includes a local security policy database; a security policy determiner, which determines, from the one or more virtual security policy modules, a virtual security policy module corresponding to a packet received from outside; and a common security policy database, which stores security policies. Each of the one or more virtual security policy modules determines whether or not to apply a security policy of the common security policy database to the received packet, and when the security policy of the common security policy database is applied, does not apply the security policy of a local security policy database. An operator can easily and conveniently set and restore the system. | 01-15-2009 |
20090025057 | Multi-Layer System for Privacy Enforcement and Monitoring of Suspicious Data Access Behavior - A method for controlling data access in a data-at-rest system includes executing a link intrusion prevention analysis between multiple layers of the data-at-rest system, introducing a privacy policy at enforcement points that span multiple system layers, and dynamically altering the privacy policy. | 01-22-2009 |
20090031393 | SYSTEM AND METHOD FOR CONTROLLING EMAIL PROPAGATION - A system and method for controlling the propagation of an email message includes defining at least a first email recipient and a second email recipient of the email message. A first email propagation policy associated with at least the first email recipient is defined, and a second email propagation policy associated with at least the second email recipient is defined. The email message is sent to the first email recipient and to the second email recipient. | 01-29-2009 |
20090031394 | METHODS AND SYSTEMS FOR INTER-RESOURCE MANAGEMENT SERVICE TYPE DESCRIPTIONS - Communication nodes, systems and methods are described which provide access screening for services based upon service type description information and policy criteria information associated with an access network. If a requested service is, e.g., banned due to regulatory policies in a geographic region associated with a particular access network, then the requested service shall be denied even if the user has a valid subscription to such requested service via another access network. | 01-29-2009 |
20090031395 | Security system for wireless networks - A security procedure for invoking IPsec security for communication of a packet in a network includes the steps of generating a message to be sent at the transport layer, building Internet Protocol and Transport Control Protocol headers for the message, selecting a security policy in accordance with a security policy database after the step of building Internet Protocol and Transport Control Protocol headers, and processing the packet according to the selected security policy. | 01-29-2009 |
20090031396 | METHOD OF AND APPARATUS FOR MANAGING ACCESS PRIVILEGES IN CLDC OSGi ENVIRONMENT - Provided are a method and apparatus for managing resource access privileges of an application in a Connected Limited Device Configuration (CLDC) Open Service Gateway Initiative (OSGi) environment. The method includes executing the application in a thread having a unique thread identifier, identifying the application by mapping the unique thread identifier with an application identifier from a mapping table, examining a security policy to determine the kind of resource access privileges the identified application has, and allowing or not allowing, according to the examination result, the application to access the resources. Accordingly, when an application tries to access resources in a device, access privileges of the application can be managed so that the application does not maliciously access the resources. | 01-29-2009 |
20090037973 | Policy-enabled aggregation of IM User communities - A method of automatically aggregating an online user community, and graphical user interface for same, the method including one or more of the following: a user creating the online community; the user defining an aggregation policy for the online user community; a service provider retrieving the aggregation policy; the service provider applying the aggregation policy to an other user; determining whether the other user fits the aggregation policy; adding the other user to the online user community; the user defining an anti-aggregation policy; the service provider retrieving the anti-aggregation policy; determining whether the other user fits the anti-aggregation policy; and removing the other user from the online user community when the other user fits the anti-aggregation policy. | 02-05-2009 |
20090037974 | SECURITY DOCUMENT PRINTING SYSTEM AND METHOD OF CONTROLLING THE SAME - A system to print a security document and a control method thereof. The printing system simplifies a security procedure, and minimizes or prevents the security document from being illegally copied or copied without authorization. The printing system includes an input unit which receives an authenticator to copy the security document, and an output unit which determines whether the authenticator is equal to an authentication mark on the security document, and copies the security document in different ways according to the determined result. | 02-05-2009 |
20090037975 | System and Method for Authenticating Content - A system for authenticating content and methods for making and using same. The content authentication system advantageously facilitates recognition of known content, control over use of the known content, and knowledge accumulation regarding the use of known content for monetization models. The recognition of the suspect content preferably includes an analysis of known content recognition data associated with the known content and suspect content recognition data associated with the suspect content. A correlation between the known content recognition data and the suspect content recognition data is found, and the suspect content is analyzed in light of the correlation and known content rules associated with the known content. Thereby, the content authentication system can determine whether to approve action for the suspect content. The content authentication system enables selected known content information to be shared among known content right holders and hosting websites. | 02-05-2009 |
20090037976 | System and Method for Securing a Network Session - A system comprises an end-user device including a browser and a security component capable of executing a security policy, the security policy to be downloaded from a website; and a website including a security policy downloadable to the security component. | 02-05-2009 |
20090037977 | APPARATUS AND METHOD FOR APPLYING NETWORK POLICY AT A NETWORK DEVICE - This document discusses, among other things, applying network policy at a network device. In an example embodiment, fibre channel hard zoning information may be received that indicates whether a fibre channel frame is permitted to be communicated between two fibre channel ports. Some example embodiments include identifying media access control addresses associated with the fibre channel ports. An example embodiment may include generating one or more access control entries based on the fibre channel identifications of the fibre channel ports and the zoning information. The access control entries may be distributed to an Ethernet port to be inserted into an existing access control list and used to enforce a zoning policy upon fibre channel over Ethernet frames. | 02-05-2009 |
20090044248 | SECURITY POLICY GENERATION - The invention provides security policy generation methods and devices for generating a security policy that is set up for an information processing apparatus. The method comprises a step of generating an application model in which a transmitter and a receiver of a message are decided for each of a plurality of messages that are communicated; a step of storing in advance a plurality of security patterns with the signer of the electronic signature appended to the message as an undecided parameter; a step of selecting a security pattern that is a model of the security policy to be set up for the transmitter or receiver of the message, corresponding to each of the plurality of messages included in the application model; and a step of substituting the identification information of the transmitter or receiver of each message included in the application model for the undecided parameter of the security pattern selected corresponding to the message. | 02-12-2009 |
20090049508 | LANGUAGE-AGNOSTIC POLICY MANAGEMENT - A system and method for language-agnostic policy management. At least one policy associated with an event occurrence is identified. At least one policy engine associated with the at least one policy is identified. The at least one policy is evaluated by a policy engine of the associated at least one policy engine. | 02-19-2009 |
20090049509 | SCOPE-CENTRIC ACCESS CONTROL MODEL - Apparatus, methods, and computer program products are disclosed that maintain an association graph made up of association tuples. Each of the association tuples belongs to an access-control-policy scope that imposes an access control policy. On receipt of a client reference and a supplier reference a scope-defining entity is identified from the client reference. The scope-defining entity has an explicit access control policy. An effective supplier reference is retrieved from a set of the association tuples matching the scope-defining entity and is presented. | 02-19-2009 |
20090049510 | SECURING STORED CONTENT FOR TRUSTED HOSTS AND SAFE COMPUTING ENVIRONMENTS - Techniques for protecting content to ensure its use in a trusted environment are disclosed. The stored content is protected against harmful and/or defective host (or hosted) environments. A trusted security component provided for a device can verify the internal integrity of the stored content and the host before it allows the content to come in contact with the host. As a counterpart, a trusted security component provided for the host can verify and attest to the integrity of the host and/or the specific host computing environment that can be provided for the content stored in the device. The trusted security component provided for the device effectively verifies the host's integrity based on the information attested to by the trusted security component provided for the host. If the trusted security component trusts the host, it allows the trusted host to provide a trusted host computing environment trusted to be safe for the content stored in the device. A trusted host can effectively provide a safe virtual environment that allows content representing a copy (or image) of an original computing environment to operate on the host computing system to give a similar appearance as the original computing environment. | 02-19-2009 |
20090049511 | METHOD AND APPARATUS FOR PROVIDING A DATA MASKING PORTAL - An approach is provided for de-personalizing data. A request is received from an application for retrieval of data. An end user associated with the request is authenticated. A determination is made whether to mask the data based on the request and the authentication. In response to the determination, a masking algorithm is selected to apply to the data and to output mask data. | 02-19-2009 |
20090049512 | METHOD AND SYSTEM FOR MASKING DATA - An approach is provided for masking data. A determination is made whether an action initiated by an authenticated user corresponds to one of a plurality of policies stored in a policy store, wherein the policies relate to whether data to be retrieved from a data source is to be masked. A new policy is generated if no match is found in the policy store. Information associated with the new policy is received, wherein the information is input by the user. The new policy is stored in the policy store. | 02-19-2009 |
20090049513 | SYSTEM AND METHOD FOR CONTROLLING A VIRTUAL ENVIRONMENT OF A USER - A method and a system for controlling a virtual environment of a user, e.g., a child, are provided. In the virtual environment, users are able to interact with other users using messages. Each message is made up of one or more items contained in a dictionary. Information is transmitted, e.g., by e-mail, to an agent, e.g., a parent. The transmitted information is information that may be used to authorize the agent to control the virtual environment of the user. The virtual environment of the user is controlled by setting a level of interaction at which the user is permitted to interact with others. The messages may include pre-written messages and messages composed by a user using items contained in the dictionary. A message checker bars unsuitable combinations made up of items contained in the dictionary. Inappropriate language and personally identifiable information may be excluded from the contents of the messages. | 02-19-2009 |
20090049514 | Autonomic trust management for a trustworthy system - An autonomic trust management system, device or method performs trust management in an autonomic processing manner with regard to evidence collection, trust evaluation, and trust (re-)establishment and control. An autonomic trust management mechanism is embedded into a digital system, such as a device or a distributed system, for supporting trustworthy relationships among system entities. The trust management mechanism provides an autonomic adaptation of trust control modes, which include control mechanisms or operations, in order to maintain dynamically changing trust relationships based on the feedback from a trust assessment and the adaptive trust (re-)establishment or control loops. | 02-19-2009 |
20090049515 | SYSTEM AND METHOD FOR EFFECTING INFORMATION GOVERNANCE - A method to manage data located on networked devices is provided. The method includes replicating objects residing on the devices and collecting information about at least one of the objects or the devices. The method further includes receiving input on desired information governance policies and outcomes and analyzing the replicated objects, collected information and received input to determine an information governance action. | 02-19-2009 |
20090049516 | COMMUNICATION RELAY METHOD AND APPARATUS AND COMMUNICATION RELAY CONTROL METHOD AND APPARATUS - Provided are a method and apparatus for relaying a communication between a terminal and an external communication network, and a method and apparatus for controlling a relay of a communication between a terminal and an external communication network. The method includes receiving safety policy information of the terminal from an external server that stores a plurality of pieces of safety policy information used to control a communication between at least one terminal and the external communication network. | 02-19-2009 |
20090049517 | METHOD AND SYSTEM FOR PERFORMING AN UNTRACEABLE SECRET MATCHING - Performing an untraceable secret matching between a first credential associated with a first property of a first user and a second credential associated with a second property of a second user includes receiving the first credential, receiving a matching reference formed so the first user can detect a matching of the first property with a remote property from a credential of another user, supplying a first nonce value to the second user, receiving a hidden version of the second credential from the second user formed by the second user on the basis of the second credential, the first nonce value supplied by the first user and a random value locally generated on a side of the second user, and performing the matching by combining the first credential and the received hidden credential with the first nonce value and comparing the combination with the matching reference. | 02-19-2009 |
20090049518 | Managing and Enforcing Policies on Mobile Devices - Embodiments of a system configured to manage policies, including decision policies and active policies, on mobile devices are described. The system includes a device policy repository, a policy decision point, a decision policy enforcer, and an active policy enforcer. The system includes a method for enforcing policies on mobile devices that proactively monitors the execution environment and automatically triggers active policies. The method further exports an interface and provides functionality to evaluate and enforce decision policies. The system can combine policies from different sources, including detecting and avoiding policy conflicts. | 02-19-2009 |
20090055887 | PRIVACY ONTOLOGY FOR IDENTIFYING AND CLASSIFYING PERSONALLY IDENTIFIABLE INFORMATION AND A RELATED GUI - Method and system of providing an association between a system's meta-tagged data objects and a list of terms, the association indicating which objects are and are not covered by a given policy, in one aspect, may comprise obtaining a list of terms and a policy that includes one or more of the terms; identifying a plurality of meta-tags used in a system; developing one or more mappings between the terms and the meta-tags; identifying system data objects in the system having one or more meta-tags; creating for each meta-tag of each system data object identified, an association between the system data object and the one or more terms to which the meta-tag is mapped, the association indicating whether the system data object is or is not covered by the policy. | 02-26-2009 |
20090055888 | Self identifying services in distributed computing - A service policy is modified for a service in a distributed computing environment having a service oriented architecture. A client is notified of the modified service policy without use of a service registry. | 02-26-2009 |
20090055889 | System and method for detecting and mitigating the writing of sensitive data to memory - Disclosed is a system and method for detecting and mitigating the writing of sensitive or prohibited information to memory or communication media. The method includes detecting if an application is to write data to a memory, rerouting the writing of that data, and scanning the data for sensitive content or prohibited information. The scanning is done in accordance with one or more information security policies. If sensitive information is detected, the system has the option of issuing an alarm and/or preventing the sensitive information from being written, depending on the security policy. If the system permits the sensitive information to be written to memory, the system may spawn a file watcher object, which waits for a specified amount of time and then checks to see if the sensitive information has been deleted. If not, the system may issue an alarm or erase the sensitive information, depending on the security policy. | 02-26-2009 |
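The write-interception flow described in the abstract above (reroute the write, scan it against policies, block or alarm, then watch for deletion), as an added example that is not the patent's code. The policy vocabulary (`alert`/`block`), the SSN and card-number patterns, the Luhn validator used to suppress false positives, the 30-second grace period and the in-memory `GuardedStore` that stands in for the real memory or file are all constructed for this illustration; time is passed in explicitly so the watcher can be exercised without sleeping.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, Optional

# Constructed policy vocabulary for this example; the page names no concrete actions.
ACTION_ALERT = "alert"    # allow the write, raise an alarm, start a watcher
ACTION_BLOCK = "block"    # refuse the write outright
GRACE_SECONDS = 30.0      # how long sensitive data may stay before the watcher erases it


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to cut false positives on card-number-shaped digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class Policy:
    name: str
    pattern: re.Pattern
    action: str
    validator: Optional[Callable[[str], bool]] = None


POLICIES = [
    Policy("ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), ACTION_BLOCK),
    Policy("pan", re.compile(r"\b(?:\d[ -]?){13,16}\b"), ACTION_ALERT,
           validator=lambda s: luhn_ok(re.sub(r"\D", "", s))),
]


def scan(data: bytes) -> list:
    """Return (policy_name, action) for every policy whose pattern (and validator) matches the data."""
    text = data.decode("utf-8", errors="replace")
    hits = []
    for p in POLICIES:
        if any(p.validator is None or p.validator(m.group(0)) for m in p.pattern.finditer(text)):
            hits.append((p.name, p.action))
    return hits


@dataclass
class GuardedStore:
    """Stand-in for the memory/file the application writes; every write is rerouted through scan()."""
    cells: dict = field(default_factory=dict)
    alarms: list = field(default_factory=list)
    watchers: list = field(default_factory=list)   # (key, deadline, policy_name)

    def write(self, key: str, data: bytes, now: float) -> str:
        hits = scan(data)
        blocked = [name for name, action in hits if action == ACTION_BLOCK]
        if blocked:
            self.alarms.append(f"blocked write to {key}: {blocked}")
            return "blocked"
        for name, _ in hits:              # remaining hits are alert-level: write, alarm, watch
            self.alarms.append(f"alert: {name} written to {key}")
            self.watchers.append((key, now + GRACE_SECONDS, name))
        self.cells[key] = data
        return "written"

    def delete(self, key: str) -> None:
        self.cells.pop(key, None)

    def tick(self, now: float) -> None:
        """File-watcher pass: once the grace period is over, erase data that is still sensitive."""
        pending = []
        for key, deadline, name in self.watchers:
            if now < deadline:
                pending.append((key, deadline, name))
            elif key in self.cells and scan(self.cells[key]):
                self.alarms.append(f"erased {key}: {name} still present after grace period")
                del self.cells[key]
        self.watchers = pending
```

The regex hit is confirmed by the Luhn check before it counts, so a 16-digit order number that fails the checksum is written silently, while a real-looking card number is written with an alarm and a watcher that erases it if it is still there after the grace period.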
20090055890 | SYSTEM AND METHOD FOR SECURITY PLANNING WITH HARD SECURITY CONSTRAINTS - A method for security planning with hard security constraints includes: receiving security-related requirements of a network to be developed using system inputs and processing components; and generating the network according to the security-related requirements, wherein the network satisfies hard security constraints. | 02-26-2009 |
20090055891 | DEVICE, METHOD, AND PROGRAM FOR RELAYING DATA COMMUNICATION - A device, method and computer program product for relaying data communication between a client and a server. A proxy device for relaying data communication between a client and a server includes a receiving unit for receiving an access request directed to the server from the client, a determining unit for determining whether transfer of a response of the server to the access request to the client will take an amount of time equal to or longer than a threshold time period, a dummy message responding unit for sending, in response to a determination result indicating that the transfer of the response will take an amount of time equal to or longer than the threshold time period, a dummy response message for notifying the client that the response of the server will be sent to the client when the response becomes available for transfer, and a transferring unit for transferring, upon the response of the server becoming transferable to the client, the response to the client. | 02-26-2009 |
20090064270 | TEMPLATE BASED FEDERATION OF POLICIES - This disclosure presents a method of federating policies to the underlying policy management systems based on their respective capabilities, a method to federate policies to policy managers when same managed resource is being managed by multiple managers, a method to create and federate policies at lower level policy managers for given policy at higher level integrated policy manager system, and a method to federate policies to autonomic managers using policy templates. | 03-05-2009 |
20090064271 | FILTERING POLICIES FOR DATA AGGREGATED BY AN ESB - Exemplary embodiments of the present invention implement filtering policies to correlate and perform fine-grained access control on aggregated data within an enterprise service bus (ESB) architecture. These filtering policies can be made available externally to a system user during runtime in order to allow changes to be dynamically applied to an ESB flow without the need to modify the flow of the ESB. An ESB architecture has the capability to aggregate services: an ESB can route a service request to call multiple providers, collect all needed data, aggregate the data, and return the data to a requester. The filtering policies can be implemented within a data filtering engine that is comprised within the ESB. | 03-05-2009 |
20090064272 | DATABASE AUTHORIZATION RULES AND COMPONENT LOGIC AUTHORIZATION RULES AGGREGATION - Embodiments of the present invention provide a method, system and computer program product for aggregating database and component logic authorization rules in a multi-tier application. In an embodiment of the invention, a method for aggregating database and component logic authorization rules in a multi-tier application system can include aggregating role-based authorization rules for both a persistence layer and a logic layer of a multi-tier application in a unified policy, distributing the unified policy to both the persistence layer and the logic layer of the multi-tier application, transforming the unified policy into respectively a set of role based permissions for the persistence layer and a set of role based permissions for the logic layer, and applying the set of role based permissions for the persistence layer in the persistence layer, and the set of role based permissions for the logic layer in the logic layer of the multi-tier application. | 03-05-2009 |
20090064273 | Methods and systems for secure data entry and maintenance - Methods and systems are provided for the secure entry and maintenance of data entered via a user input device. A computing device includes a secure processor coupled to one or more user devices. The user devices may be peripheral devices coupled to the secure processor via a wired connection such as a USB or PS/2 interface or via a wireless connection such as Bluetooth. A security boundary associated with the secure processor is established using hardware or cryptographic techniques. Input data received from the user device is stored within the security boundary. Additionally, the secure processor is configured to identify the user peripheral device coupled to the secure processor and to determine whether a request received to access the user peripheral device is allowable based on security policies defined for the user peripheral device. | 03-05-2009 |
20090070852 | Social Network Site Including Invitation Functionality - A social network site with enhanced user interaction functionality. In one implementation, a method includes receiving an invite request from an inviting user, wherein the invite request comprises identifying information associated with an invited user; generating a new account for the invited user; allowing the inviting user to create and customize a proposed personal page for the invited user; transmitting to the invited user an invitation and a link to the proposed personal page; and conditionally receiving a response from the invited user, wherein the response indicates if the invited user has accepted the personal page. | 03-12-2009 |
20090070853 | Security Policy Validation For Web Services - Methods, apparatus, and products are disclosed for security policy validation for web services that include: transforming a security policy for a web service into a policy predicate logic representation; providing a profile predicate logic representation that represents one or more rules of a security policy profile; and determining whether the security policy satisfies the security policy profile in dependence upon the policy predicate logic representation and the profile predicate logic representation. | 03-12-2009 |
20090070854 | METHOD, APPARATUS AND NETWORK FOR NEGOTIATING MIP CAPABILITY - The invention provides a method, an apparatus and a network for negotiating MIP capability in a network, including: negotiating the MIP capability through an Authentication and Authorization process and/or an above-physical layer capability negotiation process, to obtain service information that can be provided by the network. With the invention, the network is allowed to choose whether to provide MIP service and relevant service. | 03-12-2009 |
20090077615 | Security Policy Validation For Web Services - Methods, apparatus, and products are disclosed for security policy validation for web services that include: transforming a security policy for a web service into a policy predicate logic representation; providing a profile predicate logic representation that represents one or more rules of a security policy profile; determining whether the security policy satisfies the security policy profile in dependence upon the policy predicate logic representation and the profile predicate logic representation; and notifying a user that the security policy is valid if the security policy satisfies the security policy profile. | 03-19-2009 |
20090077616 | Handling trust in an IP multimedia subsystem communication network - A method and apparatus for handling trust in an IP Multimedia Subsystem network. A node in the IP Multimedia Subsystem network receives a Session Initiation Protocol message from a remote node. The message includes an indicator indicating the level of trust of a communication sent from the remote node to the IP Multimedia Subsystem node. The node can then apply a security policy to the message, the security policy being determined by the indicator. | 03-19-2009 |
20090077617 | Automated generation of spam-detection rules using optical character recognition and identifications of common features - In a spam detection method and system, optical character recognition (OCR) techniques are applied to a set of images that have been identified as being spam. The images may be provided as the initial training of the spam detection system, but the preferred embodiment is one in which the images are provided for the purpose of updating the spam-detection rules of currently running systems at different locations. The OCR generates text strings representative of content of the individual images. Automated techniques are applied to the text strings to identify common features or patterns, such as misspellings which are either intentionally included in order to avoid detection or introduced through OCR errors due to the text being obscured. Spam-detection rules are automatically generated on the basis of identifications of the common features. Then, the spam-detection rules are applied to electronic communications, such as electronic mail, so as to detect occurrences of spam within the electronic communications. | 03-19-2009 |
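The rule-generation pipeline from the abstract above (OCR text strings from known-spam images, common features across them, confusable-tolerant rules, rules applied to incoming mail), as an added example that is not the patent's implementation. The three OCR output strings are constructed, the confusable-character table is a small hand-written approximation of common OCR and spammer substitutions, and the support threshold and two-feature verdict are arbitrary choices for the illustration; OCR itself is out of scope, so the block starts from the text the OCR step would have produced.

```python
import math
import re
from collections import Counter

# Characters OCR commonly confuses, or spammers substitute, for each letter (constructed table).
CONFUSABLE = {"a": "@4", "b": "8", "e": "3", "i": "1l|!", "o": "0", "s": "5$", "t": "7+"}
NORMALIZE = {alt: letter for letter, alts in CONFUSABLE.items() for alt in alts}
STOPWORDS = {"this", "that", "with", "from", "your", "have", "will", "they"}


def tokens(text: str) -> set:
    """Normalised word set of one OCR string: every confusable maps to its base letter, so
    'v1agra', 'vlagra' and 'VIAGRA' all become the same feature. A set, so each image votes once."""
    words = re.findall(r"[A-Za-z0-9@$|!+]+", text.lower())
    return {"".join(NORMALIZE.get(c, c) for c in w) for w in words}


def char_class(c: str) -> str:
    """Regex character class accepting the letter, its confusables and both cases."""
    variants = {c, *CONFUSABLE.get(c, "")}
    variants |= {v.upper() for v in variants}
    return "[" + "".join(re.escape(v) for v in sorted(variants)) + "]"


def generate_rules(ocr_texts: list, min_support: float = 0.6, min_len: int = 4) -> dict:
    """Features present in at least min_support of the spam images become confusable-tolerant rules."""
    df = Counter()
    for text in ocr_texts:
        df.update(tokens(text))
    needed = math.ceil(min_support * len(ocr_texts))
    rules = {}
    for tok, n in df.items():
        if n >= needed and len(tok) >= min_len and tok not in STOPWORDS and not tok.isdigit():
            # one optional non-word character between letters catches "v.i.a.g.r.a" style spacing
            rules[tok] = re.compile(r"\W?".join(char_class(c) for c in tok))
    return rules


def matched_features(message: str, rules: dict) -> list:
    return sorted(tok for tok, rx in rules.items() if rx.search(message))


def is_spam(message: str, rules: dict, threshold: int = 2) -> bool:
    return len(matched_features(message, rules)) >= threshold


# Constructed OCR output for three images already labelled as spam.
SPAM_OCR = [
    "CHEAP V1AGRA ONLINE",
    "cheap vlagra 0nline now!!",
    "Buy VIAGRA cheap on1ine",
]
```

Normalising before counting is what lets intentional misspellings and OCR errors vote for the same feature; the generated rule then re-expands each letter so that variants not seen in training still match. Requiring two distinct features before a verdict keeps a single ordinary word such as "online" from flagging legitimate mail.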
20090077618 | Segmented Network Identity Management - A service category associates a set of authenticators and a set of authentication and authorization policies. When an authenticator attempts to connect to the network, the service category for that authenticator is determined and the authentication and authorization policies are applied. A feature of the present invention is that these policies are segmented into several sub-policies to support multiple services and apply different authentication and authorization policies for each type of service. These sub-policies are a tunnel policy, a credential validation policy, an inner tunnel policy and an authorization policy. Successful negotiation of each policy allows the authenticator to connect to the network. | 03-19-2009 |
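A minimal evaluator for the segmented scheme in the abstract above, as an added example and not the patent's design: the authenticator selects a service category, and the category's four sub-policies (tunnel, credential validation, inner tunnel, authorization) run in that order, each able to reject on its own. The access points, the two service categories, the EAP method names, the salted-PBKDF2 user store and the group-to-VLAN mapping are all constructed for the illustration; a real deployment would back the credential step with a directory and issue the VLAN as a RADIUS attribute.

```python
import hashlib
import hmac
from dataclasses import dataclass, field


@dataclass
class Decision:
    accepted: bool
    stage: str                      # sub-policy (or pre-step) that produced the decision
    attributes: dict = field(default_factory=dict)


# Constructed user store: salted password hashes and group membership (not a real directory).
_SALT = b"example-salt"


def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


USERS = {
    "alice": {"hash": _hash("correct horse"), "groups": {"staff"}},
    "vendor": {"hash": _hash("battery staple"), "groups": {"contractors"}},
}


# Each sub-policy is a callable: request -> (ok, detail). Detail carries a reason on failure
# or attributes (e.g. the VLAN) on success.
def tunnel_policy(allowed_outer):
    def check(req):
        ok = req["outer_method"] in allowed_outer
        return ok, {} if ok else {"reason": f"outer method {req['outer_method']} not permitted"}
    return check


def credential_validation_policy(req):
    user = USERS.get(req["username"])
    if user is None:
        return False, {"reason": "unknown user"}
    ok = hmac.compare_digest(user["hash"], _hash(req["password"]))
    return ok, {} if ok else {"reason": "bad password"}


def inner_tunnel_policy(allowed_inner):
    def check(req):
        ok = req["inner_method"] in allowed_inner
        return ok, {} if ok else {"reason": f"inner method {req['inner_method']} not permitted"}
    return check


def authorization_policy(vlan_by_group):
    def check(req):
        groups = USERS[req["username"]]["groups"]      # credential step has already validated the user
        for group, vlan in vlan_by_group.items():
            if group in groups:
                return True, {"vlan": vlan}
        return False, {"reason": "no group is authorized for this service"}
    return check


@dataclass
class ServiceCategory:
    name: str
    authenticators: set
    sub_policies: list              # ordered (stage_name, check) pairs


CATEGORIES = [
    ServiceCategory("corporate-wifi", {"ap-hq-1", "ap-hq-2"}, [
        ("tunnel", tunnel_policy({"PEAP", "EAP-TTLS"})),
        ("credential_validation", credential_validation_policy),
        ("inner_tunnel", inner_tunnel_policy({"EAP-MSCHAPv2", "EAP-TLS"})),
        ("authorization", authorization_policy({"staff": 10, "contractors": 20})),
    ]),
    ServiceCategory("guest-wifi", {"ap-lobby"}, [
        ("tunnel", tunnel_policy({"EAP-TTLS"})),
        ("credential_validation", credential_validation_policy),
        ("inner_tunnel", inner_tunnel_policy({"PAP"})),
        ("authorization", authorization_policy({"contractors": 99})),
    ]),
]


def evaluate(request: dict) -> Decision:
    """Select the service category by authenticator, then negotiate each sub-policy in order."""
    category = next((c for c in CATEGORIES if request["authenticator"] in c.authenticators), None)
    if category is None:
        return Decision(False, "service_category", {"reason": "unknown authenticator"})
    attributes = {}
    for stage, check in category.sub_policies:
        ok, detail = check(request)
        if not ok:
            return Decision(False, stage, detail)
        attributes.update(detail)
    return Decision(True, "authorization", attributes)
```

Because the same credential store is shared, the segmentation is what differs per service: the guest category refuses PEAP at the tunnel stage before any credential is examined, and the corporate category places contractors on their own VLAN at the authorization stage.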
20090077619 | METHOD AND SYSTEM FOR DYNAMIC PROTOCOL DECODING AND ANALYSIS - A method for dynamically decoding protocol data on a computer system is provided using a protocol decoder, which inspects and analyzes protocol data received by the computer system. A protocol decoding program controls the decoding and analysis process. The method may be used by an intrusion prevention system to identify anomalous protocol data that may cause harm to applications receiving the data. | 03-19-2009 |
20090077620 | Method and System for Location-Based Wireless Network - Described are a method and a system for granting and denying network access to a device based on a location of that device. A method includes determining a current location of at least one mobile unit, permitting network access to a wireless network to the mobile unit if a network access policy of the mobile unit is configured to permit network access for the current location, and denying network access to the wireless network to the mobile unit if the network access policy of the mobile unit is configured to restrict network access for the current location. The system includes a processor generating network access policy data for at least one mobile unit, the network access policy data configured to one of permit network access and restrict network access for the at least one mobile unit depending on a location of the at least one mobile unit within an operating environment, a wireless switch providing a wireless network infrastructure, a location determination module calculating a current location of the at least one mobile unit, and a plurality of wireless access points in communication with the wireless switch, wherein each one of the wireless access points one of permits network access and restricts network access to the at least one mobile unit based on the current location and the network access policy data for the at least one mobile unit. | 03-19-2009 |
20090077621 | METHOD AND SYSTEM FOR MANAGING SECURITY POLICIES - A system and method of managing security policies in an information technologies (IT) system are provided. In an example, the method includes receiving an input indicating a high-level security policy for the IT system, the received high-level security policy relating to non-functional system attributes for the IT system and received in a format that is not machine-enforceable at an enforcement entity of the IT system. A functional model for the IT system is determined, where the functional model indicates functional system attributes of the IT system. At least one pre-configured rule template is loaded, and at least one machine-enforceable rule is generated in a manner compliant with the received high-level security policy by iteratively filling the at least one pre-configured rule template with functional system attributes indicated by the functional model. After the generating step, the at least one machine-enforceable rule can be distributed (e.g., to an enforcement entity, an Intrusion Detection System (IDS), etc.). In another example, the receiving, determining, loading, generating and distributing steps can be performed at a policy node within an IT system. | 03-19-2009 |
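The template-filling step from the abstract above (a high-level, non-enforceable policy plus a functional model of the system yields machine-enforceable rules by iterating the templates over the model), as an added example that is not the patent's method. The three-tier functional model, the tier-to-tier policy entries, the iptables-style templates and the per-host distribution are all constructed for the illustration; the only thing the model decides here is which concrete hosts and ports fill each placeholder.

```python
# Constructed functional model: tiers, their hosts, and the services they expose.
FUNCTIONAL_MODEL = {
    "web": {"hosts": ["10.0.1.10", "10.0.1.11"], "services": {"https": 443}},
    "app": {"hosts": ["10.0.2.20"], "services": {"api": 8443}},
    "db":  {"hosts": ["10.0.3.30"], "services": {"postgres": 5432}},
}

# High-level policy as received: which tier may consume which service of which tier.
# It names no addresses or ports, so nothing here is enforceable as-is.
HIGH_LEVEL_POLICY = [
    {"from": "internet", "to": "web", "service": "https"},
    {"from": "web", "to": "app", "service": "api"},
    {"from": "app", "to": "db", "service": "postgres"},
]

# Pre-configured rule templates; placeholders are filled from the functional model.
ALLOW_TEMPLATE = "-A FORWARD -s {src} -d {dst} -p tcp --dport {port} -j ACCEPT"
DENY_TEMPLATE = "-A FORWARD -s {src} -d {dst} -j DROP"


def generate_rules(policy, model):
    """Fill the templates for every concrete (source host, destination host, port) tuple.
    Allowed flows are emitted first; every inter-tier pair the policy never mentions gets an
    explicit DROP, so the generated set is deny-by-default between tiers."""
    rules, allowed_pairs = [], set()
    for entry in policy:
        port = model[entry["to"]]["services"][entry["service"]]
        sources = ["0.0.0.0/0"] if entry["from"] == "internet" else model[entry["from"]]["hosts"]
        for src in sources:
            for dst in model[entry["to"]]["hosts"]:
                rules.append(ALLOW_TEMPLATE.format(src=src, dst=dst, port=port))
        allowed_pairs.add((entry["from"], entry["to"]))
    for src_tier, src_info in model.items():
        for dst_tier, dst_info in model.items():
            if src_tier != dst_tier and (src_tier, dst_tier) not in allowed_pairs:
                for src in src_info["hosts"]:
                    for dst in dst_info["hosts"]:
                        rules.append(DENY_TEMPLATE.format(src=src, dst=dst))
    return rules


def distribute(rules, model):
    """Hand each host only the rules in which it is the destination (its own enforcement point)."""
    per_host = {h: [] for info in model.values() for h in info["hosts"]}
    for rule in rules:
        dst = rule.split(" -d ")[1].split()[0]
        if dst in per_host:
            per_host[dst].append(rule)
    return per_host
```

Regenerating after the model changes (a new app host, a moved port) is the point of keeping the policy at tier level: the rule set follows the functional model, and nothing has to be hand-edited on the enforcement hosts.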
20090077622 | Security Network Integrated With Premise Security System - An integrated security system is described that integrates broadband and mobile access and control with conventional security systems and premise devices to provide a tri-mode security network (broadband, cellular/GSM, POTS access) that enables users to remotely stay connected to their premises. The integrated security system, while delivering remote premise monitoring and control functionality to conventional monitored premise protection, complements existing premise protection equipment. The integrated security system integrates into the premise network and couples wirelessly with the conventional security panel, enabling broadband access to premise security systems. Automation devices (cameras, lamp modules, thermostats, etc.) can be added, enabling users to remotely see live video and/or pictures and control home devices via their personal web portal or webpage, mobile phone, and/or other remote client device. Users can also receive notifications via email or text message when happenings occur, or do not occur, in their home. | 03-19-2009 |
20090077623 | Security Network Integrating Security System and Network Devices - An integrated security system is described that integrates broadband and mobile access and control with conventional security systems and premise devices to provide a tri-mode security network (broadband, cellular/GSM, POTS access) that enables users to remotely stay connected to their premises. The integrated security system, while delivering remote premise monitoring and control functionality to conventional monitored premise protection, complements existing premise protection equipment. The integrated security system integrates into the premise network and couples wirelessly with the conventional security panel, enabling broadband access to premise security systems. Automation devices (cameras, lamp modules, thermostats, etc.) can be added, enabling users to remotely see live video and/or pictures and control home devices via their personal web portal or webpage, mobile phone, and/or other remote client device. Users can also receive notifications via email or text message when happenings occur, or do not occur, in their home. | 03-19-2009 |
20090077624 | Forming A Security Network Including Integrated Security System Components and Network Devices - An integrated security system is described that integrates broadband and mobile access and control with conventional security systems and premise devices to provide a tri-mode security network (broadband, cellular/GSM, POTS access) that enables users to remotely stay connected to their premises. The integrated security system, while delivering remote premise monitoring and control functionality to conventional monitored premise protection, complements existing premise protection equipment. The integrated security system integrates into the premise network and couples wirelessly with the conventional security panel, enabling broadband access to premise security systems. Automation devices (cameras, lamp modules, thermostats, etc.) can be added, enabling users to remotely see live video and/or pictures and control home devices via their personal web portal or webpage, mobile phone, and/or other remote client device. Users can also receive notifications via email or text message when happenings occur, or do not occur, in their home. | 03-19-2009 |
20090077625 | ASSOCIATING INFORMATION RELATED TO COMPONENTS IN STRUCTURED DOCUMENTS STORED IN THEIR NATIVE FORMAT IN A DATABASE - A system for associating information related to a component of a structured document that is stored in its native format in a database system includes generating a hierarchical node tree comprising a plurality of nodes, where each node represents a component in the structured document, and generating a path associated with each node, where the path follows the hierarchical structure of the structured document from a root node to the node. In each node, an identifier associated with the path is stored. A table is provided that correlates the identifier with information related to the associated path. The information applies to the component represented by the node. | 03-19-2009 |
20090077626 | METHOD AND DEVICE FOR COMMUNICATION ON A COMMUNICATION LINK BETWEEN AN AIRCRAFT AND A GROUND STATION - A communication method on a communication link between an aircraft and a ground station, the communication capable of being configured according to a plurality of safety levels in which, when the aircraft sends a request to a ground station to modify the safety level of the communication from a previous safety level to a new safety level and the aircraft does not receive an acknowledgement of the request by the ground station, the aircraft still accepts messages from the ground station according to the new safety level. | 03-19-2009 |
20090077627 | INFORMATION CARD FEDERATION POINT TRACKING AND MANAGEMENT - A client can store information about federation points. A federation point is a combination of an identifier of an account on a relying party and an identifier of an information card. The client can track which information cards are included in various federation points, and can use this information to assist the user in performing a transaction with relying parties. | 03-19-2009 |
20090083826 | UNSOLICITED COMMUNICATION MANAGEMENT VIA MOBILE DEVICE - A system that can effectively screen or filter incoming communications to a mobile device is disclosed. The innovation can filter voice calls, emails, instant messages, text messages, etc. via a mobile device (e.g., cellular telephone, smartphone, personal digital assistant (PDA), notebook computer). In accordance with the innovation, callers (or senders) are prompted to prove their ‘identity’ as an acceptable (or authorized) identity in order to be permitted to communicate with a mobile device. Accordingly, the innovation prompts a caller (or sender) with a challenge that requires a human input (e.g., human interactive programming (HIP)), which can effectively filter automated machine communication as well as unwanted human communication such as spam. This filtering can be based on most any policy, rule, context-awareness factor. | 03-26-2009 |
20090083827 | SYSTEM AND METHOD FOR CIRCUMVENTING INSTANT MESSAGING DO-NOT-DISTURB - A system and method for circumventing a do-not-disturb status of an instant messaging user including defining a policy of circumvention rights for circumventing do-not-disturb status in instant messaging. A do-not-disturb status of an instant messaging user is identified, and the do-not-disturb status of the instant messaging user is circumvented based upon the policy of circumvention rights. | 03-26-2009 |
20090083828 | METHOD OF ARMING-DISARMING SECURITY PANEL OVER UN-ENCRYPTED COMMUNICATION PATHS - A method and system for remotely controlling a security panel of a security alarm system over un-encrypted communication paths are provided. In one aspect, a message is received in plain text over an un-encrypted communication path, for example, from a remote device to control a security panel of a security system installed at a premise. The plain text message is correlated to a security panel command and the security panel command is sent to a security panel installed at the premise. The security panel executes the command and sends a confirmation status message. The status message is correlated to a second plain text message and communicated over the un-encrypted communication path to the remote device that initiated the command. | 03-26-2009 |
20090083829 | COMPUTER SYSTEM - The present invention is directed to computer systems, methods and/or hardware where one or more guest operating systems exchange instructions with the processing hardware (see DEFINITIONS section) through a controller kernel. Even though the instructions are exchanged through the controller kernel, rather than directly between the OS and the processing hardware, the controller kernel does not change the instructions out of native form. The controller kernel refrains from virtualizing or emulating the instructions. For this reason, the controller kernel cannot be considered to be and/or include middleware, a hypervisor or VMM. The use of the controller kernel can be helpful in computer systems with multiple guest OS's because it allows multiple containerized OS's to simultaneously run on a single set of processing hardware. For example, the multiple containerized OS's can be used to run multiple terminals. The use of the controller kernel may also be useful even if there is a single guest operating system. For example, a LINUX controller kernel has been found to speed up the operation of the Windows Vista operating system running as the guest OS, relative to the speed of Windows Vista running directly on the same processing hardware in the conventional way. | 03-26-2009 |
20090083830 | Systems and Methods of Controlling Network Access - A new approach to network security includes manipulating an access point such that an initial communication from an external device is passed to a restricted subset of a computing network including a gatekeeper. The gatekeeper is configured to enforce a security policy against the external device before granting access to a less-restricted subset of the computing network. If requirements of the security policy are satisfied, then the gatekeeper reconfigures the access point such that further communication from the external device may be received by elements of the less-restricted subset. Enforcement of the security policy optionally includes performing a security audit of the external device. | 03-26-2009 |
20090083831 | ACCESS CONTROL DECISION SYSTEM, ACCESS CONTROL ENFORCING SYSTEM, AND SECURITY POLICY - In an access control decision system, when an access decision request is received, first information indicated by the access decision request is converted into second information at a higher level of abstraction. Next, the access control for the subject information is determined by referring, on the basis of the second information, to a security policy that is specified abstractly, and a decision result showing the access control for the subject information is sent to the request originator that sent the access decision request. | 03-26-2009 |
20090089857 | IDENTITY-BASED ADDRESS NORMALIZATION - In various embodiments, techniques for identity-based address normalization are provided. A principal attempts to access a resource via a principal-supplied address. A principal identity for the principal is used to acquire one or more address patterns. The principal-supplied address is compared against the one or more address patterns and when a match is detected, the principal-supplied address is normalized according to policy associated with the matched pattern. Additional access limitations and security restrictions are then enforced in response to the normalized address. | 04-02-2009 |
20090094664 | Integrated Guidance and Validation Policy Based Zoning Mechanism - A mechanism is provided to automatically retrieve zoning best practices from a centralized repository and to ensure that automatically generated zones do not violate these best practices. A user selects a set of hosts and storage controllers. The user also selects a guidance policy for creating the zone, and also selects a set of validation policies that must be enforced on the zone. If the user selects a guidance policy and a validation policy combination that is incompatible, the mechanism allows the user to change either the selected guidance policy or the set of validation policies. If the user has selected consistent-zoning as a guidance policy, then the mechanism automatically selects a guidance policy that does not violate the known validation policies. | 04-09-2009 |
20090094665 | Monitoring and Controlling Network Communications - Aspects of the subject matter described herein relate to monitoring and controlling network communications. In aspects, communication components receive a communication from a node. The communication components determine a potential use of the communication that may be used for reporting and enforcement purposes. The communication components monitor subsequent communications and store usage information including duration in a store. In addition, the communication components may enforce a policy that depends on the potential use of a communication and the usage information. | 04-09-2009 |
20090094666 | DISTRIBUTING POLICIES TO PROTECT AGAINST VOICE SPAM AND DENIAL-OF-SERVICE - In one embodiment, a network device generates a protection policy responsive to identifying undesired voice data traffic. The network device then distributes the generated protection policy along a call path used for transferring the undesired voice data traffic. The proxy may distribute the protection policy by inserting the protection policy in a call response or other message that traces the call path back to a calling endpoint. | 04-09-2009 |
20090094667 | Method and Apparatus for Automatic Determination of Authorization Requirements While Editing or Generating Code - Systems and methods are presented for automatically determining the security requirements of program code during the creation or modification of that program code and for presenting the necessary security permissions to a developer of the program code at the time of the creation or modification of the program code. A cache is established containing program code segments including library calls and application program interfaces that require security permissions at runtime. The cache also includes the security permissions associated with the stored program code segments. Program code editing is monitored in real time during the editing, and instances of edits that add, modify or delete the stored program code segments from the program code being edited are identified. The security permissions associated with the program code segments that are modified by the edits are retrieved from the cache. The retrieved security permissions are immediately presented to the developer in an interactive format that provides the developer with the ability to accept or decline the necessary changes to the security permissions. | 04-09-2009 |
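The core of the abstract above, a cache of code segments mapped to the permissions they need at runtime and a check run over an edit to report which permissions the edit adds or removes, as an added example that is not the patent's tool. The cache contents (which call needs which permission), the permission names and the before/after source strings are all constructed for the illustration; the block uses Python's own `ast` module to find calls and to resolve `import ... as` and `from ... import` aliases back to the cached names, which a plain text match would miss.

```python
import ast

# Hypothetical cache of code segments that require a runtime permission (constructed entries).
PERMISSION_CACHE = {
    "os.remove": "fs.delete",
    "os.unlink": "fs.delete",
    "shutil.rmtree": "fs.delete",
    "subprocess.run": "process.spawn",
    "subprocess.Popen": "process.spawn",
    "socket.socket": "net.connect",
    "urllib.request.urlopen": "net.http",
    "open": "fs.open",
}


def _dotted_name(node):
    """Turn a Name/Attribute chain such as `a.b.c` into ['a', 'b', 'c'], or None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return parts[::-1]
    return None


def required_permissions(source: str) -> set:
    """Permissions implied by the library calls in `source`, after resolving import aliases."""
    tree = ast.parse(source)
    aliases = {}                         # local name -> fully qualified name
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for a in node.names:
                if a.asname:
                    aliases[a.asname] = a.name          # import os.path as p  -> p: os.path
                else:
                    top = a.name.split(".")[0]
                    aliases[top] = top                  # import urllib.request -> urllib: urllib
        elif isinstance(node, ast.ImportFrom) and node.module:
            for a in node.names:
                aliases[a.asname or a.name] = f"{node.module}.{a.name}"
    perms = set()
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        parts = _dotted_name(node.func)
        if parts is None:                # e.g. a call on a call result; not resolvable statically
            continue
        parts[0] = aliases.get(parts[0], parts[0])
        perm = PERMISSION_CACHE.get(".".join(parts))
        if perm:
            perms.add(perm)
    return perms


def diff_permissions(before: str, after: str):
    """What an edit adds to and removes from the permission set, for presenting to the developer."""
    old, new = required_permissions(before), required_permissions(after)
    return new - old, old - new
```

An editor integration would call `diff_permissions` on each save (or keystroke) and show the added set as the permissions the developer must accept, and the removed set as the ones that can be dropped from the manifest to keep it at least-privilege.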
20090094668 | EMAIL PRIVACY SYSTEM AND METHOD - A method of protecting identity privacy of a recipient of an electronic mail message from a sender to the recipient is disclosed. The method includes identifying a privacy policy within an address book entry corresponding to the recipient within an address book associated with the sender. The method further includes sending the electronic mail message from the sender to the recipient via a network in accordance with the identified privacy policy. | 04-09-2009 |
20090094669 | Detecting fraud in a communications network - The application relates to a method and apparatus for ranking data relating to use of a communications network according to the likelihood that the use is fraudulent. A first data set is received, comprising a plurality of parameter values for each of a plurality of observed fraudulent uses of the communications network, and a first model is established for the parameters of the first data set. A second data set is received, comprising a plurality of parameter values for each of a plurality of observed non-fraudulent uses of the communications network, and a second model is established for the parameters of the second data set. A third data set is then received, comprising a plurality of parameter values relating to a subsequent use of the communications network. The third data set is applied to the first and second models, the likelihoods that the third data set is compatible with each model are determined, and a ranking for the subsequent use within a plurality of subsequent uses to be investigated for fraud is determined from the respective likelihoods. | 04-09-2009 |
20090094670 | SECURITY APPARATUS AND METHOD FOR ALL-IN-ONE MOBILE DEVICE USING SECURITY PROFILE - The present invention relates to a security apparatus and method for an all-in-one mobile device using a security profile. A security profile of the mobile device is set in a manual mode or an automatic mode according to the user's level of security knowledge, and when environmental factors of the mobile device vary or the user requests a change of security level, the security profile is dynamically or statically reconstructed. This structure can rapidly resolve a security problem and enables a user with little security knowledge and a limited understanding of the device's functions to easily set a security function. | 04-09-2009 |
20090094671 | System, Method and Apparatus for Providing Security in an IP-Based End User Device - The present invention provides a system, method and apparatus for providing security in an IP-based end user device, such as personal computer clients, hard phones, soft phones, cellular phones, dual-mode phones, handheld communication devices, wireless communications devices and any other device capable of supporting real-time IP-based applications. An application layer, a TCP/IP layer and a datalink layer of the IP-based end user device are monitored. Whenever an incoming session is detected and analyzed, the incoming session is accepted if one or more session security parameter(s) are satisfied and denied if they are not. Whenever an incoming packet is detected and analyzed, the incoming packet is processed if one or more packet security parameter(s) are satisfied and dropped if they are not. | 04-09-2009 |
20090094672 | Universal serial bus selective encryption - A method to interact with a remote USB device is disclosed. An identifying message is received from a remote client associated with the remote USB device. The remote USB device is identified based at least in part on the identifying message from the remote client. A security policy is determined for the remote USB device. A policy message is transmitted to the remote client for selectively implementing the security policy of the remote USB device. A method to interact with a local USB device is also disclosed. An identifying message is determined by performing a host controller service for the local USB device. The identifying message is transmitted to a server. A policy message is received from the server for selectively implementing a security policy on the local USB device. The security policy is observed by configuring the host controller service accordingly. | 04-09-2009 |
20090094673 | METHOD AND SYSTEM FOR INTEGRATED SECURING AND MANAGING OF VIRTUAL MACHINES AND VIRTUAL APPLIANCES - A method and system for the integrated securing and managing of virtual machines and virtual appliances (VAs) are presented. Sealing the virtual appliance at the computer of a sender, verifying the authenticity of the sender at a recipient computer and managing the execution of the VA are performed in a seamless fashion. | 04-09-2009 |
20090094674 | INFORMATION AGGREGATION, PROCESSING AND DISTRIBUTION SYSTEM - A utility is provided for managing exchanges of information within a context involving multiple users, for example, multi-user network collaboration. The invention enables automatic enforcement of a policy regarding sensitive information. The policy may be negotiated among the users and expressed as multiple rule sets that govern access to and use of sensitive information. The utility also logs activities involving sensitive information to ensure compliance with the policy. These logs can be audited by a third party or automatically processed for audit compliance by the utility. In this manner, an environment of trust is created which encourages fruitful collaboration. | 04-09-2009 |
20090094675 | SYSTEM AND PROGRAM PRODUCT FOR AUTOMATICALLY MANAGING INFORMATION PRIVACY - A request including a call for the information in a bean and a purpose for the call is received. Upon receipt, the purpose is compared to a privacy control policy that is packaged with the bean. If the purpose complies with the privacy control policy, the requested access and/or use of the information is permitted. | 04-09-2009 |
20090100497 | METHOD AND APPARATUS FOR PREVENTING A SET OF USERS FROM ACCESSING A MESSAGE IN AN INSTANT MESSAGING SYSTEM - The illustrative embodiments described herein provide a computer-implemented method, apparatus, and computer program product for preventing a set of users from accessing a message in an instant messaging system. The process determines whether a message received by a receiving computing device from a sending computing device is undetected by a set of users associated with the receiving computing device. The process notifies the sending computing device that the message is undetected by the set of users in response to determining that the message is undetected by the set of users associated with the receiving computing device. The process prevents the set of users from accessing the message in response to receiving a request to prevent the set of users from accessing the message. | 04-16-2009 |
20090100498 | METHOD AND SYSTEM FOR ANALYZING POLICIES FOR COMPLIANCE WITH A SPECIFIED POLICY USING A POLICY TEMPLATE - A method and system are disclosed for analyzing policies for compliance with a specified policy. The method comprises the steps of creating a policy template representing said specified policy, and comparing a group of given policies to said policy template to determine whether said given policies conflict with said specified policy. In the preferred embodiment of the invention, the specified policy may include specified rules, the given policies include a plurality of given rules, and the policy template expresses said specified rules. In this preferred embodiment, the comparing step includes the step of comparing said plurality of given rules to the policy template to determine whether any of said given rules conflicts with said specified rules. In addition, preferably, if conflicts are found between said given policies and said specified policy, the given policies are modified to eliminate the conflicts. | 04-16-2009 |
20090100499 | Database System and Method for Encryption and Protection of Confidential Information - A database system for encryption and protection of confidential data is provided. The database system includes a data source system receiving confidential data and first associated data. A secure data network interface system is connected to the data source system over an open network, the data network interface system receives the confidential data and the first associated data from the data source system and further comprises a secure data storage system coupled to the data network interface system and isolated from the open network, a data encryption system generating a unique encrypted identifier for the confidential data, and a data association system associating the confidential data with the unique encrypted identifier and storing the confidential data, the first associated data and the unique encrypted identifier in the secure data storage system. | 04-16-2009 |
20090106815 | METHOD FOR MAPPING PRIVACY POLICIES TO CLASSIFICATION LABELS - A method and system are disclosed for mapping a privacy policy into classification labels for controlling access to information on a computer system or network, said privacy policy including one or more rules for determining which users can access said information. The method comprises the steps of parsing said one or more rules of the privacy policy; sorting the one or more rules into one or more sets; and, for each set of rules, (i) forming a logical statement from the rules of said each set, and (ii) using said logical statement to create associated privacy labels that allow access to said information. In a preferred embodiment, each of the rules is associated with a user category, a data category and a purpose category; and the rules in each set of rules have the same user category, the same data category, and the same purpose category. | 04-23-2009 |
20090106816 | INFORMATION PROCESSING APPARATUS, CONTENT PROCESSING METHOD, AND COMPUTER PROGRAM PRODUCT THEREOF - When a conflict occurs among usage rules for content data, a verification on the content data is made in accordance with the conflict solution policy defined in the usage rule for each of the content data. Available content data are determined in correspondence with a combination of grant verification results individually made on the content data. | 04-23-2009 |
20090106817 | SECURITY MANAGEMENT APPARATUS, SECURITY MANAGEMENT SYSTEM, SECURITY MANAGEMENT METHOD, AND SECURITY MANAGEMENT PROGRAM - A security management apparatus is capable of taking various security measures while referencing machine information and is therefore flexible and widely applicable. The apparatus includes a security diagnostic unit that makes a security diagnosis on the basis of security information obtained from a security information providing apparatus (which provides information concerning security in a network) and on the basis of machine information obtained from at least one network machine connected to the network, in order to judge the type of security-related processing to be executed for the network machine and whether that processing needs to be executed at all. A security execution unit executes predetermined security measure processing for the network machine on the basis of the diagnosis made by the security diagnostic unit. | 04-23-2009 |
20090106818 | SELECTIVELY AUTHORIZING SOFTWARE FUNCTIONALITY AFTER INSTALLATION OF THE SOFTWARE - Controlling access to functionality within an installed software product. The invention includes an authorization module that dynamically references authorization information when specific functionality is requested by a requesting entity such as a user or an application program to determine if the requested functionality is authorized to be executed. Further, the invention dynamically provides an opportunity to the requesting entity to purchase unauthorized functionality. In this manner, functionality within the software product may be enabled or disabled at any time (e.g., during installation, post-installation, and re-installation). | 04-23-2009 |
20090106819 | METHOD AND SYSTEM FOR PROVIDING, USING RIGHTS DESCRIPTION - A method for providing rights description includes generating a rights expression for controlling the use of digital contents, where the rights expression uses a parameter constant to describe permission and constraint of the rights and uses a parameter variable to describe consumption state information of the rights, and providing the terminal device with the rights expression. A method for using rights description includes obtaining the rights expression for controlling the use of digital contents, transferring the value of the rights consumption state to the corresponding parameter variable in the rights expression, executing the rights expression to obtain the remaining consumption state information of the rights, and using the digital contents according to the remaining consumption state information. The disclosure also discloses a server, a terminal device, and a DRM system. The technical solution under the present disclosure extends the rights description language without upgrading the terminal device and sets the logic relations between different rights items flexibly. | 04-23-2009 |
20090113514 | Cascading Policy Management Deployment Architecture - Systems and methods are provided to implement a dynamic and efficient cascading policy management framework architecture for both wired and wireless networks. A plurality of Policy Functions (PFs) are assigned to a plurality of Policy Enforcement Points (PEPs). The PFs make decisions regarding local policy control at the specific PEP. The PFs then delegate the policy requests or IP flows to a separate PEP that is better placed to enforce that policy request. Thus, policy decisions are made at the point where the most information is available, so that fewer policy requests traverse back and forth across the network. Additionally, this cascading Policy Management Framework Architecture allows for unified policy management across multiple types of networks, including wired (Internet) and wireless (UMTS). | 04-30-2009 |
20090113515 | ALLOCATION OF ON-LINE MONITORING RESOURCES - Methods, apparatuses, and techniques for adjusting the level of monitoring of user activity in an online community are described. A triggering mechanism is activated by a community member in response to inappropriate activity by another community member. A time-based history of community members' activity around the time the triggering mechanism was activated is received, and the community activity is recreated from that history. The activities of the community members are evaluated to determine whether there was inappropriate activity and, if there was, online resources are applied to track the activities of the offending community member. | 04-30-2009 |
20090113516 | Setting Policy Based on Access Node Location - Policy setting in an access node remotely located from a controller. A remote access node connects to a controller over a digital network such as the internet. Operating policy is established based on the location of the access node. In one embodiment, the location of the access node is determined through a GPS receiver associated with the node. In a second embodiment, the location of the access node is determined through its public IP address. Location information is used to establish policy at the access node, which may include aspects such as operating parameters, access controls, and availability of services through the controller. | 04-30-2009 |
20090113517 | Security state aware firewall - A network firewall may apply policies to packets based on a security classification. Packets with an authenticated and established security connection may be handled at a high throughput, while packets with unauthenticated connections may be handled at a low throughput or even discarded. In some embodiments, three or more levels of security classification may be used to process packets at different speeds or priorities. In some embodiments, one device may classify and tag each packet, while another device within the network may process the packets according to the tags. | 04-30-2009 |
20090113518 | Method for Establishing a Person as a User in a System - Dependents of benefit plan participants can be given access to personal information of a plan participant. The dependents, who are not existing users or members of the plan, can be allowed access to some or all of the personal information associated with the plan participant. | 04-30-2009 |
20090113519 | PARENTAL CONTROLS FOR ENTERTAINMENT CONTENT - Parental controls for entertainment digital media are provided that allow a parent to restrict multiple users' access to entertainment content. One or more updatable rating definition files with dynamic data are used to define rating levels and content descriptors for a regional rating system. Entertainment content definition files define the rating level and content descriptors for entertainment content. User permission settings define a particular user's access rating level and content descriptors. The rating definition file can be used to compare the entertainment content definition file against the user permission settings when determining whether a user is allowed access to particular entertainment content. | 04-30-2009 |
20090119740 | ADJUSTING FILTER OR CLASSIFICATION CONTROL SETTINGS - Methods and systems for adjusting control settings associated with filtering or classifying communications to a computer or a network. The adjustment of the control settings can include adjustment of policy and/or security settings associated with the computer or network. Ranges associated with the control settings can also be provided in some implementations. | 05-07-2009 |
20090119741 | METHOD AND SYSTEM FOR PROVIDING WIRELESS VULNERABILITY MANAGEMENT FOR LOCAL AREA COMPUTER NETWORKS - A Software-as-a-Service (SaaS) based method for providing wireless vulnerability management for local area computer networks. The method includes providing a security server being hosted by a service provider entity to provide analysis of data associated with wireless vulnerability management for a plurality of local area computer networks of a plurality of customer entities, respectively. The method includes creating a workspace for wireless vulnerability management for a customer entity on the security server and receiving configuration information associated with the workspace. The method also includes supplying one or more sniffers to the customer entity. The method includes receiving at the security server information associated with wireless activity monitored by the one or more sniffers at premises of the customer entity and processing the received information within the workspace for the customer entity using the security server. The method includes metering usage of the workspace for wireless vulnerability management for the customer entity. | 05-07-2009 |
20090119742 | Methods for authenticating and authorizing a mobile device using tunneled extensible authentication protocol - Methods for authenticating and authorizing a mobile device using tunneled extensible authentication protocol are provided. The methods include evaluating an inner user identifier against a policy engine to determine the home AAA server to which an access request for inner user authentication should be routed. Instead of having a static route configured based on an outer identifier/roaming identity, the policy engine can have multiple rules and actions for routing the request. The evaluation can be based on the inner user identifier and/or other AAA attributes received in the request. The request is transmitted within a secure communication tunnel. Several embodiments of evaluating an inner user identifier against a policy engine are described. | 05-07-2009 |
20090119743 | Method and system for generic real time management of devices on computers connected to a network - A method and system for enterprise device management allows the administrator to set a policy of forbidden devices, monitor devices used in the organization, provide alerts and notifications in case an unknown device is connected to a computer, and monitor or block connections of devices which do not comply with the security policy. A method for device management in a computer system comprises detecting connection of a device to the computer system and determining a reaction to perform in response to the connection, based on parameters related to the device and on device management rules. | 05-07-2009 |
20090119744 | DEVICE COMPONENT ROLL BACK PROTECTION SCHEME - Various embodiments of the present disclosure describe techniques for enforcing a subcomponent related security policy for closed computing systems. A closed computing system can include a list of subcomponents that identify the subcomponents it was manufactured with. The list can be used to determine if any currently attached subcomponents are different than the original ones. If a new subcomponent is detected, the device can perform a predetermined action in accordance with a security policy. | 05-07-2009 |
20090119745 | SYSTEM AND METHOD FOR PREVENTING PRIVATE INFORMATION FROM LEAKING OUT THROUGH ACCESS CONTEXT ANALYSIS IN PERSONAL MOBILE TERMINAL - A system for preventing private information from leaking out through access context analysis in a personal mobile terminal includes a private information manager that receives a private information leakage prevention policy, divides the policy into a plurality of private information leakage prevention rules, and transmits the plurality of rules to individual modules, respectively; a context analyzer that performs access context information analysis to obtain context information, when detecting a packet corresponding to a first rule, and transmits the context information; a packet analyzer that receives the context information, monitors packets transmitted to the outside through packet analysis, and transmits filtering information when detecting a packet corresponding to a second rule; and a private information leakage preventing unit that receives the filtering information and determines whether to allow or drop a packet corresponding to a third rule. | 05-07-2009 |
20090119746 | GLOBAL POLICY APPARATUS AND RELATED METHODS - A method of implementing requirements applicable to systems of an enterprise includes modeling the requirements as contents of policies applicable to target domains of the enterprise. The policy contents are integrated into a policy model. The policy model is adapted to obtain representations of domain-specific requirements corresponding to target systems in the target domains. The representations are integrated with the corresponding target systems to implement the domain-specific requirements. | 05-07-2009 |
20090119747 | PEER-TO-PEER NETWORK - In order to provide security within a peer-to-peer network ( | 05-07-2009 |
20090125972 | FEDERATED SINGLE SIGN-ON (F-SSO) REQUEST PROCESSING USING A TRUST CHAIN HAVING A CUSTOM MODULE - Federated single sign on (F-SSO) uses a token service that fulfills requests by executing a module chain comprising a set of modules. F-SSO runtime processing is enhanced by enabling a federated entity user to define a custom module to include in the chain. The custom module includes one or more name-value pairs, wherein a given name-value pair has a value that may be validated against an entity-defined rule. The rule is determined during the processing of the custom module based on one or more invocation parameters of the module chain. In a runtime operation, F-SSO begins in response to receipt of a token. In response, the processing of the module chain that includes the custom module is initiated. During processing of the custom module, an attempt is made to validate the value of a name-value pair based on the rule. If the value of the name-value pair based on the rule can be validated, processing of the module chain continues. This approach enables finer granularity on the information that can be asserted or required as part of an F-SSO flow. | 05-14-2009 |
20090125973 | METHOD FOR ANALYZING AND MANAGING UNSTRUCTURED DATA - A system and method for managing unstructured data that includes identifying at least one unstructured data environment with unstructured data, identifying mitigating controls in each of the unstructured data environments, the mitigating controls reducing a security risk associated with each of the unstructured data environments, and generating at least one process for managing the unstructured data in each of the unstructured data environments, the process including defining mitigating controls for managing the unstructured data in each of the unstructured data environments. | 05-14-2009 |
20090125974 | Method and system for enforcing trusted computing policies in a hypervisor security module architecture - A method and system for enforcing trusted computing (TC) policies in a security module architecture for a hypervisor. Upon receiving a request from a subject for access to an object, TC-related attribute values are obtained for the subject and the object based on a virtualized trusted platform module (vTPM). Access control decisions are then made based at least on the TC-related attribute values and TC-related policies. | 05-14-2009 |
20090125975 | Method for generating a plurality of unique secure numbers and card comprising such a number - A process is provided for enabling the generation of valid secure numbers during a given period, these secure numbers having an optimal security level, while preserving the possibility for creating additional numbers or increasing the security level in accordance with the requirements. In at least one embodiment, the method permits the generation of as many secure numbers as are required, while having a maximum security level, which reduces the risks of sending a random number allowing the assignment of entitlements or a credit. The contradictory parameters for the quantity of generated numbers and security can be corrected at any time. | 05-14-2009 |
20090125976 | AUTOMATED TEST INPUT GENERATION FOR WEB APPLICATIONS - A method and apparatus is disclosed herein for automated test input generation for web applications. In one embodiment, the method comprises performing a source-to-source transformation of the program; performing interpretation on the program based on a set of test input values; symbolically executing the program; recording a symbolic constraint for each of one or more conditional expressions encountered during execution of the program, including analyzing a string operation in the program to identify one or more possible execution paths, and generating symbolic inputs representing values of variables in each of the conditional expressions as a numeric expression and a string constraint including generating constraints on string values by modeling string operations using finite state transducers (FSTs) and supplying values from the program's execution in place of intractable sub-expressions; and generating new inputs to drive the program during a subsequent iteration based on results of solving the recorded string constraints. | 05-14-2009 |
20090125977 | LANGUAGE FRAMEWORK AND INFRASTRUCTURE FOR SAFE AND COMPOSABLE APPLICATIONS - A method and apparatus is disclosed herein for using a language framework for composable programs. In one embodiment, the method comprises accessing active content having a software component embedded therein, where the software component has a plurality of components that together implement a work flow of a sequence of activities, the plurality of components representing one or more external services, one or more user interface controls and one or more inputs and outputs; and executing the software component, including mediating communication between components using an information flow-based security model. | 05-14-2009 |
20090125978 | APPARATUS AND METHOD FOR MANAGING CONTENTS RIGHT OBJECT IN MOBILE COMMUNICATION TERMINAL - An apparatus and method for managing a contents right object in a mobile communication terminal are provided. In the method, when a system update event occurs, a valid right object of contents in the mobile communication terminal is encoded and the encoded right object is transmitted to a server. A system update is executed and then the server is requested to transmit the encoded right object. The encoded right object is received from the server and the received right object is decoded. | 05-14-2009 |
20090133096 | MICRO AND MACRO TRUST IN A DECENTRALIZED ENVIRONMENT - A method and system are disclosed. In one embodiment the method includes calculating a trust level of a first entity. The first entity has a plurality of components. Each component in the first entity has at least the trust level of the first entity. | 05-21-2009 |
20090133097 | Device, system, and method for provisioning trusted platform module policies to a virtual machine monitor - A method, apparatus and system for a trusted platform module accepting a customized integrity policy provisioned to a virtual machine monitor, verifying the security of a first policy object, for example, including the customized integrity policy, by comparing a counter associated with the first policy object with a counter associated with a second policy object, and customizing a virtual trusted platform module of the virtual machine monitor according to the first policy object, for example, when the first policy object is verified. The customized integrity policy may include user specified configurations for implementing a customized virtual environment. Other embodiments are described and claimed. | 05-21-2009 |
20090133098 | SERVICE MANAGEMENT SYSTEM AND METHOD OF EXECUTING A POLICY - A service management system and a method of executing a policy. In one embodiment, the service management system includes: (1) a repository configured to contain device, system, subscriber and service descriptions that define services in terms of a set of systems and devices that assume roles based on at least one of capabilities and attributes thereof and (2) a policy engine coupled to the repository and configured to employ the repository to identify end points relevant to a policy, identify services in which any of the end points play a role, identify subscribers having an identified device of the end points and a subscription to an identified service and cause the policy to be executed with respect to identified devices of identified subscribers and identified systems. | 05-21-2009 |
20090138937 | ENHANCED SECURITY AND PERFORMANCE OF WEB APPLICATIONS - A client-side enforcement mechanism may allow application security policies to be specified at a server in a programmatic manner. Servers may specify security policies as JavaScript functions included in a page returned by the server and run before other scripts. At runtime, and during initial loading, the functions are invoked by the client on each page modification to ensure the page conforms to the security policy. As such, before a mutation takes effect, the policy may transform that mutation and the code and data of the page. Replicated code execution may take place at both the client and the server, where the server runs its own shadow copy of the client-side application in a trusted execution environment so that the server may check that the method calls coming from the client correspond to a correct execution of the client-side application. The redundant execution at the client can be untrusted, but serves to improve the responsiveness and performance of the Web application. | 05-28-2009 |
20090138938 | System and Method for Auditing a Security Policy - A computerized system and method of automatically auditing a range of rules associated with an enforced security policy are provided. The method comprises automatically obtaining log records assigned to a first rule within the range of rules and logged during a counted period, each log record comprising a unique rule identifier and the recorded values of the arguments comprised in the rule; counting the number of records matching certain recorded values and logged within certain time intervals within the counted period (counted values); and automatically generating a counted log record assigned to the rule, said record comprising the unique rule identifier, the counted period, the recorded values of the rule arguments and the respective counted values. The method further comprises obtaining a plurality of objects engaged in the first rule; resolving a first object among them to a set of resolved values; matching the resolved values to the recorded values of the respective arguments in the counted log record assigned to the rule; counting each match in accordance with the respective counted value, thus giving rise to a plurality of matching values for the resolved values; and using the plurality of matching values for analysis related to usage of the first object. | 05-28-2009 |
20090138939 | SYSTEM AND METHOD FOR INFERRING ACCESS POLICIES FROM ACCESS EVENT RECORDS - A method of security gateway policy definition to quickly infer a new policy based on event data extracted and analyzed using business logic and workflow from a gateway event log or behavior log. The method includes reading the components of a log record, translating the components into acceptable policy attributes, creating a new policy based on those attributes, and presenting the new policy to a system administrator for editing and approval. | 05-28-2009 |
20090138940 | METHOD FOR ENFORCING CONTEXT MODEL BASED SERVICE-ORIENTED ARCHITECTURE POLICIES AND POLICY ENGINE - A method for enforcing context model based Service-Oriented Architecture (SOA) policies is provided, which includes: gathering instance documents related to policy enforcement according to a business requirement; generating an instantiated context model using the gathered instance documents; generating a policy set to be enforced according to the gathered instance documents; determining an enforcement sequence of policies in the policy set; and applying the policies to the instantiated context model according to the enforcement sequence. The method for enforcing context model based SOA policies may flexibly gather the instance documents according to scenarios and purposes of the policy enforcement to define the policy scope, such as project, application, service, etc., and may be applied to various types of the SOA policies. In addition, a policy engine for enforcing context model based SOA policies is provided. | 05-28-2009 |
20090144798 | Optimized peer-to-peer mobile communications - A customer can control access to information about the customer stored in a database by selecting one or more policies, where each policy specifies conditions and/or rules for accessing information associated with the policy, and for each selected policy the user selects portions of the customer's information for association with the selected policy. The customer can create or specify one or more policies for accessing information. In another method, information about the customer stored in the database includes personal information about the customer, including contact information for people associated with the customer, and facts about the customer, e.g., contact information for family members, professionals who provide service (e.g. doctor, lawyer, banker), emergency contacts, and medical information, for example blood type, allergies, medications, organ donor status. | 06-04-2009 |
20090144799 | METHOD AND SYSTEM FOR SECURELY TRANSMITTING DETERRENT DATA - A method for securely transmitting deterrent data includes generating a deterrent having a predesigned number and configuration of glyphs having deterrent data therein, and transmitting a portion of the deterrent data from a subset of the glyphs without transmitting deterrent data from a remainder of the glyphs. The glyphs form a predetermined structure with a single solution. The method further includes receiving the portion of the deterrent data, placing the portion of the deterrent data into the subset of the glyphs, and solving the predetermined structure with the single solution, thereby determining the remainder of the glyphs to be infilled in the predetermined structure with deterrent data gleaned from the solution. | 06-04-2009 |
20090144800 | AUTOMATED CLUSTER MEMBER MANAGEMENT BASED ON NODE CAPABILITIES - Embodiments of the present invention provide a method, system and computer program product for automated cluster member management based on node capabilities. In one embodiment of the invention, a method for automated cluster member management based on node capabilities can be provided. The method can include defining a membership policy for a cluster, the membership policy specifying a nodal configuration required for a node in a cluster. The method further can include evaluating different nodes in a computing environment against the membership policy for the cluster. Finally, the method can include associating cluster members in the cluster to only those of the nodes having respective configurations meeting the nodal configuration of the membership policy. Likewise, the method can include evaluating nodes already in the cluster, and disassociating cluster members in the cluster from those of the nodes having respective configurations failing to meet the nodal configuration of the membership policy. | 06-04-2009 |
20090144801 | METHODS AND SYSTEMS FOR SEARCHING FOR SECURE FILE TRANSMISSION - Described herein are methods and systems for managing and controlling the distribution of digital media. A first media file is associated with first media content and with first metadata providing one or more rules constraining how and/or what second media content can be played in conjunction with the first media content. Optionally, included in the first media file is a locator associated with the second media content which is to be accessed over a network when the first media content is played via a terminal player which receives the first media file. | 06-04-2009 |
20090144802 | Large scale identity management - Methods of designing, structuring and operating an Identity Management provisioning solution over multiple sets of hardware/software platforms are organized by “area of expertise” to better utilize IdM deployment and support team resources for subject matter expertise, improving quality, consolidating resources, and significantly reducing the cost of IdM deployment and operation, across the entire MSP customer base. For example, IdM events originate in a source system platform and flow into a large scale Identity Management infrastructure platform, where IdM event filtering occurs, source system lookups or source system exports occur, provisioning policies or rules are applied to determine which accounts and/or entitlements need to be provisioned or de-provisioned in target connected systems, and target system imports are executed to accomplish the provisioning or de-provisioning activities. | 06-04-2009 |
20090144803 | Computer-Implemented Method for Role Discovery and Simplification in Access Control Systems - A method includes selecting a first biclique role in a plurality of roles and finding all roles in the plurality that have a set of vertices of a second type that is a subset of a set of vertices of the second type in the first role; removing each of the subsets from the set of vertices of the second type corresponding to the first role; and reassigning the vertices of the first type to the roles such that original associations between the vertices of the first type and the vertices of the second type are maintained. | 06-04-2009 |
20090150968 | Method and apparatus for managing and displaying contact authentication in a peer-to-peer collaboration system - Proper user-to-data associations are maintained in shared spaces created in a peer-to-peer collaborative system by means of a simplified and minimal user interface that permits users to easily authenticate other members of a shared space. In particular, support is provided for automatically building authenticated relationships even if users do not take the time to authenticate other users. When a user enters a shared space and views the contacts in that space, the display names of each contact are accompanied by distinctive icons that identify the authentication status of that contact. A mechanism is provided for resolving conflicts between contacts with the same display names to prevent confusion and contact “spoofing.” Security policies can be established to provide a uniform approach to authentication. These policies can be set by a user or, alternatively, the policies can be set by an administrator. | 06-11-2009 |
20090150969 | Filtering Policies to Enable Selection of Policy Subsets - A policy filter enables selection of a subset policy alternative that meets certain criteria from amongst a set of policy alternatives without having to specify the entire contents of the alternative to be selected. More specifically, the policy filter simplifies the process of selecting an appropriate alternative from amongst a set of available policy alternatives when the selection criteria comprise only a subset of the behaviors implied by an alternative, by reducing the set of available alternatives to those that satisfy certain criteria. | 06-11-2009 |
20090150970 | Data Fading to Secure Data on Mobile Client Devices - Methods, systems, and computer program products to secure data stored on mobile client devices are provided. In an embodiment, the method operates by defining one or more security policies. Each security policy comprises a plurality of security policy parameters. The method stores the security policies in a data store, and selects a security policy from among the stored security policies for a mobile client device. The selected security policy is applied to the mobile client device. The mobile client device determines whether it is in compliance with parameters of said selected security policy, and performs data fade actions if it is determined that it is out of compliance with said security policy parameters. | 06-11-2009 |
20090150971 | TECHNIQUES FOR DYNAMIC GENERATION AND MANAGEMENT OF PASSWORD DICTIONARIES - Techniques for dynamic generation and management of password dictionaries are presented. Passwords are parsed for recognizable terms. The terms are housed in dictionaries or databases. Statistics associated with the terms are maintained and managed. The statistics are used to provide strength values to the passwords and determine when passwords are acceptable and unacceptable. | 06-11-2009 |
20090150972 | APPARATUS AND METHOD FOR MANAGING P2P TRAFFIC - The invention relates to a P2P traffic management apparatus and method. A P2P flow agent monitors an executed application program to extract a P2P application program, adds application identifiers to packets generated by the application program according to a set policy, and transmits the packets. In this case, a P2P security gateway monitors the inflowing packets from the P2P flow agent to extract packets having the application identifiers, uses the extracted application identifiers to inquire and acquire a related policy, and controls the packets according to the acquired policy. | 06-11-2009 |
20090150973 | ACCESS CONTROL METHOD AND SYSTEM FOR MULTIPLE ACCESSING ENTITIES - An access control method and system for multiple accessing entities are provided. The access control method includes generating a plurality of integrated identifiers (IDs) respectively corresponding to a plurality of individual ID groups, each having the individual IDs of a number of entities; if multiple accessing entities issue a request for access to a service, extracting an integrated ID corresponding to a list of the individual IDs of the multiple accessing entities; and searching for an access control policy corresponding to the extracted integrated ID and the ID of the service and performing access control on the multiple accessing entities according to the identified access control policy. Therefore, it is possible to efficiently control the access of multiple accessing entities to a service. | 06-11-2009 |
20090158384 | DISTRIBUTION OF INFORMATION PROTECTION POLICIES TO CLIENT MACHINES - One embodiment includes a method which may be practiced in a computing environment where resources are distributed. The method includes acts for obtaining policy information defining restrictions on resources distributed in the computing environment. The method includes sending a request to a server for metadata about one or more resource protection policies at the server. In response to the request, metadata about one or more resource protection policies at the server is received from the server. The metadata from the server is analyzed. Based on analyzing the metadata, one or more resource protection policies stored at the client are updated. | 06-18-2009 |
20090158385 | Apparatus and method for automatically generating SELinux security policy based on SELT - Provided is an apparatus and method for automatically generating a SELinux security policy based on SELT. In the method, process generation is prepared by receiving execution file names of a program destined for policy generation. A system call log, which is traced by generating a process by executing the received execution file of the program, is stored. The traced system call log is purified into data necessary for generation of a security policy. Objects are grouped in consideration of the relationship between the objects based on the purified information. A normalized data structure is recorded in an SELT description language format using a security policy file. Duplication and collision between the generated SELT security policy and the previous security policy in a system are detected. | 06-18-2009 |
20090158386 | METHOD AND APPARATUS FOR CHECKING FIREWALL POLICY - A method and apparatus for checking for vulnerabilities in a firewall policy used in a firewall system are provided. The method includes determining whether a target firewall policy is for an existing firewall system or a new firewall system, when the target firewall policy is for the existing firewall system, checking for errors in the target firewall policy by comparing the target firewall policy with an existing firewall policy applied to the existing firewall system, and when the target firewall policy is for the new firewall system, checking for errors in the target firewall policy by simulating a state in which the target firewall policy is applied to the new firewall system. | 06-18-2009 |
20090158387 | CONTROL SYSTEM AND METHOD - A control system includes a user management server or server group, a Service Policy Decision Function (SPDF) server, an Access-Resource and Admission Control Function (A-RACF) server, and a control interface located between the user management server or server group and the SPDF server for transmitting the information. In addition, a control method using the control system above and a control device are provided. By the technical solutions above, when there are many access network operators connecting to the uniform network operation operator, the problem that the SPDF server searches the A-RACF server is solved, and the user information is acquired by setting the interface between the SPDF server and the user management server or server group. | 06-18-2009 |
20090165076 | METHOD, SYSTEM, AND COMPUTER PROGRAM PRODUCT FOR DATA SECURITY POLICY ENFORCEMENT - A method for data security policy enforcement including inspecting incoming and outgoing data packets from a server computing device for attributes in accordance with a data security policy, processing the data packets in accordance with the security policy based on the inspected attributes, and routing the data packets in accordance with the security policy based on the inspected attributes, wherein incoming and outgoing data from the server computing device composed of the data packets is processed and routed in accordance with the security policy on a per-packet basis. A system and computer program product is also provided. | 06-25-2009 |
20090165077 | Method, Apparatus and Computer Program Product for Secure Software Installation - A method, apparatus and computer program product are provided for secure software download or installation. In this regard, sensory notifications and cognitive activities are implemented prior to proceeding to a download or installation procedure. For example, a sensory notification can be provided if security attributes of software are noncompliant with security preferences. Additionally, performance of a task can be required if security attributes of software are noncompliant with the security preferences prior to installation of the software, wherein requiring performance of a task comprises selecting the task such that the task is variable from one installation of the software to another installation of the software. | 06-25-2009 |
20090165078 | MANAGING POLICY RULES AND ASSOCIATED POLICY COMPONENTS - A method for modifying policy elements is disclosed. At least one reusable policy element ( | 06-25-2009 |
20090165079 | Deriving Service Provider Constraints From Service Consumer Context - A context for a service request made by a service consumer can be used to establish a constraint rules set that is applied by a service provider. A context associated with a first service request can be received from a service consumer. An identity of the service consumer can be verified. A constraint value request associated with the service request can be received from a service provider responding to the service request. One or more constraints can be derived from the first context. An identity of a service provider that will fulfill the service request can be verified. The one or more constraints can be provided to the service provider. Related systems, apparatus, methods, and/or articles are also described. | 06-25-2009 |
20090165080 | GENERIC RIGHTS TOKEN AND DRM-RELATED SERVICE POINTERS IN A COMMON PROTECTED CONTENT FILE - Methods and systems of rendering content on a device having a native digital rights management (DRM) system are described. A device, such as an end-user device capable of executing or playing content, acquires content in a common content format file having standardized locations for specific types of data. A generic digital rights token associated with the content is obtained by utilizing one of the standardized locations in the content format file, where the rights token contains information sufficient to allow retrieval of the rights associated with the content. Utilizing data in another of the standardized locations, it is then determined whether the device is registered in a domain. A license server directory may be accessed utilizing data in another of the standardized locations in the common content format file and a domain identifier, a device identifier, or both are transmitted to the license server directory. A native DRM system trigger is received and, upon activation of the trigger, a native DRM license is acquired, thereby enabling rendering of the content in the common content format file on the device. | 06-25-2009 |
20090165081 | TRUSTED MULTI-STAKEHOLDER ENVIRONMENT - In one embodiment, a multi-stakeholder environment is controlled by first assigning a first domain to a first stakeholder and a second domain to a second stakeholder. Then a first access policy is defined for the first domain and access is restricted to the first domain for the second stakeholder according to the first access policy. In another embodiment, an access request is handled in a multi-stakeholder environment by first receiving parameters forwarded by hooks in system call functions in a kernel of the multi-stakeholder environment, wherein the parameters contain information about a first stakeholder requesting access to a domain corresponding to a second stakeholder. Then it is determined whether to allow the first stakeholder to access the domain based at least partially upon security settings corresponding to the domain. | 06-25-2009 |
20090165082 | DIRECTORY INFRASTRUCTURE FOR SOCIAL NETWORKING WEB APPLICATION SERVICES - A computer-implemented method of implementing information security. The method can include receiving a user input comprising a first user identifier and at least a second user identifier, determining whether the first user identifier corresponds to at least one of a plurality of existing user profiles, and determining whether the second user identifier corresponds to at least one of the plurality of existing user profiles. When it is determined that the first user identifier does not correspond to at least one of the plurality of existing user profiles, but that the second user identifier does correspond to at least one of the plurality of existing user profiles, the method can include selecting the user profile to which the second user identifier corresponds, automatically generating a unique user identifier, and associating the unique user identifier with the selected user profile. | 06-25-2009 |
20090165083 | METHOD AND APPARATUS FOR MANAGING POLICIES FOR TIME-BASED LICENSES ON MOBILE DEVICES - Methods and devices provide for creating, managing, modifying, and/or enforcing flexible digital rights management license policies for protecting games, media, data, or other software with a time-based license. Embodiments are especially directed toward situations in which a source of time is unavailable, untrustworthy, or unreliable. Licenses are defined by a small number of parameters. Parameter values may be defined by and included with protected content or applications. The parameter values may be chosen to define and enforce a desired level of compromise between usability and security characteristics. | 06-25-2009 |
20090165084 | SECURITY POLICY SWITCHING DEVICE, SECURITY POLICY MANAGEMENT SYSTEM, AND STORAGE MEDIUM - A security policy switching device includes a policy information storage that stores policy setting information and identification information of a policy in correspondence to each other, the policy setting information including setting content of the policy and identification information of a user to whom the policy is attached, a data information storage that stores identification information of data for which a policy is set and identification information of a policy attached to the data in correspondence to each other, and a policy switching unit that switches, in response to a switching request designating identification information of data for which the policy is to be switched and identification information of a user instructing the switch, a policy attached to the data by updating identification information of the policy attached to the data stored in the data information storage with identification information of another policy. | 06-25-2009 |
20090172768 | METHODS AND APPARATUS FOR OPERATING EMBEDDED INFORMATION TECHNOLOGY APPLICATIONS WITH A SERVICE OPERATING SYSTEM - A method includes setting a rule policy with an embedded information technology application. The method further includes parsing the policy rule from a policy engine to a context engine. The method further includes determining a computing device condition with the context engine based upon the parsed policy rule. The method further includes notifying the policy engine with the context engine if the computing device condition has changed from a first condition to a second condition. The method further includes, in response to the computing device condition changing from the first condition to the second condition, executing an action according to the parsed policy rule. An associated system and machine readable medium are also disclosed. | 07-02-2009 |
20090172769 | PROGRAMMATIC VALIDATION IN AN INFORMATION TECHNOLOGY ENVIRONMENT - Programmatically validating service level policies established for business applications of an Information Technology environment. The programmatic validation predicts whether the policies are achievable within the environment. Examples of service level policies include quantitative goals, redundancy levels and resource use. | 07-02-2009 |
20090172770 | METHOD AND APPARATUS FOR RENTING COMPUTER PERIPHERAL DEVICES IN-SITU - Embodiments of a system for renting one or more peripheral devices to a proximally disposed mobile device are disclosed herein. In some embodiments, a peripheral manager is configured to facilitate access to the one or more peripheral devices by the mobile device. The peripheral manager may also facilitate identification and/or authentication of the mobile device and/or its user, determine an access privilege of the mobile device and/or its user, and accept payment in exchange for the access by the mobile device and/or its user. Other embodiments are described and claimed. | 07-02-2009 |
20090172771 | SYSTEMS AND METHODS FOR SITUATION SEMANTICS BASED MANAGEMENT OF POLICY ENABLED COMMUNICATION SYSTEMS - Communication nodes, systems and methods are described which manage and process management information using semantic variable entities governed by a formal logic and upon which computations can be performed. Such semantic variable entities include, for example, management infons and/or management situations which can be used, for example, to manage policy enforcement in communication networks. | 07-02-2009 |
20090172772 | METHOD AND SYSTEM FOR PROCESSING SECURITY DATA OF A COMPUTER NETWORK - Method of processing security data of a computer network (R) including a plurality of users (U | 07-02-2009 |
20090172773 | Syndicating Surgical Data In A Healthcare Environment - Disclosed herein are systems and methods for syndication and management of structured and unstructured data to assist institutional healthcare delivery, healthcare providers' practices, healthcare providers' group practices, collaborative academic research and decision making in healthcare, including through the utilization of medical devices and healthcare pools. | 07-02-2009 |
20090172774 | METHOD AND SYSTEM FOR DISTRIBUTING SECURITY POLICIES - A method and system for distributing and enforcing security policies is provided. A firewall agent executing at a host computer system that is to be protected receives security policies for the enforcement engines responsible for enforcing the security policies on the host computer system. A security policy has rules that each provide a condition and action to be performed when the condition is satisfied. A rule also has a rule type that is used by the distribution system to identify the security components that are responsible for enforcing the rules. To distribute the security policies that have been received at a host computer system, the firewall agent identifies to which enforcement engine a rule applies based in part on rule type. The firewall agent then distributes the rule to the identified enforcement engine, which then enforces the rule. | 07-02-2009 |
20090178102 | Implementing Security Policies in Software Development Tools - Disclosed is an access and information flow control framework that includes a series of phases. The first phase includes: receiving raw authorization requirement(s); creating authorization requirement representation(s) from the raw authorization requirement(s) using a language; and analyzing the authorization requirement representation(s) to ensure that they are consistent and conflict-free. The second phase includes: creating use case authorization(s) from the authorization requirement representation(s) and validating consistency between the authorization requirement representation(s) and the use case authorization(s). The use case authorization may be created by propagating the authorization requirement representation(s) to a subject hierarchy; enumerating implicit authorization(s) derived from the authorization requirement representation(s); resolving inconsistencies in the use case authorization(s); and completing incomplete use case authorization(s). The third phase includes: receiving raw information flow requirement(s); creating information flow requirement representation(s) from the raw information flow requirement(s) using a language; creating propagated information flow requirement(s) by propagating the information flow requirement representation(s) to a subject hierarchy; creating at least one enumerated information flow requirement by enumerating possible direct and indirect information flow requirement(s) derived from the information flow requirement representation(s) and the propagated information flow requirement(s); generating filtered enumerated information flow requirement(s) by filtering enumerated information flow requirement(s); and ensuring that the filtered enumerated information flow requirement(s) are consistent with an information flow policy. The fourth phase includes: creating operation authorization(s); resolving inconsistencies in the operation authorization(s); and ensuring that the operation authorization(s) are conflict-free; and handling errors in any of the earlier phases. | 07-09-2009 |
20090178103 | SPECIFYING AND ENFORCING AT LEAST ONE RUN-TIME POLICY FOR AT LEAST ONE COMPUTER PROCESS EXECUTING ON A COMPUTER SYSTEM - The present invention provides a method and system of specifying and enforcing at least one run-time policy for at least one computer process executing on a computer system, where the computer system includes a computer operating system. In an exemplary embodiment, the method and system include (1) relating the policy with an executable file of the process, (2) associating the policy with a running instance of the process, and (3) enforcing the policy on the running instance. | 07-09-2009 |
20090178104 | METHOD AND SYSTEM FOR A MULTI-LEVEL SECURITY ASSOCIATION LOOKUP SCHEME FOR INTERNET PROTOCOL SECURITY - Methods and systems for data communication are disclosed and may include utilizing a multi-level lookup process for determining IPsec parameters from a security association database. The security association database may be stored in content addressable memory, and may include an Internet protocol address table, a security association lookup table, and a security association context table. The security association lookup and security association context tables may include a single table. An Internet protocol address table index may be looked up in the Internet protocol address table for a first lookup of the multi-level lookup process. A security protocol index may be looked up utilizing the Internet protocol address table index for a second lookup of the multi-level lookup process. The Internet protocol security parameters may be determined utilizing the security protocol index. IPsec processing may be performed utilizing the determined Internet protocol security parameters. | 07-09-2009 |
20090178105 | REDUCING OVERHEAD ASSOCIATED WITH DISTRIBUTED PASSWORD POLICY ENFORCEMENT OPERATIONS - A computer implemented method, data processing system, and computer program product for reducing the overhead associated with distributed password policy enforcement operations using a proxy server. When a proxy server provides a request from a client to a backend directory server, the proxy server determines whether a password policy check is required to be performed at the backend directory server. If a password policy check is not required to be performed at the backend directory server, the proxy server sends the client request together with a skip password policy control to the backend directory server. This skip password policy control informs the backend directory server to skip the password policy check on the client request. | 07-09-2009 |
20090178106 | PASSWORD POLICY ENFORCEMENT IN A DISTRIBUTED DIRECTORY WHEN POLICY INFORMATION IS DISTRIBUTED - A computer implemented method, data processing system, and computer program product for password policy enforcement in a distributed directory when policy information is distributed. When a proxy server is providing a request from a client to a backend directory server, the proxy server performs a series of LDAP operations on a targeted set of backend directory servers to collect password policy information applicable to a target user. The password policy information applicable to the target user is partitioned and distributed across the plurality of backend directory servers. When the password policy information for the target user has been collected, the proxy server evaluates the collected password policy information to determine an effective password policy for the target user. The proxy server then sends the request and subsequent requests with the effective password policy to a backend directory server. | 07-09-2009 |
20090178107 | ACCESS CONTROL POLICY CONVERSION - Methods and apparatus are provided for generating an access control policy data structure for a single-authorization-query access control system from a source policy data structure of an access control system in which primary authorizations can be subject to auxiliary constraints. Authorizations in the data structures are defined in terms of subject, resource and action elements. For each resource in a set of resources in the source policy data structure, the data structure is analyzed to identify primary authorizations relating to that resource. For each primary authorization, policy data which represents a policy defining an access rule expressing that authorization is generated and stored in system memory and analyzed to identify any auxiliary constraints associated with that primary authorization. For each auxiliary constraint so identified, policy data is generated and stored in system memory. | 07-09-2009 |
20090178108 | ENTERPRISE SECURITY ASSESSMENT SHARING FOR OFF-PREMISE USERS USING GLOBALLY DISTRIBUTED INFRASTRUCTURE - Secure content management is enabled as a cloud-based service through which security protection and policy enforcement may be implemented for both on-premise network users and off-premise or roaming users. The global SCM service integrates the security functionalities—such as anti-virus, spyware, and phishing protection, firewall, intrusion detection, centralized management, and the like—that are typically provided by enterprise network SCM appliance hardware or servers into a cloud-based service that users reach via Internet-based points-of-presence (“POPs”). The POPs are configured with forward proxy servers, and in some implementations, caching and network acceleration components, and coupled to hubs which provide configuration management and identity management services such as active directory services. | 07-09-2009 |
20090178109 | Authentication in a globally distributed infrastructure for secure content management - Secure content management is enabled as a cloud-based service through which security protection and policy enforcement may be implemented for both on-premise network users and roaming users. The global SCM service integrates the security functionalities—such as anti-virus, spyware, and phishing protection, firewall, intrusion detection, centralized management, and the like—that are typically provided by enterprise network SCM appliance hardware or servers into a cloud-based service that users reach via Internet-based points-of-presence (“POPs”). The POPs are configured with forward proxy servers, and in some implementations, caching and network acceleration components, and coupled to hubs which provide configuration management and identity management services such as active directory services. | 07-09-2009 |
20090178110 | Communication Control Device, Communication Control System, Communication Control Method, and Communication Control Program - The communication control device of the present invention includes: a communication parameter acquisition means ( | 07-09-2009 |
20090178111 | SYSTEM AND METHOD FOR MAINTAINING SECURITY IN A DISTRIBUTED COMPUTER NETWORK - A system for maintaining security in a distributed computing environment comprises a policy manager located on a server to maintain policy data files and distribute local security policies to a plurality of clients, and a plurality of application guards, wherein each application guard is located at one of the plurality of clients to manage access by individual transactions to at least one application associated with the application guard, wherein the application guard controls access to the application based on a local security policy received from the policy manager. | 07-09-2009 |
20090178112 | LEVEL OF SERVICE DESCRIPTORS - An apparatus can include a client having a card selector, a query generator, and a transmitter. The card selector can allow a user to select an information card based on a security policy. The card selector can also provide a security token in response to the selected information card. The query generator can generate a query based on the selected information card, wherein the query pertains to information about features that are available on a relying party based on the security token and independent of a user's identity. The transmitter can transmit the generated query and the security token to an endpoint on the relying party. | 07-09-2009 |
20090183225 | PLUGGABLE MODULES FOR TERMINAL SERVICES - Embodiments that facilitate the use of pluggable policy modules and authentication modules for access to a Terminal Services (TS) server are disclosed. In accordance with various embodiments, a method includes accessing one or more pluggable modules at a Terminal Services Gateway (TSG) server or a Terminal Services (TS) server. The method further includes processing a TS server access request from a TS client at the TSG server or the TS server. The TS server access request is processed in part based on the one or more pluggable modules. In one particular embodiment, the one or more pluggable modules include at least one of a connection authorization policy (CAP) module, a resource authorization policy (RAP) module, and an authentication module. | 07-16-2009 |
20090183226 | Systems and Methods for Identity-Based Communication Gate for Social Networks - Systems and methods are disclosed that provide for control of online communication services, including social networks and video games. In some embodiments, parents of children engaging in activities using online communication services can control who their child can engage in communications with, while using online communication services. In some embodiments, parents can monitor potentially problematic communications between their child and other subscribers of an online communication service. Thus, subscribers of online communication services can be prevented from misrepresenting themselves or concealing important information, including age and gender. | 07-16-2009 |
20090183227 | Secure Runtime Execution of Web Script Content on a Client - Method for ensuring security of online content on a client device. Online content is rendered on a display on the client device and the client device stores one or more policies each defining an execution boundary of a web script content. The execution boundary defines resource access of the web script content, and the web script content is configured to issue an execution invocation to interact with other portions of the online content. The issued execution invocation is intercepted and parameters included in the intercepted execution invocation are identified. The identified parameters request resources from an application or the client device for interacting with the other portions of the online content. The identified parameters are evaluated against the execution boundary of each of the policies stored in the client device. A dynamic resolution is provided to the web script content in response to the evaluating. | 07-16-2009 |
20090183228 | Method for managing usage authorizations in a data processing network and a data processing network - To facilitate the work of a user with a data processing network with a number of security levels of the applications and functions to be executed, a method is proposed for managing usage authorizations in this data processing network. In at least one embodiment of the method, when a user logs in at a work station, at least one role stored in a central authorization register is allocated to the user; when an application is called up, a local security module of the application determines which authorizations are granted for the role of the user; and if there is no authorization for an application-related action, a central security module accesses a central collection of security rules (the security rules indicating the circumstances in which, when a user's authorizations are not sufficient to carry out the application-related action, the user can still carry it out), determines whether according to at least one of the security rules a usage authority is possible for the application-related action, and offers this to the user. | 07-16-2009 |
20090187962 | METHODS, DEVICES, AND COMPUTER PROGRAM PRODUCTS FOR POLICY-DRIVEN ADAPTIVE MULTI-FACTOR AUTHENTICATION - Embodiments of the invention include methods for providing policy-driven, adaptive, multi-factor authentication procedures. A pool of potential authentication challenges is defined. Each of the potential authentication challenges is assigned a category and a weighted difficulty level. One or more authentication challenges are selected from the pool of potential authentication challenges using one or more security policies that are based upon the assigned category and the assigned weighted difficulty level, wherein a quantity of authentication challenges is determined using the one or more security policies. One or more historical access patterns are utilized in conjunction with the selected one or more authentication challenges to authenticate a user, wherein the historical access patterns include at least one of an access time or an access location. One or more dummy challenges are used to authenticate the user. | 07-23-2009 |
20090187963 | Method and apparatus for a cryptographically assisted computer system designed to deter viruses and malware via enforced accountability - The present invention provides a method and apparatus for a cryptographically assisted computer system designed to deter viruses and malware via enforced accountability and access policies. The Security Enforcement System ( | 07-23-2009 |
20090187964 | Applying Security Policies to Multiple Systems and Controlling Policy Propagation - A method and apparatus for attaching security policies to secured computing systems is provided. A security policy is attached to a parent domain. The parent domain includes a first secured computing system. The security policy is a natural language description for controlling access to the secured computing system. Upon determining that the parent domain propagates the security policy, a first generation child domain is identified. The first generation child domain includes a second secured computing system. The first generation child domain is associated with the parent domain in a hierarchical relationship. It is determined that the first generation child domain inherits the security policy based on an inheritance rule. The security policy is attached to the first generation child domain. | 07-23-2009 |
20090187965 | ELECTRONIC APPARATUS, METHOD FOR CONTROLLING FUNCTIONS OF THE APPARATUS AND SERVER - An electronic apparatus, having functions on which use limitations can be imposed, in which a variety of functions are loaded on the electronic apparatus by hardware circuitry or by computer programs. Use of a certain function(s) is limited by setting a function limiting flag to “1”, provided that other function(s) are usable within a period of a preset number of days of possible test use. An application is made from the apparatus to a key issuing source for purchasing usable functions. The key issuing source then issues a limitation removing key. The limitation removing key may be acquired from the key issuing source by a mobile phone terminal and transmitted to the apparatus by infrared ray communication. The apparatus rewrites the function limiting flag by this limitation removing key. If the number of days of actual test use has reached the number of days of possible test use, the CPU of the apparatus does not carry out the function(s) whose function limiting flag is “1”. | 07-23-2009 |
20090187966 | NEAR REAL-TIME MULTI-PARTY TASK AUTHORIZATION ACCESS CONTROL - A method and apparatus are used in determining authorization to perform tasks in a computer environment, and specifically requiring multiple parties to authorize a task before access is granted. The present system provides for substantially real time communication to a second party authorizer when a task owner is attempting to perform a task. | 07-23-2009 |
20090187967 | ENHANCEMENTS TO DATA-DRIVEN MEDIA MANAGEMENT WITHIN AN ELECTRONIC DEVICE - A centralized resource manager manages the routing of audio or visual information within a device, including a handheld device such as a smartphone. The resource manager evaluates data-driven policies to determine how to route audio or visual information to or from various input or output components connected to the device, including headphones, built-in speakers, microphones, Bluetooth headsets, cameras, and so on. Among the data considered in the policies are connection status data, indicating if a device is connected, routing status data, indicating if a device is permitted to route information to or from a component, and grouping data, indicating logical relationships between various components. Components may be considered inherently routable, automatically routable, or optionally routable. Numerous other uses exist for such data, including providing simpler and more logical management interfaces. | 07-23-2009 |
20090187968 | SYSTEM AND METHOD FOR DYNAMIC NETWORK POLICY MANAGEMENT - A system and method that provides dynamic network policy management. The system enables a network administrator to regulate usage of network services upon initiation of and throughout network sessions. The system employs a method of identifying selectable characteristics of attached functions to establish static and dynamic policies, which policies may be amended before, during and after any session throughout the network based on the monitored detection of any of a number of specified triggering events or activities. Particular policies associated with a particular identified attached function in prior sessions may be cached or saved and employed in subsequent sessions to provide network usage permissions more rapidly in such subsequent sessions. The cached or saved policy information may also be used to identify network usage, control, and security. The system and method of the present invention provides static and dynamic policy allocation for network usage provisioning. | 07-23-2009 |
20090193491 | SECURE ELEMENT MANAGER - In one embodiment, a computing device may comprise system hardware, system firmware, one or more secure elements and one or more secure element management modules. The secure element may enable access to goods or services. In some embodiments, the operational status of an embedded secure element may be modified by a secure element management module through addition of hardware, communication with a server or the like. | 07-30-2009 |
20090193492 | METHOD FOR INFORMATION TRACKING IN MULTIPLE INTERDEPENDENT DIMENSIONS - A method for information flow tracking is provided using, for example, a functional programming language based on lambda calculus, λ | 07-30-2009 |
20090193493 | ACCESS POLICY ANALYSIS - Software tools assist an access-policy analyst or creator to debug and/or author access policies. An access request contains a query that evaluates to either true or false depending on whether access is to be allowed. Abduction may be used to generate assumptions that, if true, would cause the access request to be true. The tool may perform analysis on the generated assumptions, such as: comparing the assumptions with tokens to detect errors in the tokens or to suggest changes to the tokens that would cause the query to be satisfied, or comparing the assumptions to a meta-policy. The tool may allow an analyst, policy author, or other person to interactively walk through assumptions in order to see the implications of the access policy. | 07-30-2009 |
20090193494 | MANAGING ACTIONS OF VIRTUAL ACTORS IN A VIRTUAL ENVIRONMENT - A method, system, and computer usable program product for monitoring the actions of a virtual actor are provided in the illustrative embodiments. An interaction of the virtual actor acting in a role is detected. A set of policies is applied to the interaction. The set of policies includes an auditing policy. Auditing according to the auditing policy is determined based on the role of the virtual actor. | 07-30-2009 |
20090193495 | SYSTEM AND METHODS FOR EFFICIENTLY CLASSIFYING AND SELECTING AMONG SECURITY POLICY ALTERNATIVES FOR OUTBOUND NETWORK COMMUNICATIONS - A computer-implemented method of selecting among a plurality of endpoint policy alternatives to apply to a message conveyed over a data communications network is provided. The method can include assigning a score to each of the plurality of endpoint policy alternatives, wherein an assigned score is based upon policy assertions of the endpoint policy alternative to which the score is assigned. The method can further include selecting, according to a predetermined selection criterion, one of the plurality of endpoint policy alternatives based upon the assigned scores. | 07-30-2009 |
20090193496 | DETECTION OF HARDWARE-BASED VIRTUAL MACHINE ENVIRONMENT - A method and a processing device are provided for detecting a hardware-based virtual machine environment. An execution time of a privileged instruction may be measured and an execution time of a nonprivileged instruction may be measured. The execution time of the privileged instruction may be compared with the execution time of the nonprivileged instruction. When the execution time of the privileged instruction exceeds the execution time of the nonprivileged instruction by at least a threshold or a threshold factor, then a hardware-based virtual machine environment is detected. In some embodiments, a well-known technique for detecting a software-based virtual machine environment may be used in conjunction with a technique for detecting a hardware-based virtual machine environment. A licensing policy of a software product may be accessed and the software product may be prevented from executing when a detected machine environment is in violation of the licensing policy. | 07-30-2009 |
20090193497 | METHOD AND APPARATUS FOR CONSTRUCTING SECURITY POLICIES FOR WEB CONTENT INSTRUMENTATION AGAINST BROWSER-BASED ATTACKS - A method and apparatus is disclosed herein for constructing security policies for content instrumentation against attacks. In one embodiment, the method comprises constructing one or more security policies for web content using at least one rewriting template, at least one edit automata policy, or at least one policy template; and rewriting a script program in a document to cause behavior resulting from execution of the script to conform to the one or more policies. | 07-30-2009 |
20090193498 | SYSTEMS AND METHODS FOR FINE GRAIN POLICY DRIVEN CLIENTLESS SSL VPN ACCESS - The present disclosure provides solutions that may enable an enterprise providing services to a number of clients to determine whether to establish a client based SSL VPN session or a clientless SSL VPN session with a client based on an information associated with the client. An intermediary establishing SSL VPN sessions between clients and servers may receive a request from a client to access a server. The intermediary may identify a session policy based on the request. The session policy may indicate whether to establish a client based SSL VPN session or clientless SSL VPN session with the server. The intermediary may determine, responsive to the policy, to establish a clientless or client based SSL VPN session between the client and the server. | 07-30-2009 |
20090199264 | DYNAMIC TRUST MODEL FOR AUTHENTICATING A USER - A system that dynamically authenticates one or more users is described. During operation, the computer system determines a trust level for a user, where the trust level is a function of elapsed time since the user previously provided authentication information. Next, the computer system calculates a transaction risk level based on a type of user transaction performed by the user. Then, the computer system requests additional authentication information from the user based on the trust level and the transaction risk level. | 08-06-2009 |
20090199265 | ANALYTICS ENGINE - Aspects of the subject matter described herein relate to a mechanism for assessing security. In aspects, an analytics engine is provided that manages execution, information storage, and data passing between various components of a security system. When data is available for analysis, the analytics engine determines which security components to execute and the order in which to execute the security components, where in some instances two or more components may be executed in parallel. The analytics engine then executes the components in the order determined and passes output from component to component as dictated by dependencies between the components. This is repeated until a security assessment is generated or updated. The analytics engine simplifies the work of creating and integrating various security components. | 08-06-2009 |
20090199266 | Compiling Method for Command Based Router Classifiers - A method and compiler for compiling hierarchical command based policy rules to a flat filter list structure adapted for storage in a Content Addressable Memory (CAM), wherein the policy rules are organized in a tree-structure of classifiers. First, all of the possible search paths in the tree structure are found, and then only the valid search paths according to defined criteria are added to the flat filter list. The CAM may be a Ternary Content Addressed Memory. | 08-06-2009 |
20090199267 | Internet filtering utility using consumer-governed internet web site ratings, governor voting system and vote validation process - Internet filtering system to produce only desirable internet search returns and to block undesirable web sites by computer administrators (herein called governors) wishing to limit the access of internet content for themselves, their children, their employees or clients, using a consumer-governed internet web site rating system that is verified with a governor voting system and vote validation process. | 08-06-2009 |
20090199268 | POLICY CONTROL FOR ENCAPSULATED DATA FLOWS - Systems and methodologies are described that facilitate communicating encapsulation information for a related mobility protocol type utilized in communicating over a data flow with reduced specific implementation on the policy server to support different mobility protocol types. In this regard, encapsulation information can be transmitted to the policy server from a network gateway such that the policy server can forward the encapsulation information to a serving gateway along with policy rules related to a data flow type. The serving gateway can utilize the encapsulation information to detect and interpret the encapsulated data flow according to the policy rules. In this regard, the serving gateway can provide support (e.g. quality of service support) for the flow. The encapsulation information can relate to a mobility protocol type, an encapsulation header, an indication that encapsulation is required, parameters regarding locating an encapsulation header in a message, and/or the like. | 08-06-2009 |
20090205011 | CHANGE RECOMMENDATIONS FOR COMPLIANCE POLICY ENFORCEMENT - Some embodiments of the present invention provide a system for maintaining a software system. During operation, the system obtains a compliance policy for the software system and monitors the software system for a violation of the compliance policy. If a violation is detected, the system generates a change recommendation associated with the violation using the compliance policy and provides the change recommendation to an administrator, so that the administrator can use the change recommendation to resolve the violation. | 08-13-2009 |
20090205012 | AUTOMATED COMPLIANCE POLICY ENFORCEMENT IN SOFTWARE SYSTEMS - Some embodiments of the present invention provide a system that maintains a software system. During operation, the system obtains a compliance policy for the software system and monitors the software system for a violation of the compliance policy. If such a violation is detected, the system retrieves a change package associated with the violation based on the compliance policy and automatically deploys the change package to the software system to resolve the violation. | 08-13-2009 |
20090205013 | Customization restrictions for multi-layer XML customization - Embodiments of the present invention provide techniques for customizing aspects of a metadata-driven software application. In particular, embodiments of the present invention provide ( | 08-13-2009 |
20090205014 | SYSTEM AND METHOD FOR APPLICATION-INTEGRATED INFORMATION CARD SELECTION - A selector daemon can run in the background of a computer. Applications that are capable of processing information cards directly, without requiring the use of a card selector, can request the selector daemon to list information cards that satisfy security policy. Upon receiving such a request, selector daemon can determine the information cards available on the computer that satisfy the security policy, and can identify these information cards to the requesting application. The applications can then use the identified information cards in any manner desired, without having to use a card selector: for example, by requesting a security token based on one of the information cards directly from an identity provider. | 08-13-2009 |
20090205015 | Method for Forecasting Unstable Policy Enforcements - A method for forecasting unstable policy enforcement is described, wherein a behavior dynamic Bayesian network (DBN) model and a policy finite state transducers extended with tautness functions and identities (TFFST) model are analytically composed to derive predictions of the consequences of enforcing a given policy, in particular to detect flip-flop configuration changes in a system. The method comprises the steps of—translating ( | 08-13-2009 |
20090205016 | POLICY ENFORCEMENT USING ESSO - A method for enforcing policies used with a computer client, the method including receiving, at policy decision point (PDP) processor, information from a single sign-on (SSO) system indicating an occurrence of an event of interest on the computer client, performing, using the PDP processor, a policy check in response to the occurrence of the event of interest, wherein a policy check result is generated, and providing the generated policy check result to the SSO system. | 08-13-2009 |
20090205017 | APPROPRIATE CONTROL OF ACCESS RIGHT TO ACCESS A DOCUMENT WITHIN SET NUMBER OF ACCESSIBLE TIMES - An access right management system is provided which appropriately controls an access right to access a document when the number of executable times is set for each kind of processing on the document managed by a policy server. The management system includes the policy server, which saves the access right showing permission or inhibition of access to the document in a first file, and a document management server, which saves the number of accessible times in a second file. When a predetermined condition is satisfied, the document management server instructs the policy server to update the access right, and the policy server which receives the instructions executes an update of the access right, such as changing a permission of access to an inhibition of access. | 08-13-2009 |
20090205018 | METHOD AND SYSTEM FOR THE SPECIFICATION AND ENFORCEMENT OF ARBITRARY ATTRIBUTE-BASED ACCESS CONTROL POLICIES - A general attribute-based access control system includes at least one resource server, at least one client module, an access control database including basic data sets and basic relations between the basic data sets, at least one server module including an access decision sub-module that computes a decision whether to grant or deny access to computer-accessible resources referenced by objects, an event processing sub-module that processes events, and an administrative sub-module that creates, deletes, and modifies elements of the basic data sets and the basic relations. | 08-13-2009 |
20090210923 | Personal license server and methods for use thereof - A personal license server and methods for use thereof are disclosed. In one embodiment, a personal license server is provided comprising a memory and circuitry operative to receive a digital rights management (DRM) license from a license server, store the DRM license in the memory, and provide the DRM license to a personal license server client, wherein the personal license server client receives the DRM license without communicating with the license server. In another embodiment, a personal license server client is provided that receives, from a license requester, a request for a digital rights management (DRM) license from a license server; in response to the request, communicates with a personal license server instead of the license server to receive the DRM license; and provides the DRM license to the license requester. Other embodiments are provided, and each of these embodiments can be used alone or in combination with one another. | 08-20-2009 |
20090217340 | METHODS AND SYSTEMS FOR CLINICAL CONTEXT MANAGEMENT VIA CONTEXT INJECTION INTO COMPONENTS AND DATA - Certain embodiments present a system for managing access to patient data in a clinical information system that uses software applications, and a context manager that facilitates the sharing of context among the applications. The system has one access point, or a computer workstation terminal, allowing for user interaction with said at least two software applications. A centralized database stores information relating to patient data and user attempts to access patient data by the software applications. A first context identification module assigns a context label to each access attempt, and a second context identification module assigns a context label to data gathered by the software applications. An auditor regulates relationships between the software applications manager and provides a user interface enabling access to the centralized database. The auditor identifies impermissible application tasks based on rules and identification labels, and prevents access to impermissible application tasks through the user interface. | 08-27-2009 |
20090217341 | METHOD OF UPDATING INTRUSION DETECTION RULES THROUGH LINK DATA PACKET - A method of updating intrusion detection rules through a link data packet is used to dynamically update rules storages of Snort system hosts. Firstly, an update sponsor in the network transmits a link data packet with an intrusion detection rule to the Snort system host. The Snort system host acquires the intrusion detection rule from the received link data packet, and parses an operation type of the intrusion detection rule. Then, the Snort system host verifies the validity of the intrusion detection rule. Subsequently, the rules storage is updated according to the type of the valid intrusion detection rule and a rules tree. | 08-27-2009 |
20090217342 | Parental Control for Social Networking - A computer-implemented infrastructure is provided for use with social communication services that are accessed via the public Internet. Facilities of the infrastructure identify a controlled class of users and permit a supervisory class of users to monitor and control use of social communication services servers by the controlled class. The infrastructure enables children to access social communication services servers, and allows their parents to supervise their use of such services on an ongoing basis. | 08-27-2009 |
20090217343 | Digital Rights Management of Streaming Captured Content Based on Criteria Regulating a Sequence of Elements - A captured content rights controller detects a first portion of streaming captured content and a second portion of the streaming captured content after the first portion of the streaming captured content is detected. The captured content rights controller determines whether rendering the second portion of the streaming captured content after the first portion of the streaming captured content is subject to at least one digital rights management protection rule for streaming captured content as specified by at least one owner of at least one restricted element within the streaming captured content captured independent of distribution of the content by the owner of the at least one restricted element within the streaming captured content. The captured content rights controller applies the at least one digital rights management protection rule to restrict rendering of the second portion of the streaming captured content after the first portion of the streaming captured content. | 08-27-2009 |
20090217344 | Digital Rights Management of Captured Content Based on Capture Associated Locations - When captured content is detected, the captured content is analyzed to determine whether any portion of the content is subject to digital rights management protection specified for content captured, where captured content is content captured independent of distribution of the content by an owner of at least one restricted element within the captured content. In response to determining that a portion of the captured content is subject to digital rights management protection, a database is queried to select at least one digital rights management rule associated with the portion and comprising at least one location based criteria. At least one relevant location is associated with the captured content. At least one digital rights management rule is applied to restrict usage of the captured content, with the at least one location based criteria specified by the at least one relevant location. In addition, in response to determining that the captured content is not subject to digital rights management protection, a certification is applied to the captured content designating a particular system that determined no portion of the captured content is subject to digital rights management protection. | 08-27-2009 |
20090217345 | SYSTEM AND METHOD FOR POLICY BASED CONTROL OF NAS STORAGE DEVICES - A system and method for providing policy-based data management and control on a NAS device deployed on a network and having event enabling framework software. When a user makes a request to store, read, or manipulate data on the NAS device, the NAS device provides an indication of this request to a management tool running on a remote system through the event enabling framework software. The management tool reviews the request in light of its previously established policy-based data storage management configuration and subsequently informs the NAS device, via the event enabling framework software, to either accept or not accept the user's request to store, read or modify data on the NAS device. | 08-27-2009 |
20090217346 | DHCP CENTRIC NETWORK ACCESS MANAGEMENT THROUGH NETWORK DEVICE ACCESS CONTROL LISTS - In embodiments of the present invention improved capabilities are described for the computer program product steps of serving a limited network connection to an endpoint computing facility via network device access control lists, where the limited network connection may enable the endpoint to communicate with a limited set of network resources; assessing security compliance information relating to the endpoint to determine a security state; and in response to receiving an indication that the security compliance information is acceptable, serving a managed network connection to the endpoint, where the managed connection may enable the endpoint to communicate with a larger set of network resources than the limited network connection. | 08-27-2009 |
20090217347 | METHOD AND NETWORK SYSTEM FOR NEGOTIATING A SECURITY CAPABILITY BETWEEN A PCC AND A PCE - A method and a network system for negotiating a security capability between a path computation client (PCC) and a path computation element (PCE) are described. The method includes the steps as follows. The PCE sends a packet carrying security policy capability information to the PCC. After receiving the packet, the PCC acquires a security policy capability supported or required by the PCE or a security policy capability supported by both of the PCE and the PCC. In various embodiments of the present invention, negotiation of PCC-PCE and PCC-PCC may be performed by sending the packet carrying the security policy capability information, thereby greatly simplifying the security policy configuration between PCC-PCE and PCE-PCE, and simplifying the complexity in PCE deployment. | 08-27-2009 |
20090222876 | POSITIVE MULTI-SUBSYSTEMS SECURITY MONITORING (PMS-SM) - A system for Positive Multi-Subsystems—Security Monitoring providing for the monitoring of security events of a business organization comprising business assets, wherein the events are monitored according to a positively stated policy that is created, managed and controlled by Multiple Sub-Systems Meta Security Policy. The system includes Policy Connectors, wherein each PC has a specific set of rules and relevant data and an event collector comprising centralized event collector software, wherein the event collector collects security events, and wherein each security event is created in the PMS-SM system using MSSMSP. Each event arises from an application. The system also includes security events which include Business Asset Monitor events. A BAM event represents user activity against a specific business asset and Security data that is queried from the various security sub-systems using the PC's and a Security policy of MSSMSP. The system enables positive, centralized security monitoring. | 09-03-2009 |
20090222877 | UNIFIED NETWORK THREAT MANAGEMENT WITH RULE CLASSIFICATION - A computer network device comprises an intrusion prevention rule set comprising a plurality of rules, each of the plurality of rules associated with two or more rule classification parameters, and an intrusion prevention module that is operable to use two or more of the classification parameters associated with the plurality of intrusion protection rules to selectively apply the rules to provide network intrusion protection of network traffic. | 09-03-2009 |
20090222878 | SYSTEMS AND METHODS FOR A SECURE GUEST ACCOUNT - An embodiment relates generally to a method of creating a secure environment in a computer device. The method includes providing a secure guest account in a multi-user operating system and enforcing a policy on the secure account to allow a user to log-in to the secure guest account while preventing access at least one network port of the computer device. The method also includes enforcing a rule to allow the secure guest account access to an application and the at least one network port. | 09-03-2009 |
20090222879 | SUPER POLICY IN INFORMATION PROTECTION SYSTEMS - Providing access to information based on super policy. Information is associated with author policy expressing restrictions on use of the information. The author policy is processed using super policy programmatic code to generate a composite policy. The composite policy includes a combination of the author policy and super policy applied by the super policy programmatic code, such that restrictions are added to or removed from the author policy to create the composite policy. A request for the information is evaluated. This includes evaluating information about the requester against the composite policy to determine if the requester is authorized to access the information. A determination is made that the requester is authorized to access the information based on the composite policy, where after the requester is authorized to access the information based on the composite policy, access is granted to the information to the requester. | 09-03-2009 |
20090222880 | Configurable access control security for virtualization - Provided are systems and methods for applying access controls to separate and contain virtual machines in a flexible, configurable manner. Access can be granted or removed to a variety of system resources—including network cards, shared folders, and external devices. Operations, such as cut and paste, between the virtual machines can be restricted or allowed. Virtual machines are run in containers. This allows more than one virtual machine to share the same access profile. Containers can be configured to allow a user to instantiate a virtual machine at run time. This allows the user to dynamically define which virtual machines run in various containers. An administrator determines which containers (if any) allow dynamic instantiation, and specifies the list of virtual machines the user can choose from. A container, and/or virtual machines within the container, can be restricted to particular users. | 09-03-2009 |
20090222881 | RESOURCE STATE TRANSITION BASED ACCESS CONTROL SYSTEM - Enforcing access control based on resource state. A method includes receiving a request for an operation on one or more objects stored on computer readable media. One or more pre-operation states of the one or more objects are determined. One or more post-operation states of the one or more objects are determined. One or more access control rules are referenced. The access control rules control access to resources based on pre-operation state and post operation state. It can then be determined that the one or more access control rules allow the operation to succeed based on the one or more pre-operation states and the one or more post operation states. Based on determining that the one or more access control rules allow the operation to succeed, the operation is allowed to succeed. | 09-03-2009 |
20090222882 | UNIFIED MANAGEMENT POLICY - Defining a unified access management policy expression that unifies access control policy with events or workflows. Unified management policy information is stored. The unified management policy information defines permissions for access to resources together with events or workflows. A request is received to execute the one or more operations on one or more objects. The requested operation is verified against the unified management rules. Verifying includes performing a single retrieval, retrieving both the access control information and the events or workflows and calculating the applicability of the rule to the conditions represented by the request. Matching rules are applied, access control decisions performed and associated workflows are executed. | 09-03-2009 |
20090222883 | Method and Apparatus for Confidential Knowledge Protection in Software System Development - An apparatus and a computer-implemented method for protecting confidential knowledge in a software system design which includes a plurality of artifacts. The method includes the steps of calculating a correlation between the confidential knowledge and the software system design, acquiring inter-dependencies between the artifacts in the software system design, and determining protection mechanisms for the respective artifacts according to the correlation and the inter-dependencies. The system includes a correlation calculating section for calculating a correlation between the confidential knowledge and the software system design; an inter-dependency acquiring section for acquiring inter-dependencies between the artifacts in the software system design; and a mechanism designing section for determining protection mechanisms for the respective artifacts according to said correlation and said inter-dependencies. | 09-03-2009 |
20090222884 | INTERFACES AND METHODS FOR GROUP POLICY MANAGEMENT - A system and method for managing group policy objects in a network, including interfaces that allow access by programs or a user interface component to functions of a group policy management console that performs management tasks on group policy objects and other related objects. The interfaces abstract the underlying data storage and retrieval, thereby facilitating searching for objects, and providing the ability to delegate, view, and change permissions on those objects, and to check and save those permissions. Modeling and other test simulations are facilitated by other interfaces. Other interfaces provide dynamic and interactive features, such as to convey progress and rich status messages, and allow canceling of an ongoing operation. Still other interfaces provide methods for operating on group policy related data, including group policy object backup, restore, import, copy and create methods, and methods for linking group policy objects to scope of management objects. | 09-03-2009 |
20090222885 | SYSTEM AND METHODOLOGY PROVIDING MULTI-TIER SECURITY FOR NETWORK DATA WITH INDUSTRIAL CONTROL COMPONENTS - The present invention relates to a system and methodology facilitating network security and data access in an industrial control environment. An industrial control system is provided that includes an industrial controller to communicate with a network. At least one security layer can be configured in the industrial controller, wherein the security layer can be associated with one or more security components to control and/or restrict data access to the controller. An operating system manages the security layer in accordance with a processor to limit or mitigate communications from the network based upon the configured security layer or layers. | 09-03-2009 |
20090235324 | METHOD FOR DISCOVERING A SECURITY POLICY - Techniques for mapping at least one physical system and at least one virtual system into at least two separate execution environments are provided. The techniques include discovering an implicitly enforced security policy in an environment comprising at least one physical system and at least one virtual system, using the discovered policy to create an enforceable isolation policy, and using the isolation policy to map the at least one physical system and at least one virtual system into at least two separate execution environments. Techniques are also provided for generating a database of one or more isolation policies. | 09-17-2009 |
20090235325 | MESSAGE PROCESSING METHODS AND SYSTEMS - Methods and apparatus for controlling the operation of a distributed application using message interception techniques are disclosed. The message interception software is independent of the software components making up the distributed application. The message interception software processes messages by carrying out a series of actions set out in an interceptor chain configuration policy, that policy being selected on the basis of the contents of the intercepted message. The interceptor chain configuration policy is divided into a separate enforcement configuration policy which dictates what actions should be carried out on a message and in what order, and an interceptor reference policy which indicates references to interceptors which are suitable for carrying out the actions specified in the enforcement configuration policy. In this way, the behaviour of the message interception software (and thus the distributed application) can be updated whilst both the interception software and the distributed application are running without requiring the person updating the behaviour of the message interception software to deal with esoteric references to interceptor software routines. | 09-17-2009 |
20090241164 | System and Method for Protecting Assets Using Wide Area Network Connection - A system, method, and program product is provided that detects whether a network adapter has been removed from a computer system. If the network adapter, such as a wireless network adapter, has been removed from the computer system, then a tamper evident indicator (e.g., bit) is set in a nonvolatile memory area of the computer system. In addition, a hard drive password is set to a different password according to a hard drive password policy. The hard drive password controls access to files stored on the hard drive. In one embodiment, the power-on password is also changed to a new password so that the user has to enter the new power-on password when initializing the computer system in order to access the files stored on the computer system. | 09-24-2009 |
20090241165 | COMPLIANCE POLICY MANAGEMENT SYSTEMS AND METHODS - In an exemplary system, a compliance policy processing subsystem is selectively and communicatively coupled to a rules management subsystem. The rules management subsystem is configured to maintain a rules database. The compliance policy processing subsystem is configured to facilitate selection by a user of a section of text within a compliance policy, direct the rules management subsystem to identify one or more rules within the rules database that are relevant to the section of text, and display a representation of the relevant rules. | 09-24-2009 |
20090241166 | Establishment of Security Federations - Secure interactions between administrative domains are modeled. The modeled process specifies role information for each of the administrative domains and interaction between the administrative domains. Role information associated with candidate administrative domains is received, and appropriate administrative domains from the candidate administrative domains are dynamically resolved based on the modeled process and the received role information. Trust realms between the dynamically resolved appropriate administrative domains are automatically derived based on the role information and the interactions from the modeled process. The secure interaction between the dynamically resolved appropriate administrative domains is effected through the automatically derived trust realms. | 09-24-2009 |
20090241167 | METHOD AND SYSTEM FOR NETWORK IDENTIFICATION VIA DNS - In embodiments of the present invention improved capabilities are described for accessing a DNS server, where the DNS server may be a DNS server within the control of an administrator. A pair of name and IP address may be stored on the DNS server. A client may then transmit the name to a DNS server to request the DNS server to look up the IP address related to the client transmitted name. This client to DNS server communication may be performed as part of a network request from the client. The IP address may then be returned to the client in response to the connection request, which may allow the client to interpret the return of the security IP address as an indication of a known DNS server and therefore a known network. As a result, the client may then be able to set its security rules according to known network rules. Further, the identifying of a known network may be associated with location information associated with the DNS server, and thus the client, where the location information may be associated with multiple DNS IP address entries. | 09-24-2009 |
20090249430 | CLAIM CATEGORY HANDLING - A relying party can have a security policy. The security policy can include claims that are categorized other than “required” and “optional”. The user can specify, in a user policy, whether or not to include in a request for a security token from an identity provider claims that are not “required”. | 10-01-2009 |
20090249431 | Determining Effective Policy - Aspects of the subject matter described herein relate to determining effective policy when more than one policy may be associated with an entity. In aspects, bindings associate policies with target groups that may include one or more entities. The bindings are ordered by precedence. When properties of two or more policies affect an entity, properties of policies in higher precedence bindings control (e.g., override) properties of policies in lower precedence bindings. When a property of a policy is not included in other policies that affect an entity, the property is retained. A policy resolver determines disjoint target groups and a resultant policy associated with each disjoint target group. The resultant policy associated with a disjoint target group represents a combination of the original policies according to precedence. | 10-01-2009 |
20090249432 | SYSTEM AND METHOD FOR CIRCUMVENTING INSTANT MESSAGING DO-NOT-DISTURB - A method and computer program product for defining one or more authorized users capable of granting do-not-disturb circumvention privileges, and receiving an indicator of a grant of do-not-disturb circumvention privileges to a circumventing user by the one or more authorized users. A do-not-disturb status of an instant messaging user is circumvented based upon, at least in part, the grant of do-not-disturb circumvention privileges. | 10-01-2009 |
20090249433 | SYSTEM AND METHOD FOR COLLABORATIVE MONITORING OF POLICY VIOLATIONS - A computer implemented system and method is used to receive user reports regarding potential security policy violations that describe observations by the user, the type of policy violation, and an identification of another user with potential knowledge of a security policy violation. A payoff matrix may be formed for each user submitting a user report regarding potential as well as actual security violations and for users identified in such reports, wherein the payoff matrix reflects payout data for reported and unreported security policy violations. The payoff matrix may be used to both reward and punish reporting behaviors. | 10-01-2009 |
20090249434 | APPARATUS, SYSTEM, AND METHOD FOR PRE-BOOT POLICY MODIFICATION - An apparatus, system, and method are disclosed for pre-boot policy modification. A key module exchanges a key with a server in a secure environment. A communication module receives a policy encoded with the key. A decode module decodes the encoded policy using the key and saves the policy setting prior to booting an operating system on the computer. An update module boots the computer using the policy. | 10-01-2009 |
20090249435 | Manually controlled application security environments - Computer protection is weak with the methods currently available and there are risks of malicious users getting access to computers, corrupting important data, including system data. We are proposing a method for improving access protection, more particularly, by adding a device that will enable or disable protection for applications as required. The device supports one or more users, one or more user groups, none or one or more Application Security Environments for each user or user group and one or more states for each Application Security Environment. The state of the hardware is manually controlled by the users. Depending on the configuration, each hardware state corresponding to an Application Security Environment corresponds to a set of privileges for processes running in that Application Security Environment while that Application Security Environment is in that state. | 10-01-2009 |
20090249436 | Centralized Enforcement of Name-Based Computer System Security Rules - This disclosure describes techniques of using a centralized rule database to control the abilities of software processes to perform actions with regard to resources provided by a computer. As described herein, each software process executing in a computer executes within a chamber and each resource provided by the computer is associated with a canonical name that uniquely identifies the resource. Furthermore, the computer stores a set of security rules in a centralized rule database. In addition, this disclosure describes techniques of enforcing the rules stored in the centralized rule database. | 10-01-2009 |
20090249437 | ASSIGNMENT OF POLICY FUNCTION ADDRESS DURING ACCESS AUTHENTICATION IN WIMAX NETWORKS - A policy function used by a Service Flow Authorization of an Internet Protocol network is dynamically specified. A mobile station sends a request to a Network Access Server. Service Equipment forwards the request to a Service Provider's AAA Server. A connectivity serving network sends an Access-Accept RADIUS message to an access serving network. The PF address is inserted into the Access-Accept RADIUS message. | 10-01-2009 |
20090249438 | MOVING SECURITY FOR VIRTUAL MACHINES - A method of maintaining multiple firewalls on multiple host nodes. Each host node runs one or more virtual machines. For at least a first host node, the method maintains multiple sets of policies for multiple virtual machines that run on the first host node. The method, upon detecting that a particular virtual machine has been moved from the first host node to a second host node, removes a set of policies associated with the particular virtual machine from the first host node and supplies the set of policies to the second host node. | 10-01-2009 |
20090249439 | SYSTEM AND METHOD FOR SINGLE SIGN-ON TO RESOURCES ACROSS A NETWORK - Systems, methods and apparatus for providing single sign-on across a plurality of resources are disclosed. An exemplary method includes receiving a request from a user to access a particular one of the plurality of resources; establishing an SSO session for the user if an SSO session has not been established; determining if the user has been authenticated to the particular resource, and if not, retrieving credentials for the user that are specific to the resource; presenting the credentials to the resource so as to create a session with the resource; and presenting a user interface for a customer to configure which of the plurality of resources can be accessed by users. | 10-01-2009 |
20090249440 | SYSTEM, METHOD, AND APPARATUS FOR MANAGING ACCESS TO RESOURCES ACROSS A NETWORK - A system, method and apparatus for managing access across a plurality of applications is disclosed. The system may include a user store connector configured to connect to one or more user stores to retrieve attributes; an authentication connector configured to communicate with at least one authentication subsystem to authenticate a user; a policy engine configured to retrieve attributes from the user store connector corresponding to a user and use the attributes to evaluate access policies, if any, which are defined for protection of resources, to determine whether or not the user should be granted access to the resources; an admin component that is configured to enable the access policies to be defined relative to attributes and the resources; and a policy store configured to store the access policies. | 10-01-2009 |
20090249441 | GOVERNING THE TRANSFER OF PHYSIOLOGICAL AND EMOTIONAL USER DATA - Apparatus and articles of manufacture are provided for governing the transfer of data characterizing a user's behavior, physiological parameters and/or psychological parameters. One embodiment provides a computer readable storage medium containing a program which, when executed, performs an operation for handling a request, from a requesting application, for emotion data characterizing an emotional state of a user. A firewall ruleset defining rules governing the transfer of the emotion data to requesting applications is accessed to determine whether to provide the emotion data to the requesting application. The request is denied if the firewall ruleset rules are not satisfied. | 10-01-2009 |
20090254967 | VIRTUAL PRIVATE NETWORKS (VPN) ACCESS BASED ON CLIENT WORKSTATION SECURITY COMPLIANCE - Techniques for virtual private network (VPN) access, which is based on client workstation security compliance, are provided. When a user successfully logs into a secure network, client integrity checks are processed on a client workstation of the user to gather configuration information related to a processing environment of the client workstation. Metrics associated with the client integrity checks are compared with security policy and an assigned security access level is set for the user during a VPN session. Traffic policy is then enforced against the VPN session by configuring attributes of the VPN session. | 10-08-2009 |
20090254968 | METHOD, SYSTEM, AND COMPUTER PROGRAM PRODUCT FOR VIRTUAL WORLD ACCESS CONTROL MANAGEMENT - A method for virtual world (VW) access control management includes intercepting a policy object from a VW network in response to a request from a VW client system to access a VW space, the policy object intercepted by a proxy server located outside of the network. The method also includes selecting an identity based upon the policy object, which provides credentials required in the policy object as a condition of granting access to the network, generating proof from the selected identity, and transmitting the proof to a verifier avatar located inside the network, the verifier avatar logically mapped to, and controlled by, a verification system located outside of the network. The method further includes receiving, at the verification system, the proof from the verifier avatar. In response to successful validation of the proof, the verification avatar places an avatar of the client system on a list of avatars having access to the space. | 10-08-2009 |
20090254969 | Method and system for managing security of mobile terminal - A method for enabling security on a mobile terminal having a communication link with a circuit switched network against suspicious activities is provided. Activities performed at the mobile terminal are performed according to a security policy provided from the circuit switched network. Detection of a suspicious activity is alerted to the circuit switched network when the suspicious activity is detected. A policy manager server of the circuit switched network changes the security policy to cure the suspicious activity on the mobile terminal. Call traffic delivered to or sent from the mobile terminal that causes the suspicious activity is filtered out according to the security policy. The mobile terminal enforces a security measure on a suspicious activity according to the security policy. | 10-08-2009 |
20090254970 | MULTI-TIER SECURITY EVENT CORRELATION AND MITIGATION - The present invention is directed to the use of a multi-tiered security architecture that includes vendor-operated global security services and policy servers able to exchange security events and mitigation measures. | 10-08-2009 |
20090254971 | SECURE DATA INTERCHANGE - A secure data interchange system enables information about bilateral and multilateral interactions between multiple persistent parties to be exchanged and leveraged within an environment that uses a combination of techniques to control access to information, release of information, and matching of information back to parties. Access to data records can be controlled using an associated price rule. A data owner can specify a price for different types and amounts of information access. | 10-08-2009 |
20090254972 | Method and System for Implementing Changes to Security Policies in a Distributed Security System - Improved approaches for effectuating changes to security policies in a distributed security system are disclosed. The changes to security policies are distributed to those users (e.g., users and/or computers) in the security system that are affected. The distribution of such changes to security policies can be deferred for those affected users that are not activated (e.g., logged-in or on-line) with the security system. | 10-08-2009 |
20090260050 | Authenticating device for controlling application security environments - Computer protection is weak with the methods currently available and there are risks of malicious users getting access to computers, corrupting important data, including system data. We are proposing a method for improving access protection, more particularly, by adding a device capable of user authentication that will enable or disable protection for applications as required. The device supports one or more users, none or more user groups, none or one or more Application Security Environments for each user or user group and one or more states for each Application Security Environment. The state of the hardware is manually controlled by the users. Depending on the configuration, each hardware state corresponding to an Application Security Environment corresponds to a set of privileges for processes running in that Application Security Environment while that Application Security Environment is in that state. | 10-15-2009 |
20090260051 | POLICY PROCESSING SYSTEM, METHOD, AND PROGRAM - In a policy handling system performing automatic execution, management, and control of a system, a policy retrieving section ( | 10-15-2009 |
20090260052 | Inter-Process Message Security - An inter-process messaging security management may be provided. A message comprising an operation to be performed may be sent from a process operating in a process chamber to a second process operating in another chamber. Before the message is allowed to be delivered, the validity of the operation contained in the message may be verified and a security policy may be examined to determine whether the message is permitted to be sent from the first process to the second process. If the security policy permits the second process to execute the operation requested by the first process, the message may be delivered to the second process. If the operation is not permitted, the message may not be delivered and an error message may be returned to the first process. | 10-15-2009 |
20090260053 | Data Management in a Computer System - Embodiments of the invention generally provide methods, systems, and articles of manufacture that facilitate classification of a data access authority of unclassified users into one or more categories, and control access of data by the users based on the categories. When an unclassified user is found in an organization chart, one or more classified users near the unclassified user in the data tree may be identified. The unclassified user may be compared to the identified classified users to determine one or more suggested data access categories for classifying the unclassified user. The unclassified user may therefore be classified into one of the suggested data access category based on, for example, user input. | 10-15-2009 |
20090260054 | Automatic Application of Information Protection Policies - The secure application of content protection policies to content. The secure application of content protection policies is accomplished by having an enforcement mechanism monitor policy application points to detect the transfer of content. The enforcement mechanism accesses the content and a determination is made to protect the content. A usage policy is then identified by the enforcement mechanism to apply to the content and the usage policy is then applied to the content, resulting in a usage policy for the content. | 10-15-2009 |
20090260055 | REAL-TIME DATA SHARING AMONG A PLURALITY OF USERS - Described embodiments provide for accessing stored data representing real-time tracking information shared among a plurality of users. First, a user request for access to stored data is identified. A device type associated with the user request is determined, and one or more permissions for the user request are also determined. Based on the one or more permissions determined, a portion of the stored data is provided to the user through one of a plurality of specialized data views. The selected one of the plurality of specialized data views is selected based on the device type. | 10-15-2009 |
20090260056 | Role-Based Authorization Management Framework - A role-based authorization management system maintains an authorization policy store that represents user authorizations to perform operations associated with an application. When a user attempts to perform a function associated with an application, the authorization management system verifies that the user is authorized to perform the requested function. The authorization management system also provides an interface for an application administrator to update role-based user authorization policies associated with one or more applications. | 10-15-2009 |
20090265752 | SYSTEM AND METHOD OF CONTROLLING A MOBILE DEVICE USING A NETWORK POLICY - A method of controlling a mobile device based on a network policy, wherein the network policy is stored on the mobile device when a server or access point is accessed. When a packet is transmitted, it is sent only if it meets the policy parameters as established by the network policy. Parameters may include the type of service or packet, the time of day of the usage, or the maximum tolerable delay permitted. | 10-22-2009 |
20090265753 | USING OPAQUE GROUPS IN A FEDERATED IDENTITY MANAGEMENT ENVIRONMENT - A system and method for using an opaque group within a federated identity management environment, to prevent disclosure of identities of the group. An opaque group is constructed at an identity provider within the system and has a group identity that references primary system identities of its members (e.g., electronic mail addresses, public key certificates, network addresses). Services to the group (e.g., distribution of an object such as a document or electronic mail message, invitation to an online meeting, authentication as a member of the group) can be requested from service providers, but because service providers do not have access to members' primary identities, the service providers forward the requests to an identity provider that has access to the group identity. That identity provider retrieves the members' identities and completes the action. | 10-22-2009 |
20090265754 | Policy Enforcement in Mobile Devices - Systems, methods and computer program products for enabling enforcement of an administrative policy on one or more mobile devices are described herein. In an embodiment, an administrator uses a policy server to create and provide an enforcement policy to a mobile device. An enforcement policy may include information on mobile device resources which may be controlled by an administrator. An enforcement policy also includes information on how mobile device features will be set, configured or disabled. An enforcement device driver and an enforcement monitor on a mobile device use the enforcement policy to control access to resources associated with the mobile device regardless of whether the mobile device is “online” and connected to a network or “offline” and disconnected from a network. | 10-22-2009 |
20090265755 | FIREWALL METHODOLOGIES FOR USE WITHIN VIRTUAL ENVIRONMENTS - In some embodiments a method comprises receiving a virtual universe request, and determining properties of the virtual universe request. The method can also comprise determining a virtual universe firewall security policy, wherein the virtual universe firewall security policy identifies allowable properties associated with the virtual universe request. The method can also include comparing the properties of the virtual universe request to the properties of the virtual universe firewall security policy, and blocking the virtual universe request based on the comparison of the virtual universe request's properties to the virtual universe firewall security policy's allowable properties. | 10-22-2009 |
20090265756 | SAFETY AND MANAGEMENT OF COMPUTING ENVIRONMENTS THAT MAY SUPPORT UNSAFE COMPONENTS - Techniques for managing and protecting computing environments are disclosed. A safe computing environment can be provided for ensuring the safety and/or management of a device. The safe computing environment can be secured by a safe component that isolates and protects it from unsafe computing environments which may also be operating. As a result, various security and management activities can be securely performed from a safe computing environment. A safe computing environment can, for example, be provided on a device as a safe virtual computing environment (e.g., a safe virtual machine) protected by a safe virtual computing monitor (e.g., a safe virtual machine monitor) from one or more other virtual computing environments that are not known or not believed to be safe for the device. It will also be appreciated that the safe components can, for example, be provided as trusted components for a device. As such, various trusted components (or agents) can operate in a trusted computing environment secured from interference by components that may not be trusted, and perform various security and/or management tasks alone or in connection, for example, with other trusted components (e.g., trusted servers). | 10-22-2009 |
20090265757 | SYSTEM AND METHOD FOR SECURE NETWORKING IN A VIRTUAL SPACE - Secure networking in a virtual space over a network. Subscriber computing devices each operated by a subscriber are associated with a subscriber identifier. Each computing device is connected to the network. A subscriber security profile is created in a security profile datastore, wherein the subscriber security profile comprises information indicative of a security status and wherein the subscriber security profile is associated with the subscriber's subscriber identifier. Subscriber identifiers associated with subscribers who are logged in to a website are monitored. The website defines a virtual space and the logged-in subscribers are characterized as present in the virtual space. A web page is served to the computing devices of the present subscribers via the network. The web page of a first subscriber comprises a first subscriber icon associated with the first subscriber and subscriber icons of other present subscribers. A determination is made whether the first subscriber security profile matches the subscriber security profile of one or more of the other present subscribers according to security matching criteria. An attribute is assigned to the icons of the other present subscribers having security profiles that match the security profile of the first subscriber according to security matching criteria. Selected security profile information is provided to the first subscriber of a selected one of any of the other present matching subscribers. | 10-22-2009 |
20090271839 | Document Security System - A document security system is disclosed. In the document security system, when a user is permitted to use a device and to use a document, a process for the document requested by a user is executed by the device. Further, after executing the process, a follow-up obligation is executed corresponding to the type of the document obtained from image data of the document. | 10-29-2009 |
20090271840 | METHOD AND SYSTEM FOR CONTROLLING INTER-ZONE COMMUNICATION - A method for executing a target program that includes opening, in response to a request, a door between the source container and the global container, where the source container is controlled by the global container and the request specifies a target program. The method further includes sending the request to an access module located in the global container using the door, verifying that the request can be executed in a target container using a policy definition, where the target program is in the target container and the target container is controlled by the global container, logging in to the target container after the request has been verified, initiating a gateway within the target container in response to the login, setting an execution context of the gateway based on the policy definition, and executing the target program by the gateway, using the execution context, to generate a response to the request. | 10-29-2009 |
20090271841 | METHODS, HARDWARE PRODUCTS, AND COMPUTER PROGRAM PRODUCTS FOR IMPLEMENTING ZERO-TRUST POLICY IN STORAGE REPORTS - A zero-trust policy is implemented in storage reports to provide a preventative measure against potential attack vectors. Introspection of a guest memory having a guest memory layout is performed. An operating system (OS) memory map is accepted. The guest memory layout is compared with the OS memory map. When the guest memory layout matches the OS memory map, the OS memory map is used to obtain one or more interested memory segments, and data processing is performed. | 10-29-2009 |
20090271842 | COMMUNICATIONS SECURITY SYSTEM - A method of establishing secure communications between a first computer, eg a client computer ( | 10-29-2009 |
20090271843 | INFORMATION FLOW CONTROL SYSTEM - In an information flow control system, when a process reads a file with a second attribute after having read a file with a first attribute, and the second attribute is higher in level than the first, a user is allowed to select a first control in which the file with the second attribute is not opened, a second control in which the file with the second attribute is opened after the file with the first attribute is closed, or a third control in which the file with the second attribute is opened after the file with the first attribute is reopened for read-only access. When the user selects the first control, the first attribute is applied to a file to be written; when the user selects the second or third control, the second attribute is applied to a file to be written. | 10-29-2009 |
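The three controls and the resulting write label, as an added example that is not the patent's code. Files carry an integer attribute (higher means more sensitive); the `chooser` callback stands in for the user prompt, and the file names and levels are constructed.

```python
from typing import Callable, Dict, Optional, Tuple

# Added example (not the patent's code): a process-level information-flow
# monitor. When a process that already has a file of level `first` open tries
# to read a file of a strictly higher level `second`, a chooser callback
# (standing in for the user prompt) picks one of three controls; the label
# applied to anything the process writes follows the rule in the abstract.
# Levels and file names are constructed.

DENY_OPEN = 1          # first control: do not open the higher file
CLOSE_FIRST = 2        # second control: close the lower file(s), then open
REOPEN_FIRST_RO = 3    # third control: reopen lower file(s) read-only, then open

Chooser = Callable[[int, int], int]   # (first level, second level) -> control


class FlowControlledProcess:
    def __init__(self, chooser: Chooser):
        self.chooser = chooser
        self.open_files: Dict[str, Tuple[int, str]] = {}  # name -> (level, "rw" | "ro")
        self.write_label: Optional[int] = None             # attribute given to written files

    def _highest_open_level(self) -> Optional[int]:
        return max((lvl for lvl, _ in self.open_files.values()), default=None)

    def open_for_read(self, name: str, level: int) -> bool:
        """Returns True if `name` was opened. May close or downgrade other files."""
        first = self._highest_open_level()
        if first is None or level <= first:
            # No upward flow: open it and keep the high-water mark as the write label.
            self.open_files[name] = (level, "rw")
            self.write_label = level if first is None else first
            return True
        choice = self.chooser(first, level)
        if choice == DENY_OPEN:
            self.write_label = first            # written files keep the first attribute
            return False
        lower = [n for n, (lvl, _) in self.open_files.items() if lvl < level]
        if choice == CLOSE_FIRST:
            for n in lower:
                del self.open_files[n]
        elif choice == REOPEN_FIRST_RO:
            for n in lower:
                self.open_files[n] = (self.open_files[n][0], "ro")
        else:
            raise ValueError(f"unknown control {choice}")
        self.open_files[name] = (level, "rw")
        self.write_label = level                # written files get the second attribute
        return True

    def write(self, name: str) -> int:
        """Writes to an open file and returns the attribute the file is given."""
        if name not in self.open_files:
            raise FileNotFoundError(name)
        if self.open_files[name][1] == "ro":
            raise PermissionError(f"{name} was reopened read-only")
        assert self.write_label is not None
        self.open_files[name] = (self.write_label, self.open_files[name][1])
        return self.write_label
```

The third control is the interesting one for a reviewer: the lower file stays readable, but any attempt to write through that handle is refused, because writing high-level data into a low-level file through it would be exactly the flow the label is meant to prevent.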
20090276823 | METHOD AND APPARATUS FOR MODIFYING A COLOR OF AN ELECTRONIC HOUSING - A method and apparatus for modifying a color of an electronics housing ( | 11-05-2009 |
20090276824 | TECHNIQUE FOR EFFICIENTLY EVALUATING A SECURITY POLICY - One embodiment of the present invention provides a system for efficiently evaluating a security policy. During operation, the system retrieves one or more roles associated with the user. Next, the system checks if a session-level cache exists for a set of Access Control Entries (ACEs) which is associated with the one or more roles. If this session-level cache exists, the system returns the set of ACEs from the session-level cache. Otherwise, the system generates the set of ACEs associated with the one or more roles from an Access Control List (ACL). During operation, the system can also update the one or more roles associated with the user and update the set of ACEs based on the updated one or more roles and the ACL. The system subsequently updates the session level cache with the updated set of ACEs and updated one or more roles. | 11-05-2009 |
20090276825 | SHARING MANAGEMENT SYSTEM, SHARING MANAGEMENT METHOD AND PROGRAM - In a policy-change input unit ( | 11-05-2009 |
20090276826 | IMAGE FORMING APPARATUS, METHOD, AND COMPUTER-READABLE RECORDING MEDIUM FOR ACCESS CONTROL - There is disclosed an image forming apparatus to which one or more programs can be added. The image forming apparatus includes a managing part configured to manage access authorization information set for each of groups into which the programs are categorized, a displaying part configured to display a setting screen in which access authorization setting information is set in correspondence with each of the programs, a changing part configured to change a range of access authorization granted to the programs according to access authorization change information, the access authorization change information including definitions of change information corresponding to the access authorization setting information set in the setting screen, and a determining part configured to determine whether the access authorization can be granted to the programs. | 11-05-2009 |
20090276827 | Method and Apparatus for Network Access Control (NAC) in Roaming Services - The present invention discloses a method and apparatus for network access control (NAC) in roaming services. In embodiments of the present invention, roaming quarantine access policies and roaming secure access policies are defined on access devices to control access of roaming terminals, instead of defining unified access policies on network-wide access devices. Embodiments of the present invention allow each branch network to enforce and update access policies as needed without restrictions of network identification and adaptation, making it easier to implement NAC on a distributed network, and improving NAC development. Embodiments of the present invention provide widely applicable, easy-to-implement NAC solutions for roaming. | 11-05-2009 |
20090276828 | METHOD OF NEGOTIATING SECURITY PARAMETERS AND AUTHENTICATING USERS INTERCONNECTED TO A NETWORK - A method for authenticating and negotiating security parameters among two or more network devices is disclosed. The method has a plurality of modes including a plurality of messages exchanged between the two or more network devices. In a main mode, the two or more network devices establish a secure channel and select security parameters to be used during a quick mode and a user mode. In the quick mode, the two or more computers derive a set of keys to secure data sent according to a security protocol. The optional user mode provides a means of authenticating one or more users associated with the two or more network devices. A portion of the quick mode is conducted during the main mode thereby minimizing the plurality of messages that need to be exchanged between the initiator and the responder. | 11-05-2009 |
20090282457 | COMMON REPRESENTATION FOR DIFFERENT PROTECTION ARCHITECTURES (CRPA) - A method of representing security information of a host in a universal format, in a manner that is independent of the semantics and implementation details of the underlying operating system is disclosed. The method comprises of the steps of having a security information representation layer to represent security information, the security information representation layer further comprising of representing entity and user privilege security information; representing object security information; representing object dependencies; and representing vulnerability information. | 11-12-2009 |
20090282458 | Remote and Local Compound Device Capabilities Synchronization Method and System - A method and system allow applying policies to service requests for information or a session, which are created by communications devices and are intended to be sent to service providers over a network. The policies govern the extent to which details about the communications devices sending the requests are released or revealed to that service provider. After the amount of capabilities corresponding to the extent allowed by the policy is determined and provided in the service request, the service request is sent over the network to the service provider. Policy based disclosure of communications device capabilities information may be applied in local network embodiments, such as a home or small office network including local server and residential gateway functions. | 11-12-2009 |
20090282459 | ELECTRONIC DOCUMENT CONVERSION DEVICE AND ELECTRONIC DOCUMENT CONVERSION METHOD - Based on the security policy set in the original document and the security policy supported by the format of conversion destination, it is judged whether or not the security policy set in the original document is inheritable to the electronic document after format conversion. If it is judged that the security policy is inheritable, the security policy set in the original document is inherited to the electronic document after format conversion. If it is judged that the security policy is not inheritable, a process for inheriting the security policy set in the original document to the electronic document after format conversion is not performed. | 11-12-2009 |
20090282460 | System and Method for Transferring Information Through a Trusted Network - A networking method includes receiving a first data packet from a computing node at a middleware process of a first computing system, adding, by the middleware process, a Common Internet Protocol Security Option (CIPSO) label to the data packet to form a modified packet, and transmitting, by a separation kernel, the modified packet to a second computing system. The first computing system includes an embedded operating system, and the computing node is coupled to the first computing system. The second computing system includes a CIPSO compliant operating system. | 11-12-2009 |
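The label a middleware process of the kind described would attach, as an added example that is not the patent's or any vendor's code: an encoder and parser for the CIPSO IP option (option type 134) carrying a tag type 1 (bit-mapped categories) label, plus the dominance check a CIPSO-aware receiving OS applies before accepting the data. The DOI, level and category numbers are constructed.

```python
import struct
from typing import Set, Tuple

# Added example (not the patent's or any vendor's code): build and parse the
# CIPSO IP option (type 134) with one tag type 1 (bit-mapped categories) tag,
# and an MLS dominance check of the kind a CIPSO-compliant receiver performs.
# DOI and label values below are constructed.

CIPSO_OPTION_TYPE = 134
TAG_TYPE_BITMAP = 1
MAX_BITMAP_BYTES = 30      # tag type 1 allows at most 30 octets of categories


def encode_cipso(doi: int, level: int, categories: Set[int]) -> bytes:
    """Return the option bytes: type, length, DOI (4 bytes), one tag-type-1 tag."""
    if not 0 <= level <= 255:
        raise ValueError("sensitivity level must fit in one octet")
    nbytes = (max(categories) // 8 + 1) if categories else 0
    if nbytes > MAX_BITMAP_BYTES:
        raise ValueError("category out of range for a tag type 1 bitmap")
    bitmap = bytearray(nbytes)
    for cat in categories:
        bitmap[cat // 8] |= 0x80 >> (cat % 8)   # category 0 is the MSB of octet 0
    # Tag: type, length (4 + bitmap), alignment octet (0), sensitivity level, bitmap.
    tag = bytes([TAG_TYPE_BITMAP, 4 + nbytes, 0, level]) + bytes(bitmap)
    return bytes([CIPSO_OPTION_TYPE, 6 + len(tag)]) + struct.pack("!I", doi) + tag


def decode_cipso(option: bytes) -> Tuple[int, int, Set[int]]:
    """Parse the option produced above; rejects malformed lengths and unknown tags."""
    if len(option) < 10 or option[0] != CIPSO_OPTION_TYPE or option[1] != len(option):
        raise ValueError("not a well-formed CIPSO option")
    doi = struct.unpack("!I", option[2:6])[0]
    tag = option[6:]
    if tag[0] != TAG_TYPE_BITMAP or tag[1] != len(tag) or tag[1] < 4 or tag[2] != 0:
        raise ValueError("unsupported or malformed CIPSO tag")
    level = tag[3]
    categories = {
        8 * i + bit
        for i, octet in enumerate(tag[4:])
        for bit in range(8)
        if octet & (0x80 >> bit)
    }
    return doi, level, categories


def dominates(a: Tuple[int, Set[int]], b: Tuple[int, Set[int]]) -> bool:
    """MLS dominance: a may receive b's data if a's level >= b's and a's categories cover b's."""
    return a[0] >= b[0] and a[1] >= b[1]
```

The parser checks the option length against the actual byte count and the tag length against its own field before touching the bitmap, which is the check that matters on the receiving side: a separation kernel forwarding labelled packets has to assume the label was built by code it does not trust.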
20090288133 | GAMING MACHINE - Disclosed is a gaming machine. The gaming machine comprises a gaming machine main body that plays a game with a predetermined game medium; a decoration member having identification information memorized therein; mounting means mounted to the gaming machine main body, the decoration member being detachably mounted thereto; effect data memorizing means for memorizing plural effect data including effect data corresponding to the identification information provided to the predetermined decoration member; identification information reading out means for reading out the identification information from the decoration member when the decoration member is mounted to the mounting means; effect data selecting means for selecting the effect data corresponding to the identification information read out by the identification information reading out means from the plural effect data memorized in the effect data memorizing means; and effect means for carrying out an effect, based on the effect data selected by the effect data selecting means. | 11-19-2009 |
20090288134 | System and Method for Providing Access to a Network Using Flexible Session Rights - A flexible rule engine allows a network operator to dynamically create and modify business rules that govern a subscriber's access to a communications network. The flexible rule engine governs subscriber transitions between various session states by testing for subscriber conditions, network conditions, and then performing specified actions based on these conditions. A rule editor provides the network operator with the ability to compose, edit and delete one or more rules in real time, using an appropriate user interface. | 11-19-2009 |
20090288135 | METHOD AND APPARATUS FOR BUILDING AND MANAGING POLICIES - Techniques for building and managing network policies for accessing resources of a datacenter are described herein. In one embodiment, events are captured within a network element pertaining to certain activities of accessing certain resources of a datacenter, wherein the network element operates as an application service gateway to the datacenter. A new rule/policy is provisioned based on attributes extracted from the captured events, where the attributes includes at least one of user attribute, environment attribute, and a resource attribute. A simulation is performed on the new rule/policy under a real time network traffic condition, generating a simulation result. The new rule/policy is committed if the simulation result satisfies a predetermined condition, wherein the new rule/policy is enforced within the network element to determine whether a particular client is eligible to access a particular resource of the datacenter. Other methods and apparatuses are also described. | 11-19-2009 |
20090288136 | HIGHLY PARALLEL EVALUATION OF XACML POLICIES - Techniques for highly parallel evaluation of XACML policies are described herein. In one embodiment, attributes are extracted from a request for accessing a resource including at least one of a user attribute and an environment attribute. Multiple individual searches are concurrently performed, one for each of the extracted attributes, in a policy store having stored therein rules and policies written in XACML, where the rules and policies are optimally stored using a bit vector algorithm. The individual search results associated with the attributes are then combined to generate a single final result using a predetermined policy combination algorithm. It is then determined whether the client is eligible to access the requested resource of the datacenter based on the single final result, including performing a layer-7 access control process, where the network element operates as an application service gateway to the datacenter. Other methods and apparatuses are also described. | 11-19-2009 |
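The per-attribute search and bit-vector combination described above, as an added example that is not the patent's code: every rule occupies one bit position, each attribute has a value-to-vector index plus a wildcard vector for rules that do not constrain it, the searches run independently on a thread pool, the vectors are AND-ed, and the surviving rules are combined with deny-overrides. The rules, attribute names and values are constructed, and real XACML has many more match functions and combining algorithms than this shows.

```python
from concurrent.futures import ThreadPoolExecutor
from dataclasses import dataclass
from typing import Dict, List, Mapping, Optional, Sequence, Tuple

# Added example (not the patent's code): a tiny policy store in which every
# rule is one bit position. For each attribute the store keeps a map
# value -> bit vector of rules requiring that value, plus a "wildcard" vector
# of rules that do not constrain the attribute. A request is evaluated by
# looking up each attribute independently (on a thread pool), AND-ing the
# vectors, and combining the surviving rules with deny-overrides.
# Rules, attributes and values are constructed.


@dataclass(frozen=True)
class Rule:
    rule_id: str
    match: Mapping[str, str]   # attribute -> required value (absent = any value)
    effect: str                # "Permit" or "Deny"


class BitVectorPolicyStore:
    def __init__(self, rules: Sequence[Rule]):
        self.rules: List[Rule] = list(rules)
        self.attributes = sorted({a for r in self.rules for a in r.match})
        self.index: Dict[str, Dict[str, int]] = {a: {} for a in self.attributes}
        self.wildcard: Dict[str, int] = {a: 0 for a in self.attributes}
        for pos, rule in enumerate(self.rules):
            bit = 1 << pos
            for attr in self.attributes:
                if attr in rule.match:
                    value = rule.match[attr]
                    self.index[attr][value] = self.index[attr].get(value, 0) | bit
                else:
                    self.wildcard[attr] |= bit

    def _search(self, attr: str, value: Optional[str]) -> int:
        """One independent search: the rules that accept `value` for `attr`."""
        vector = self.wildcard[attr]
        if value is not None:
            vector |= self.index[attr].get(value, 0)
        return vector   # a rule needing an attribute the request lacks drops out here

    def evaluate(self, request: Mapping[str, str]) -> Tuple[str, List[str]]:
        """Returns (decision, applicable rule ids) under deny-overrides."""
        with ThreadPoolExecutor(max_workers=max(1, len(self.attributes))) as pool:
            vectors = list(pool.map(lambda a: self._search(a, request.get(a)), self.attributes))
        applicable = (1 << len(self.rules)) - 1
        for v in vectors:
            applicable &= v
        hits = [r for pos, r in enumerate(self.rules) if applicable >> pos & 1]
        ids = [r.rule_id for r in hits]
        if any(r.effect == "Deny" for r in hits):
            return "Deny", ids
        if hits:
            return "Permit", ids
        return "NotApplicable", ids


def demo_store() -> BitVectorPolicyStore:
    """Constructed policy: admins may act, except during maintenance; public resources are open."""
    return BitVectorPolicyStore([
        Rule("admins-permit", {"role": "admin"}, "Permit"),
        Rule("maintenance-deny", {"role": "admin", "env": "maintenance"}, "Deny"),
        Rule("public-permit", {"resource": "public"}, "Permit"),
    ])
```

Because the searches touch only read-only indexes, they can run in parallel without locking; the combination step is a single AND over machine words, so evaluation cost grows with the number of attributes rather than the number of rules.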
20090293099 | INSIGHT DISTRIBUTION - The present invention relates to using authorization information provided by an asserting agent to control insight-related interactions between a receiving agent and an insight agent. The insight may be information that relates to an entity with whom or a device with which the asserting agent is associated. Such insight is generally referred to as insight of the asserting agent. An insight source maintains the insight of the asserting agent, and the insight agent provides controlled access to the insight by the receiving agent through the insight-related interactions. For others to gain access to at least certain of the asserting agent's insight, the asserting agent must authorize the insight agent to provide the asserting agent's insight to the receiving agent. Upon obtaining the proper authorization, the insight agent will interact with the receiving agent and distribute the asserting agent's insight to the receiving agent. | 11-26-2009 |
20090293100 | APPARATUS AND METHOD FOR CHECKING PC SECURITY - Provided are an apparatus and method for checking Personal Computer (PC) security. The apparatus includes a check module for checking a security configuration of a PC on the basis of a check policy received from a security check server and outputting check results, and a control module for changing the security configuration of the PC on the basis of a control policy received from the security check server and the check results received from the check module. According to the apparatus, a security check agent installed in each PC performs security check and changes a security configuration according to a control policy, such that the security configurations of PCs in a network can be managed collectively. | 11-26-2009 |
20090293101 | INTEROPERABLE RIGHTS MANAGEMENT - Techniques for interoperable rights management are provided. Content is packaged with declarations defining access rights. The packaged content is delivered to a target resource in accordance with a distribution policy. When the content is accessed the access rights are enforced against the target resource within the target environment in accordance with a local access policy. | 11-26-2009 |
20090300704 | Presentity Rules for Location Authorization in a Communication System - A server, computer readable medium and method for accessing data related to a first user connected to a communication network that includes a server, the data being accessed by a second user connected to the communication network. The method includes receiving at the server instructions from the first user for generating authentication privileges for the second user to access the data of the first user, wherein the data includes at least one of location data related to a physical location of the first user, and presence data related to an availability of the first user to communicate with the second user; applying a single set of authentication rules to generate the authentication privileges for the second user for both the location data and the presence data; and storing the generated authentication privileges of the second user. | 12-03-2009 |
20090300705 | Generating Document Processing Workflows Configured to Route Documents Based on Document Conceptual Understanding - Embodiments of the invention may be used to improve enforcement and compliance with publishing rules in an automated and provable manner. Prior to publication, documents may be processed using publishing rules (workflows) based on conceptual analysis of document content. Additionally, embodiments of the invention include a content creation system configured to provide prompt feedback on content coverage. Such a system enables the creator of information to better understand what approval requirements apply to content they create and intend to publish, as the content is being created. | 12-03-2009 |
20090300706 | CENTRALLY ACCESSIBLE POLICY REPOSITORY - The present invention extends to methods, systems, and computer program products for a centrally accessible policy repository. Protection policies for protecting resources within an organization are stored at a central policy repository. Thus, an administrator can centrally create, maintain, and manage resource protection polices for all of the organizational units within an organization. Accordingly, resources consumed when performing these protection policy related operations is significantly reduced. Additionally, since protection policies are centrally located, there is increased likelihood of being able to consistently apply an organization's protection policies within different organizational units, even when protection policies change. | 12-03-2009 |
20090300707 | Method of Optimizing Policy Conformance Check for a Device with a Large Set of Posture Attribute Combinations - A method, apparatus, and electronic device for conforming integrity of a client device | 12-03-2009 |
20090300708 | Method for Improving Comprehension of Information in a Security Enhanced Environment by Representing the Information in Audio Form - In a software environment wherein one or more subjects respectively seek to access one or more objects, and wherein a security policy having rules is associated with the environment, a method is provided for use in connection with an effort by a particular subject to access a particular object. The method comprises identifying a domain to which the particular subject belongs, and identifying a type that includes or characterizes the particular object. One or more rules of the security policy are then used to decide whether or not to permit the particular subject to access the particular object. The method further comprises providing one or more distinct audible sounds for a user associated with the particular subject, wherein each audible sound represents specified information pertaining to the decision of whether or not to permit access to the particular object. | 12-03-2009 |
20090300709 | AUTOMATED CORRECTION AND REPORTING FOR DYNAMIC WEB APPLICATIONS - Changes to dynamic web content are monitored for compliance with web content compliance rules. A noncompliant element associated with a change to the dynamic web content is identified based upon the web content compliance rules. Automated correction of the noncompliant element is performed based upon the web content compliance rules. The noncompliant element is reported to a server associated with the change to the dynamic web content. | 12-03-2009 |
20090300710 | UNIVERSAL SERIAL BUS (USB) STORAGE DEVICE AND ACCESS CONTROL METHOD THEREOF - The invention provides a USB storage device and an access control method thereof. An access control module is provided on the USB storage device. The storage space is divided into at least one data storage entity. Each user's access right to each data storage entity is set and stored in the USB storage device as an access control list. The process between the USB storage device's being connected with a USB host and its being disconnected from the USB host is one session. When a session is established, the user provides authentication information for the USB device to authenticate him/her, and saves the user information used in the current session. In the current session, when the host of the user issues an access request for the data storage entity on the USB storage device, the access control module queries the access right list based on the user information in the current session to determine whether the user has an access right to the requested data storage entity. When the user does not have the access right to the data storage entity, the access control module denies the user's access request for the data storage entity. | 12-03-2009 |
20090300711 | ACCESS CONTROL POLICY COMPLIANCE CHECK PROCESS - A storage medium on which is recorded a program for causing an information processing device. The program executes an access right management information obtainment process for obtaining access right management information, a violation detection process for obtaining a policy from a policy storing unit for storing the policy set for the resource or the access to the resource, for checking whether or not the access right management information complies with the policy, and for detecting access right management information, and a policy compliance level calculation process for calculating a risk score in accordance with a degree of risk of the violation, and for calculating a level of compliance with the policy. | 12-03-2009 |
20090300712 | System and method for dynamically enforcing security policies on electronic files - A system and method for dynamically enforcing security policies on electronic files when a file is used. The system and method preferably delegate to the file the ability to protect itself. The file automatically identifies its confidential information and applies the security policies to it when needed. | 12-03-2009 |
20090300713 | ACCESS CONTROL SYSTEM, ACCESS CONTROL METHOD, ELECTRONIC DEVICE AND CONTROL PROGRAM - Provided is an access control system for controlling access on a task basis without modifying the device side to be accessed and without applying a task ID at each access to a device. | 12-03-2009 |
20090300714 | PRIVACY ENGINE AND METHOD OF USE IN A USER-CENTRIC IDENTITY MANAGEMENT SYSTEM - A privacy enforcement engine conducts a process that evaluates user privacy preferences against the privacy policy of a service provider. The engine works in conjunction with an identity selector. The identity selector filters user identity information cards to determine which ones satisfy the requirements of a security policy. The engine identifies privacy preferences that are relevant to the user identity information specified by the successfully filtered cards. The engine evaluates these privacy preferences against the privacy policy, to provide its own filtering operation relative to the exercise of privacy controls. The cards that pass the filtering operation conducted by the engine are deemed available for disclosure. | 12-03-2009 |
20090300715 | USER-DIRECTED PRIVACY CONTROL IN A USER-CENTRIC IDENTITY MANAGEMENT SYSTEM - An identity management system incorporates privacy management processes that enable the user to exercise privacy controls over the disclosure of user identity information within the context of an authentication process. A combination includes an identity selector, a privacy engine, and a ruleset. The identity selector directs the release of a user identity in the form of a security token to satisfy the requirements dictated by a security policy. Prior to release of the user identity, the engine conducts a privacy enforcement process that examines the privacy policy of the service provider and determines if it is acceptable. The engine evaluates a ruleset against the privacy policy. A preference editor enables the user to construct, in advance, the ruleset, which embodies the user's privacy preferences regarding the disclosure of identity information. Based on the evaluation results, the user can either approve or disapprove the privacy policy, and so decide whether to proceed with disclosure of the user identity. | 12-03-2009 |
20090300716 | USER AGENT TO EXERCISE PRIVACY CONTROL MANAGEMENT IN A USER-CENTRIC IDENTITY MANAGEMENT SYSTEM - A client-side user agent operates in conjunction with an identity selector to institute and exercise privacy control management over user identities managed by the identity selector. The user agent includes the combination of a privacy enforcement engine, a storage of rulesets expressing user privacy preferences, and a preference editor. The editor enables the user to direct the composition of privacy preferences relative to user identities. The preferences can be applied to individual cards and to categorized groups of attributes. The engine evaluates the proper rulesets against the privacy policy of a service provider. The privacy preferences used by the engine are determined on the basis of specifications in a security policy indicating the attribute requirements for claims that purport to satisfy the security policy. | 12-03-2009 |
20090307742 | Indexing of Security Policies - In one embodiment, a computer implemented method for indexing security policies is provided. The computer implemented method determines a policy vocabulary to form a set of policy elements, and creates an index from the set of policy elements. The computer implemented method further receives a request to form requested policy elements, locates requested policy elements in the index to form a set of returned policy elements, and identifies a rule for use with the returned policy elements. | 12-10-2009 |
20090307743 | METHOD TO AUTOMATICALLY MAP BUSINESS FUNCTION LEVEL POLICIES TO IT MANAGEMENT POLICIES - A method, system, computer program product, and computer program storage device for transforming a high-level policy associated with a high layer to a low-level policy associated with a low layer. Mapping between high-level objects in a high layer and low-level objects in a low layer is derived by an automated discovery tool. The high-level policy is mapped to the low-level policy according to the mapping (e.g., by substituting the high-level objects with the low-level objects and by performing a syntax transformation). In one embodiment, a low-level policy is transformed to a high-level policy according to the mapping. As exemplary embodiments, policy transformations in traffic shaping and data retention are disclosed. | 12-10-2009 |
20090307744 | AUTOMATING TRUST ESTABLISHMENT AND TRUST MANAGEMENT FOR IDENTITY FEDERATION - A federated identity verification system includes an identity provider that provides security tokens ultimately to one or more relying parties for access by the client to services at a relying party. Specifically, the relying party can validate the security token from an identity provider (whether directly or via a client) when verifying that the received security token conforms to security configuration data previously exchanged with the identity provider. To establish the trust relationship, the identity provider and one or more relying parties exchange security configuration information through an agreed-to communication channel. The security configuration information indicates the settings that the other party needs to use for establishing, maintaining, and/or monitoring the trust relationship. The communication channel allows both parties to flexibly and continually synchronize changes to security configurations, and thus maintain, change, or end the trust relationship automatically, as desired. | 12-10-2009 |
20090307745 | DOCUMENT MANAGEMENT APPARATUS, POLICY SERVER, METHOD FOR MANAGING DOCUMENT, METHOD FOR CONTROLLING POLICY SERVER, AND COMPUTER-READABLE RECORDING MEDIUM - A document management apparatus is included in a document management system having a policy server which issues a policy corresponding to a right to access a document. The document management apparatus has an access-right description determination unit configured to collate first data input in the document with an access-right description defined in accordance with second data input in the document in advance, and determine the access-right description for the document in which the first data is input in accordance with a result of the collation, a requesting unit configured to request the policy server to issue the policy in accordance with the access-right description determined using the access-right description determination unit, and an applying unit configured to apply the policy issued by the policy server to the document in which the first data is input. | 12-10-2009 |
20090307746 | METHOD, SYSTEM AND DEVICE FOR IMPLEMENTING SECURITY CONTROL - A method, system and device for implementing security control are provided. The method for implementing security control includes: receiving, by the Policy and Charging Enforcement Function (PCEF) entity, security control policy information from the Policy Control and Charging Rules Function (PCRF) entity; and executing, by the PCEF entity, user security control according to the security control policy information. The provided method, system, and device may provide security control for the user session in the Policy Charging Control (PCC) architecture. | 12-10-2009 |
20090307747 | System To Establish Trust Between Policy Systems And Users - A system and method are provided to establish trust between a user and a policy system that generates recommended actions in accordance with specified policies. Trust is introduced into the policy-based system by assigning a value to each execution of each policy with respect to the policy-based system, called the instantaneous trust index. The instantaneous trust indices for each one of the policies, for each execution of a given policy, or for both are combined into the overall trust index for a given policy or for a given policy-based system. The recommended actions are processed in accordance with the level of trust associated with a given policy as expressed by the trust indices. Manual user input is provided to monitor or change the recommended actions. In addition, reinforcement learning algorithms are used to further enhance the level of trust between the user and the policy-based system. | 12-10-2009 |
20090320088 | Access enforcer - A computer-driven resource manager ( | 12-24-2009 |
20090320089 | POLICY-BASED USER BROKERED AUTHORIZATION - A User Brokered Authorization (UBA) mechanism for policy decisions in a computing device is provided. The authorization mechanism interacts with an authorization layer of the computing device's operating system and enables a determination of whether an authorization decision can be made programmatically or by end user decision based on generalized device policy. | 12-24-2009 |
20090320090 | DEPLOYING PRIVACY POLICY IN A NETWORK ENVIRONMENT - An authoring application enables an administrative user to generate, validate, and deploy one or more privacy notices and legal notices in web pages that may be retrieved by a client user via a web browser. Two or more of the privacy notices generated by the authoring application may be deployed in a web page, and may be selectively presented to the client user via the web browser in accordance with the notification setting selected at the web browser. Two or more of the legal notices generated by the authoring application may be deployed in the web page or in a second web page. The legal notices may be selectively presented to the client user via the web browser in accordance with the notification setting. | 12-24-2009 |
20090320091 | PRESENTING PRIVACY POLICY IN A NETWORK ENVIRONMENT RESPONSIVE TO USER PREFERENCE - An approach for presenting a web page to a client user via a web browser. As one example, a user preference specifying a notification setting may be received from the client user at the web browser. The notification setting may cause the web browser, upon retrieving a web page, to present one or more of a privacy notice or a legal notice to the client user. The particular way in which the privacy notice and the legal notice are presented to the client user may be varied based on the notification setting specified by the user preference. | 12-24-2009 |
20090320092 | USER INTERFACE FOR MANAGING ACCESS TO A HEALTH-RECORD - A server system for regulating access to a health record of an individual includes a communications subsystem, a logic subsystem operatively coupled to the communications subsystem and configured to execute instructions, memory operatively coupled to the logic subsystem and holding user-interface instructions that, when executed by the logic subsystem, send information via the communications subsystem for presenting a user interface. In this embodiment, the user interface includes a list of one or more items in the health record to which an application has requested access, and for each of the one or more items, a configuration-indicating element distinguishing whether the application is configured to service the individual if access to that item is denied. The user interface further includes for each of the one or more items, one or more presettable selection elements enabling a marshal of the health record to authorize or withhold access to that item. | 12-24-2009 |
20090320093 | HOLISTIC XACML AND OBLIGATION CODE AUTOMATICALLY GENERATED FROM ONTOLOGICALLY DEFINED RULE SET - Computer-based systems and methods for automatically generating both XACML rules and processed-based obligation code using a common ontologically defined ruleset. | 12-24-2009 |
20090320094 | System and Method for Implementing a Publication - Systems and methods are provided that allow for publication delegation through the use of publication authorization rules, where a presentity can allow another entity, e.g., a publisher, to publish presence information associated with the presentity on behalf of the presentity. Additionally, the ability is provided for, e.g., a service provider, to restrict presence information that a presentity is allowed to publish. Hence, publication delegation can be effectuated in cases when a rule matches users (with identities) other than the presentity whose presence information is to be published. Moreover, service provider restriction on the allowed presence information can also be provided in those cases when a rule matches the identity of the presentity. | 12-24-2009 |
20090328129 | Customizing Policies for Process Privilege Inheritance - An approach is provided that uses policies to determine which parental privileges are inherited by the parent's child processes. A parent software process initializes a child software process, such as by executing the child process. The parent process is associated with a first set of privileges. The inheritance policies are retrieved that correspond to the parent process. A second set of privileges is identified based on the retrieved inheritance policies, and this second set of privileges is applied to the child software process. | 12-31-2009 |
20090328130 | POLICY-BASED SECURE INFORMATION DISCLOSURE - Systems and methods for storing data on and retrieving data from a smart storage device are provided, where smart storage includes processing capabilities along with the ability to store information. In one aspect, a method includes detecting via bidirectional settings one or more capabilities of rules enforcement logic associated with a storage device and selecting a set of criteria and policies that are to be downloaded from a host or a management server onto the storage device. This includes dynamically generating conditional context-aware policy syntax based on user settings or network policy and downloading a set of policies onto the storage device for future policy enforcement. | 12-31-2009 |
20090328131 | MECHANISMS TO SECURE DATA ON HARD RESET OF DEVICE - Mechanisms to secure data on a hard reset of a device are provided. A hard reset request is detected on a handheld device. Before the hard reset is permitted to proceed, an additional security compliance check is made. Assuming the additional security compliance check is successful, and before the hard reset is processed, the data of the handheld device is backed up to a configurable location. | 12-31-2009 |
20090328132 | DYNAMIC ENTITLEMENT MANAGER - Embodiments of the invention relate to systems, methods, and computer program products for monitoring and/or controlling access to entitlements. For example, in one embodiment a computer program product is configured to periodically examine the members of a particular community in an organization and automatically identify members in the community that have access to software applications, datasets, or other organizational resources that are uncommon in the community, which may indicate that the member should not have access to such resources. The computer program product of embodiments of the invention is also configured to automatically and periodically determine the resources that members of the same community should all probably have access to. As such, embodiments of the present invention allow an organization to more efficiently monitor and control access to its resources and other entitlements. | 12-31-2009 |
20090328133 | CAPABILITY MANAGEMENT FOR NETWORK ELEMENTS - A method, information processing system, and system manage network entities. At least a portion of at least one information model ( | 12-31-2009 |
20090328134 | LICENSING PROTECTED CONTENT TO APPLICATION SETS - The present invention extends to methods, systems, and computer program products for licensing protected content to application sets. Embodiments of the invention permit a local machine to increase its participation in authorizing access to protected content. For example, an operating system within an appropriate computing environment is permitted to determine if an application is authorized to access protected content. Thus, the application is relieved from having to store a publishing license. Further, authorization decisions are partially distributed, easing the resource burden on a protection server. Accordingly, embodiments of the invention can facilitate more robust and efficient authorization decisions when access to protected content is requested. | 12-31-2009 |
20090328135 | Method, Apparatus, and Computer Program Product for Privacy Management - An apparatus for privacy management may include a processor. The processor may be configured to access one or more privacy options. In this regard, each privacy option may be configured to provide members of one or more groups access to content. The processor may also be configured to provide for selection of a privacy option in association with the content. Associated methods and computer program products may also be provided. | 12-31-2009 |
20090328136 | TECHNIQUES FOR ROUTING PRIVACY SENSITIVE INFORMATION TO AN OUTPUT DEVICE - Various embodiments are directed to a privacy routing engine embodied on a device and a method for routing actuations to preserve a user's privacy. The privacy routing engine may receive actuations intended for a user, and may route the actuation to an output device according to a set of user output policies. The user output policies may specify output devices according to a user's context and need for privacy. A user context may include a location, an event, or a sensed condition. Other embodiments are described and claimed. | 12-31-2009 |
20090328137 | METHOD FOR PROTECTING DATA IN MASHUP WEBSITES - A method for protecting a mashup webpage is disclosed. The mashup webpage includes a plurality of mini-applications. The method includes intercepting a content access event by a first mini-application of the plurality of mini-applications, the content access event requesting access to content of a second mini-application of the plurality of mini-applications. The method also includes ascertaining, using a Document Object Model (DOM) access control policy and a DOM model, whether the content access event is permissible. The method additionally includes denying or permitting access by the first mini-application to the content of the second mini-application according to whether the content access event is deemed impermissible or permissible under the DOM access control policy. | 12-31-2009 |
20090328138 | SYSTEM FOR CONTROLLING ACCESS TO HOSPITAL INFORMATION AND METHOD FOR CONTROLLING THE SAME - A method and system for implementing activity-oriented access control (AOAC) to hospital information is disclosed. An access request device sends user credentials attaching user attributes to an AOAC server, which in turn searches activity rules that are assigned to user attributes from an activity server and a current work situation of the user from an activity recognition server. The AOAC server transmits an access request list corresponding to the activity rules and the current work situation of the user to the access request device so that it can select a desired access request among the list. | 12-31-2009 |
20100005504 | METHOD OF AUTOMATING AND PERSONALIZING SYSTEMS TO SATISFY SECURITY REQUIREMENTS IN AN END-TO-END SERVICE LANDSCAPE - A computer-implemented method of enabling security in network resources provisioned as part of a service landscape instance is provided. The method includes initiating an orchestration process for creating a landscape service instance to provide services to a service subscriber over a data communications network. The method further includes deriving from the orchestration process at least one parameter, and generating at least one security configuration profile based upon the at least one parameter for at least one system of the landscape service instance. | 01-07-2010 |
20100005505 | METHOD OF DYNAMICALLY UPDATING NETWORK SECURITY POLICY RULES WHEN NEW NETWORK RESOURCES ARE PROVISIONED IN A SERVICE LANDSCAPE - A computer-implemented method is provided for updating network security policy rules when network resources are provisioned in a service landscape instance. The method includes categorizing network resources in a service landscape instance based on a service landscape model. The method further includes responding to the provisioning of a network resource by automatically generating one or more security policy rules for a newly-provisioned network resource. Additionally, the method includes updating security policy rules of pre-existing network resources in the service landscape instance that are determined to be eligible to communicate with the newly-provisioned network resource so as to include the newly-provisioned network resource as a remote resource based on the service landscape model. | 01-07-2010 |
20100005506 | DYNAMIC ADDRESS ASSIGNMENT FOR ACCESS CONTROL ON DHCP NETWORKS - Systems and methods of managing security on a computer network are disclosed. The computer network includes a restricted subnet and a less-restricted subnet. Access to the restricted subnet is controlled by a network filter, optionally inserted as a software shim on a DHCP server. In some embodiments, the network filter is configured to manipulate relay IP addresses to control whether the DHCP server provides, in a DHCPOFFER packet, an IP address that can be used to access the restricted subnet. In some embodiments, configuration information is communicated between the DHCP server and the network filter via DHCPOFFER packets. | 01-07-2010 |
20100011408 | Implementing Organization-Specific Policy During Establishment of an Autonomous Connection Between Computer Resources - Implementing an organization-specific policy during establishment of an autonomous connection between computer resources includes evaluating a relative priority between default credentials and alternative credentials, and using the highest-priority credentials to establish a connection between the computer resources. The alternative credentials are based on organization-specific policy and provide for autonomous connections between computer resources differently than the default credentials. | 01-14-2010 |
20100011409 | NON-INTERACTIVE INFORMATION CARD TOKEN GENERATION - Systems and methods for automatic, non-interactive generation of information card tokens are provided. An apparatus can include a receiver, a transmitter, and an information card token generator, wherein the information card token generator is operable to generate an information card token in response to an information card token request received from a relying party site, the information card security token being based at least in part on a user-defined policy. | 01-14-2010 |
20100011410 | SYSTEM AND METHOD FOR DATA MINING AND SECURITY POLICY MANAGEMENT - A system and method to generate and maintain controlled growth DAG are described. The controlled growth DAG conveys information about objects captured by a capture system. | 01-14-2010 |
20100011411 | Policy-Based Usage of Computing Assets - Policy is defined for usage of computing assets (including remote, or external, assets) in a computing environment. The policy may identify the assets by (for example) asset name, asset type, asset version, location in a repository, or some combination thereof. Policy definitions for remote assets are provided in a consistent manner. Policy for particular assets (for example) may vary from one role to another. Policy definitions are preferably used when initializing a computing environment, and also when subsequently importing an asset into that computing environment. The disclosed techniques may also, or alternatively, be used to ensure that a secure computing environment is created whereby only hardware and/or software in a policy can be installed into the computing environment. | 01-14-2010 |
20100011412 | METHOD FOR MANAGING CRYPTOGRAPHIC EQUIPMENT WITH A UNIFIED ADMINISTRATION - A unified and universal management system for one or more items of cryptographic equipment, comprising a federating portal that is adapted to allow a user to access services, one or more interfaces for the interchange of information between the management system and equipment outside the system, one or more modules having one or more sub-modules or technological bricks suitable to carry out a unified and universal management method. | 01-14-2010 |
20100017843 | Scenario Based Security - A security management system uses several security scenarios that have rules defining the configuration of system and security components in order to meet a specific security scenario. The rules may include an evaluation of multiple components to give a summary statistic or evaluation, as well as rules that may be used to configure the various components to achieve a desired level of security. A management console may aggregate multiple security scenarios together for administration. | 01-21-2010 |
20100017844 | ASSOCIATING A UNIQUE IDENTIFIER AND A HIERARCHY CODE WITH A RECORD - A method and system for creating a record and associating a unique identifier and a hierarchy code with the record, where the record is created in response to identifying that a transmission violates an institution's policy. The record may also be passed to a reporting module, which may generate a report based on the unique identifier and/or the hierarchy code. Additionally, the record may be passed to a remediation agent for handling. The remediation agent may also update the record based on actions taken by the remediation agent or updates identified by the remediation agent. | 01-21-2010 |
20100017845 | DIFFERENTIATED AUTHENTICATION FOR COMPARTMENTALIZED COMPUTING RESOURCES - Embodiments for providing differentiated authentication for accessing groups of compartmentalized computing resources, and for accessing each compartmentalized computing resource, as displayed on a desktop environment of an operating system. In one embodiment, a method includes organizing one or more computing resources accessible in a desktop environment into a group. The one or more computing resources include data content, an application, a network portal, and a device. The method also includes providing an authentication policy for actions that can be performed on each computing resource. The authentication policy is configured to associate an authentication input with each action for a particular computing resource. The method further includes receiving an authentication input when the user intends one of the actions on the particular computing resource. The method additionally includes allowing the user to perform the intended action on the particular computing resource when the received authentication input enables the intended action. | 01-21-2010 |
20100017846 | SERVICE PROCESSING METHOD AND SYSTEM, AND POLICY CONTROL AND CHARGING RULES FUNCTION - A service processing method, a service processing system, and a PCRF entity are disclosed to overcome this defect in the prior art: The prior art is unable to handle services discriminatively according to the policy context information when different services require the same QoS level. The method includes: receiving bearer priority information from a PCRF entity, where the bearer priority information includes: bearer priority information of a service data stream, bearer priority information of an IP-CAN session, and/or bearer priority information of an IP-CAN bearer; and handling services according to the bearer priority information. In the embodiments of the present invention, the policy context information is converted into bearer priority information so that the PCEF handles services according to the bearer priority information. In this way, different services that require the same QoS level are handled discriminatively according to the policy context information. | 01-21-2010 |
20100017847 | Wireless Connection Setting Program - A computer program product includes computer readable instructions that cause a computer to execute a wireless connection setting process. The computer includes a communication interface configured to communicate with at least one device. The wireless connection setting process includes recognizing a state of the at least one device through the communication interface, displaying an input screen image sequentially for each of at least one setting item of wireless connection settings, configuring the wireless connection settings for the at least one device based upon the input, and controlling whether to display the input screen image by judging whether the input is required to be received for each of the at least one setting item based upon the state of the recognized at least one device. Said configuring includes determining the setting item for which the input is not judged required to be received. | 01-21-2010 |
20100023995 | Methods and Apparatus for Securing Access to Computer Libraries and Modules, The SecModule Framework - We have shown an efficient, easy-to-use framework which allows retrofitting of existing libraries, as well as the development of new ones, into a secured, session-managed environment. Our framework can be used for policy-level enforcement (i.e. creating enforceable, undeniable rules) for accessing and using arbitrary code, functions and data held inside the library. | 01-28-2010 |
20100023996 | TECHNIQUES FOR IDENTITY AUTHENTICATION OF VIRTUALIZED MACHINES - Techniques for identity authentication of Virtual Machines (VMs) are provided. A VM is authenticated and, once authenticated, each device interfaced to or accessible to the VM is also authenticated. When both the VM and each device are authenticated, the VM is granted access to a machine for installation thereon. | 01-28-2010 |
20100023997 | METHOD OF USING XPATH AND ONTOLOGY ENGINE IN AUTHORIZATION CONTROL OF ASSETS AND RESOURCES - A method of defining access control. The method allows the expression of access control rules using ontology based semantics and references an ontology subset using XPath as the ontological expression. The access control rules or access criteria are defined by an access control statement and may be expressed using classification criteria and ontology classes. The access control statement comprises a structural description that is used to define an asset and a logical expression that may be used to express the classification criteria. The access control statement defines access policy for various assets. | 01-28-2010 |
20100023998 | METHOD, ENTITY AND SYSTEM FOR REALIZING NETWORK ADDRESS TRANSLATION - A method of realizing network address translation (NAT) includes the following steps. An application function (AF) entity receives a message, and determines a signaling direction according to the message. The AF entity carries the signaling direction information in an access authorization request (AAR) message and sends the AAR message to a service-based policy decision function (SPDF) entity. The SPDF entity obtains a corresponding local domain address according to the signaling direction, and sends the obtained address to the AF entity. The AF entity sends the message according to the local domain address. An entity and a system for realizing NAT are also provided. By extending a message exchanged between the AF entity and the SPDF entity and adding a field indicating a signaling direction, the SPDF entity is enabled to distinguish an uplink direction or a downlink direction of the message, for example, from an access side/a local core side to a core side/an opposite core side or from the core side/opposite core side to the access side/local core side, so as to realize NAT control. | 01-28-2010 |
20100023999 | SYSTEM AND METHOD FOR NETWORK ADMINISTRATION AND LOCAL ADMINISTRATION OF PRIVACY PROTECTION CRITERIA - Cookie files are screened in a client machine, wherein a cookie file includes a cookie file source. A request from a subscriber is received at a server to send a list of untrusted cookie file sources to the client machine. The list of untrusted cookie file sources is downloaded from the server to the client machine. The downloaded list of untrusted cookie file sources is used to detect cookie files received at the client machine from cookie file sources on the downloaded list by comparing the cookie file source of any received cookie file to the untrusted cookie file sources on the downloaded list. | 01-28-2010 |
20100031308 | SAFE AND SECURE PROGRAM EXECUTION FRAMEWORK - A system and method is provided here that can make sure that the instruction sets executing on a computer are certified and secure. The system and method further facilitates a generic way to intercept instruction loading process to inspect loaded code segment 1 | 02-04-2010 |
20100031309 | POLICY BASED CONTROL OF MESSAGE DELIVERY - A method of policy-based message delivery in a message delivery system includes supplementing a subscriber handle with supplemental information pertaining to a subscriber of the message delivery system, where the message delivery system includes a set of subscribers; receiving a message for delivery within the message delivery system; comparing a set of policies with the supplemental information based on information contained in the received message; matching the message to a subscriber of the set of subscribers based on the comparison; and dispatching the message to the matched subscriber based on the matching. | 02-04-2010 |
20100031310 | SYSTEM AND METHOD FOR ROAMING PROTECTED CONTENT BACKUP AND DISTRIBUTION - A method includes receiving content and a license to the content at a storage system, receiving a request from a user system for the storage system to send the content and license to the user system, and sending the content and license from the storage system to the user system. Another method includes requesting content and a license to the content, receiving the content and license at a user system, requesting from the user system that the content and license be sent to a storage system, and requesting from the user system that the storage system send the content item to a second user system. In one embodiment, code could be used to perform a method that includes requesting content and a license to the content from a content provider, storing the content and license at a user system and a storage system, and requesting that the storage system send the content to another user system. | 02-04-2010 |
20100031311 | Method of executing virtualized application able to run in virtualized environment - A method of executing a virtualized application able to run in a virtualized environment. The virtualized application includes application software and the virtualized environment. The application software includes a license monitor to search for a software license while monitoring an execution policy set by a software provider when software is installed or executed. The virtualized environment includes an environment monitor to monitor an execution environment provided to the application software by the virtualized environment. Therefore, it is possible to prevent software able to run in a virtualized environment from being freely copied without any limitations by the execution policy provided by the software provider. | 02-04-2010 |
20100037284 | MEANS AND METHOD FOR CONTROLLING NETWORK ACCESS IN INTEGRATED COMMUNICATIONS NETWORKS - The invention provides methods and means for assisting the control of a User Terminal's, UT's, ( | 02-11-2010 |
20100037285 | USER-CRITERIA BASED PRINT JOB SUBMISSION APPROVAL POLICY IN A PRINT SHOP MANAGEMENT SYSTEM - In a print shop management system, a print job submission approval policy is provided to determine whether a print job submission made by a particular user is approved or prohibited. The policy includes multiple policy settings of job restriction criteria enforced at job submission time. The restrictions may be based on job price, certain restricted functions, resource usage, etc. If the job submission is prohibited, a message is displayed to the user but the print job is not submitted to the printer. Each policy setting may be applied to a user based on his user role or user name. Each policy setting is created by an administrator. A user interface for inputting policy setting values is disclosed. | 02-11-2010 |
20100037286 | PRINTER-CRITERIA BASED PRINT JOB SUBMISSION APPROVAL POLICY IN A PRINT SHOP MANAGEMENT SYSTEM - In a print shop management system, a print job submission approval policy is provided to determine whether a print job submission to a target printer is approved or prohibited. The policy includes multiple policy settings of job restriction criteria enforced at job submission time. The restrictions are based on conditions of the target printer, such as PM count, jam count, error count, printer status, levels of available resources, etc. The policy may also restrict certain users' ability to submit print jobs to certain printers. If the job submission is prohibited, a message is displayed to the user but the print job is not submitted to the printer. Each policy setting may be applied to a printer based on printer type or identity. Each policy setting is created by an administrator. A user interface for inputting policy setting values is disclosed. | 02-11-2010 |
20100037287 | METHOD AND APPARATUS FOR PROVIDING ROUTING AND ACCESS CONTROL FILTERS - A method and apparatus for providing an access control filter and/or a route filter in a network are disclosed. For example, the method receives a new filter rule or a modified filter rule associated with at least one of: a routing policy, or a security policy. The method creates or modifies one or more filter templates in accordance with the new filter rule or the modified filter rule. The method identifies one or more affected interfaces and audits the one or more affected interfaces. The method then generates one or more commands in accordance with the one or more filter templates if the auditing of the one or more affected interfaces is successful, and downloads filter content to one or more routers using the one or more commands. | 02-11-2010 |
20100037288 | Inherited Access Authorization to a Social Network - A method for access authorization via inheritance to information of a first registered user on a social network comprises defining authorization criteria for the first registered user; receiving first verification data from a requester, wherein the requester is either a second registered user or a non-registered user; determining whether the first verification data satisfies the authorization criteria; and, in the event the first verification data satisfies the authorization criteria, extending inherited access authorization to the requester if the requester is the non-registered user, and extending inherited access authorization to a contact of the requester if the requester is the second registered user. | 02-11-2010 |
20100037289 | MERGE RULE WIZARD - Various embodiments include a system comprising an interface coupled to a computer network, the interface operable to provide a merge rule wizard operable to generate one or more displayable dialog boxes that include selectable criteria for merging a plurality of sets of security rules into a single security rule base. | 02-11-2010 |
20100037290 | SYSTEM AND METHOD FOR HIERARCHICAL ROLE-BASED ENTITLEMENTS - A system and method for authorization to adaptively control access to a resource, comprising the steps of providing for the mapping of a principal to at least one role, wherein the at least one role is hierarchically related to the resource; providing for the evaluation of a policy based on the at least one role; and providing for the determination of whether to grant the principal access to the resource based on the evaluation of the policy. | 02-11-2010 |
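The evaluation described in the abstract above, as an added example that is not the patent's own method: a principal is mapped to roles, each role assignment is scoped to a node of a resource tree, roles imply junior roles, and the policy node nearest the requested resource decides. The role names, resource paths, assignments and policy entries are all constructed; the choice that the most specific policy node overrides its ancestors is an assumption of this example.

```python
"""Hierarchical role-based entitlements: roles inherit junior roles, role
assignments are scoped to a node of a resource hierarchy, and the most
specific policy node governs a resource. Added illustration; all names are constructed."""

# Senior role -> junior roles it implies (transitively).
ROLE_HIERARCHY = {"admin": ["editor"], "editor": ["viewer"], "viewer": []}

# principal -> [(role, scope)]: the role applies to scope and everything beneath it.
ASSIGNMENTS = {
    "alice": [("admin", "/org/finance")],
    "bob": [("viewer", "/org"), ("editor", "/org/finance/reports")],
}

# resource node -> action -> roles allowed. Deeper nodes override ancestors
# (the ledger is more sensitive than the rest of the org tree).
POLICY = {
    "/org": {"read": {"viewer"}, "write": {"editor"}},
    "/org/finance/ledger": {"read": {"editor"}, "write": {"admin"}},
}


def expand_roles(roles):
    """Close a set of roles under the hierarchy (admin -> {admin, editor, viewer})."""
    expanded, pending = set(), list(roles)
    while pending:
        role = pending.pop()
        if role in expanded:
            continue
        expanded.add(role)
        pending.extend(ROLE_HIERARCHY.get(role, []))
    return expanded


def is_within(resource, scope):
    """True when resource is scope itself or lies beneath it in the tree."""
    return resource == scope or resource.startswith(scope.rstrip("/") + "/")


def parent(path):
    head = path.rsplit("/", 1)[0]
    return head or "/"


def effective_roles(principal, resource):
    """Roles a principal holds at a given resource, including implied junior roles."""
    direct = {role for role, scope in ASSIGNMENTS.get(principal, [])
              if is_within(resource, scope)}
    return expand_roles(direct)


def applicable_rule(resource, action):
    """Walk from the resource up to the root; the first node that speaks to the
    action wins. Returns (node, allowed_roles) or (None, empty set)."""
    node = resource
    while True:
        allowed = POLICY.get(node, {}).get(action)
        if allowed is not None:
            return node, allowed
        if node == "/":
            return None, set()
        node = parent(node)


def authorize(principal, action, resource):
    """Grant when one of the principal's effective roles is allowed by the governing rule."""
    _, allowed = applicable_rule(resource, action)
    return bool(effective_roles(principal, resource) & allowed)


if __name__ == "__main__":
    for who, act, res in [("alice", "write", "/org/finance/ledger/2024"),
                          ("bob", "read", "/org/finance/ledger/2024"),
                          ("bob", "write", "/org/finance/reports/q1"),
                          ("alice", "read", "/org/hr/handbook")]:
        print(who, act, res, "->", "allow" if authorize(who, act, res) else "deny")
```

Two things the decisions show: scope cuts both ways (alice is an admin under /org/finance but holds nothing at all under /org/hr), and the nearest policy node wins (bob's org-wide viewer role reads most of the tree but not the ledger, whose own node demands editor).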
20100037291 | SECURE COMPUTING ENVIRONMENT USING A CLIENT HEARTBEAT TO ADDRESS THEFT AND UNAUTHORIZED ACCESS - Techniques for securing a client. An operating system agent is one or more software modules that execute in an operating system of a client, such as a portable computer. Portions of the operating system agent may monitor resources of the client. The operating system agent sends a message, which describes an operational state of the operating system agent, to a BIOS agent. The BIOS agent is one or more software modules operating in a BIOS of the client. The BIOS agent performs an action based on a policy that is described by policy data stored within the BIOS of the client. The BIOS agent performs the action in response to either (a) the operational state described by the message, or (b) the BIOS agent not receiving the message after an expected period of time. | 02-11-2010 |
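The BIOS-agent logic in the abstract above, simulated as an added example that is not the patent's or any firmware vendor's code: the BIOS side keeps a policy, acts on the state carried in each heartbeat message, and acts again when the message fails to arrive within the expected period. The policy fields, state names, actions and event timeline are constructed; the simulation assumes messages have already been authenticated before they reach the agent.

```python
"""BIOS-side heartbeat watchdog: an OS agent reports its state; the BIOS agent
acts on the reported state or on a missing report. Added illustration; the
policy fields and timeline are constructed, no real firmware is involved."""

# Constructed policy as it might be stored in firmware: heartbeat deadline
# plus the action for each reported state and for a missed heartbeat.
POLICY = {
    "heartbeat_timeout_s": 90,
    "on_state": {
        "healthy": None,
        "tamper_detected": "lock_device",
        "agent_stopping": "alert_admin",
    },
    "on_missed_heartbeat": "lock_device",
}


class BiosAgent:
    def __init__(self, policy, start_time):
        self.policy = policy
        self.last_heartbeat = start_time
        self.timed_out = False  # act once per outage, not on every timer tick

    def receive(self, now, state):
        """Heartbeat message from the OS agent; returns the policy action or None.
        Assumption: the message was authenticated before reaching this point."""
        self.last_heartbeat = now
        self.timed_out = False
        # A state the policy does not know is itself worth an alert.
        return self.policy["on_state"].get(state, "alert_admin")

    def tick(self, now):
        """Timer tick with no message; fires the missed-heartbeat action once per outage."""
        overdue = now - self.last_heartbeat > self.policy["heartbeat_timeout_s"]
        if overdue and not self.timed_out:
            self.timed_out = True
            return self.policy["on_missed_heartbeat"]
        return None


def run_timeline(policy, events):
    """events: [(seconds, state)] where state None is a timer tick without a message.
    Returns the actions taken as [(seconds, action)]."""
    agent = BiosAgent(policy, start_time=events[0][0] if events else 0)
    actions = []
    for now, state in events:
        action = agent.tick(now) if state is None else agent.receive(now, state)
        if action:
            actions.append((now, action))
    return actions


# Constructed timeline: regular heartbeats, then silence (the agent was
# killed or the disk was swapped), then the agent resumes and reports tampering.
SAMPLE_EVENTS = [
    (0, "healthy"), (30, "healthy"), (60, "healthy"),
    (90, None), (120, None), (150, None), (180, None), (210, None),
    (240, "healthy"), (270, "tamper_detected"),
]

if __name__ == "__main__":
    for when, action in run_timeline(POLICY, SAMPLE_EVENTS):
        print(f"t={when:>4}s  {action}")
```

The one-shot `timed_out` flag matters in practice: without it a locked machine would re-trigger the action on every tick, and an action such as wiping keys must not run twice. The timeout also has to be strictly longer than the heartbeat interval plus the agent's worst-case scheduling jitter, or a busy but healthy client will lock itself.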
20100037292 | System and Method for Secure Record Management in a Virtual Space - Systems and methods for using a matching system in a virtual space to facilitate the exchange of protected information and protected content. Subscriber computing devices each operated by a subscriber are associated with a subscriber identifier. Each computing device is connected to the network. In an embodiment, the sharing of protected information and content by one party with another party is regulated through permissions that determine whether a sharing party is authorized to disclose the protected content, whether a potential receiving party is authorized to receive protected content, and whether the protected content meets conditions established by the potential disclosing party for review by the potential reviewing party. Matching instructions may reveal whether a potential recipient is qualified to view the protected information or content and whether the subscriber also possesses any required supplemental information. | 02-11-2010 |
20100043047 | UNAUTHORIZED DATA TRANSFER DETECTION AND PREVENTION - A method includes receiving a policy via a network connection, wherein the policy includes at least one signature; receiving a data communication message from a processor of a computing device via a system bus; identifying a class of the message; and selectively forwarding the data communication message based in part on the received policy and the identified class. | 02-18-2010 |
20100043048 | System, Method, and Apparatus for Modular, String-Sensitive, Access Rights Analysis with Demand-Driven Precision - A static analysis for identification of permission-requirements on stack-inspection authorization systems is provided. The analysis employs functional modularity for improved scalability. To enhance precision, the analysis utilizes program slicing to detect the origin of each parameter passed to a security-sensitive function. Furthermore, since strings are essential when defining permissions, the analysis integrates a sophisticated string analysis that models string computations. | 02-18-2010 |
20100043049 | IDENTITY AND POLICY ENABLED COLLABORATION - Techniques for identity and policy enabled collaboration are provided. Access to assets of an enterprise is governed by identity relationships. A policy defines security restrictions between collaborating network resources based on identities assigned to the network resources. During collaboration, the security restrictions are enforced. | 02-18-2010 |
20100043050 | FEDERATING POLICIES FROM MULTIPLE POLICY PROVIDERS - One aspect of the present invention can include a system, a method, a computer program product and an apparatus for federating policies from multiple policy providers. The aspect can identify a set of distinct policy providers, each maintaining at least one policy related to a service or a resource. A federated policy exchange service can be established that has a policy provider plug-in for each of the distinct policy providers. The federated policy exchange service can receive requests for policies from a set of policy requesters. Each request can include a resource_id or a service_id used to uniquely identify the service or resource. The federated policy exchange service can dynamically connect to a set of the policy providers to determine policies applicable to each request. For each request, results from the policy providers can be received and processed to generate a response. The federated policy exchange service can then return each response to the policy requester that made the corresponding request. | 02-18-2010 |
20100043051 | IDENTIFYING AND RESOLVING SEPARATION OF DUTIES CONFLICTS IN A MULTI-APPLICATION ENVIRONMENT - A method and system for identifying and resolving separation of duties (SOD) conflicts in a multi-application environment. An SOD conflict based on a person being granted a first authorization and a second authorization in violation of a policy is identified. The first and second authorizations are permissions allowing the person to perform, respectively, a first action provided by a first application and a second action provided by a second application. An optimal recommended action that resolves the SOD conflict is retrieved from a first database table that includes an association between the identified SOD conflict and the optimal recommended action. After the optimal recommended action is displayed on a display device, a user's acceptance of the optimal recommended action is received. In response, the optimal recommended action is performed by automatically deleting from a second database table an association between the person and the first or second authorization. | 02-18-2010 |
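The detect, recommend and resolve flow in the abstract above, as an added example that is not the patent's own implementation: a rule table names pairs of authorizations from different applications that one person must not hold together, a second table maps each rule to the authorization whose removal is the recommended fix, and the fix is applied only once the user accepts it. The applications, authorizations, people and rules are constructed; the two "database tables" are plain dictionaries here.

```python
"""Separation-of-duties (SOD) conflict detection and resolution across
applications. Added illustration; rules, authorizations and people are constructed."""

# Authorizations are 'application:action'. Each rule names a pair a single
# person must not hold together.
SOD_RULES = {
    "SOD-001": ("erp:create_vendor", "ap:approve_payment"),
    "SOD-002": ("hr:set_salary", "payroll:run_payroll"),
}

# Constructed stand-in for the first table: conflict -> authorization to delete.
RECOMMENDED_REMOVAL = {
    "SOD-001": "ap:approve_payment",
    "SOD-002": "hr:set_salary",
}

# Constructed stand-in for the second table: person -> authorizations granted.
ASSIGNMENTS = {
    "dana": {"erp:create_vendor", "ap:approve_payment", "erp:view_reports"},
    "eve": {"hr:set_salary"},
    "frank": {"hr:set_salary", "payroll:run_payroll", "erp:create_vendor"},
}


def find_conflicts(assignments, rules):
    """Every (person, rule_id) where the person holds both sides of a rule."""
    conflicts = []
    for person in sorted(assignments):
        held = assignments[person]
        for rule_id, (first, second) in rules.items():
            if first in held and second in held:
                conflicts.append((person, rule_id))
    return conflicts


def recommend(person, rule_id):
    """Recommended action for a conflict: (person, authorization_to_remove)."""
    return person, RECOMMENDED_REMOVAL[rule_id]


def resolve(assignments, person, rule_id, accepted):
    """Apply the recommendation only after the user accepts it; True when applied."""
    if not accepted:
        return False
    _, authorization = recommend(person, rule_id)
    assignments[person].discard(authorization)
    return True


def resolve_all(assignments, rules, accept):
    """Detect, recommend and (on acceptance) resolve each conflict.
    accept(person, authorization) models the user's yes/no; returns what remains."""
    for person, rule_id in find_conflicts(assignments, rules):
        _, authorization = recommend(person, rule_id)
        resolve(assignments, person, rule_id, accept(person, authorization))
    return find_conflicts(assignments, rules)


if __name__ == "__main__":
    working = {p: set(auths) for p, auths in ASSIGNMENTS.items()}
    for person, rule_id in find_conflicts(working, SOD_RULES):
        print(person, rule_id, "-> remove", recommend(person, rule_id)[1])
    print("remaining:", resolve_all(working, SOD_RULES, lambda p, a: True))
```

Re-running detection after the fixes is the check worth keeping: removing one authorization can only shrink a person's set, so the rerun confirms no rule is still violated, and it reports exactly the conflicts a reviewer declined to resolve.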
20100043052 | APPARATUS AND METHOD FOR SECURITY MANAGEMENT OF USER TERMINAL - The present invention relates to an apparatus and method for security management of a user terminal. The present invention generates security policies for the user terminal through an external security management server based on context information for the user terminal. The user terminal receives the generated security policy information and sets its internal security policies accordingly. The present invention can thereby overcome a limitation of the user terminal, since the security policies for the user terminal, particularly a complex terminal, are set by using various interfaces, and can provide systematic and supplemental security services. | 02-18-2010 |
20100043053 | METHOD, SYSTEM, AND ENTITY FOR EXERCISING POLICY CONTROL - A method and a system for exercising policy control, a policy and charging enforcement function (PCEF), and a policy control and charging rules function (PCRF) are provided, which can solve the problem that no policy control can be exercised over application service flows without an application function (AF). The method includes the following steps: a PCRF receives information about an application event sent by a PCEF; and the PCRF generates a control policy for a service flow of the application according to the information about the application event, and delivers the control policy to the PCEF. In the present invention, the PCEF sends the obtained information about the application event to the PCRF, so that even when no AF is involved, the PCRF can still generate a control policy according to policy contexts including the information about the application event and the like, so as to exercise effective policy control over the QoS guarantee, charging and gating of the service flow, thus meeting the requirement of exercising policy control over data applications with no AF involved. | 02-18-2010 |
20100050229 | VALIDATING NETWORK SECURITY POLICY COMPLIANCE - The present invention may provide the ability to determine the actions triggered by a network security policy given a set of conditions. Embodiments of the invention involve testing the security policy at specified times, documenting and analyzing the test results for compliance, recording the results for auditing purposes, writing events to warn of non-compliance findings, and dynamically taking defensive action to prevent security breaches as the result of non-compliance findings. | 02-25-2010 |
20100050230 | Method of inspecting spreadsheet files managed within a spreadsheet risk reconnaissance network - A method of inspecting spreadsheet files managed within a spreadsheet risk reconnaissance network. The method involves a spreadsheet inspector logging on to the network and selecting a spreadsheet inspection from the list of spreadsheet inspections to be performed. In response to the selection, the network automatically generates an inspection worksheet for each policy component which is to be manually inspected by the inspector. The inspection worksheet includes all policy compliance components which require human judgment to assess the degree to which an item passes compliance, as well as general notes to allow for inspection items which are not related to the specific compliance items. Upon receiving the network-generated inspection worksheet, the spreadsheet inspector opens the spreadsheet file to be inspected via a provided hyperlink and applies human judgment in assessing whether or not the spreadsheet file passes each set of criteria established in the spreadsheet policy. For each policy component being assessed, the spreadsheet inspector evaluates the spreadsheet file and gives a passing grade if the spreadsheet file meets the criteria established in the policy component, and a failing grade if it does not. An overall assessment score of passing or failing is given to each spreadsheet file under assessment, based on automated and/or manual assessments. | 02-25-2010 |
20100050231 | Resolving retention policy conflicts - Resolving retention policy conflicts is disclosed. An indication is received that two or more retention policies apply to an item of content. A merged retention policy that is based at least in part on the respective requirements of the two or more retention policies is generated automatically for the item of content. | 02-25-2010 |
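The automatic merge in the abstract above, as an added example that is not the patent's own algorithm: each policy contributes a minimum retention, an optional disposal deadline and a legal-hold flag, and the merged policy takes the strictest of each. The policy names and periods are constructed; the handling of an outright contradiction (a minimum retention longer than another policy's disposal deadline, which is reported rather than silently resolved) and the rule that a hold suspends the deadline are assumptions of this example.

```python
"""Merging the retention policies that apply to one content item into a
single policy. Added illustration; the policies are constructed."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class RetentionPolicy:
    name: str
    keep_at_least_days: int = 0                       # must not be disposed of before this
    delete_no_later_than_days: Optional[int] = None  # must be disposed of by this
    legal_hold: bool = False                          # suspends disposal entirely


def merge_policies(policies):
    """Strictest-requirement merge: longest minimum retention, earliest disposal
    deadline, any hold. A minimum that outlasts a deadline is flagged as
    unsatisfiable instead of picking a side; an active hold suspends the deadline."""
    keep = max((p.keep_at_least_days for p in policies), default=0)
    deadlines = [p.delete_no_later_than_days for p in policies
                 if p.delete_no_later_than_days is not None]
    delete_by = min(deadlines) if deadlines else None
    holds = [p.name for p in policies if p.legal_hold]
    return {
        "keep_at_least_days": keep,
        "delete_no_later_than_days": None if holds else delete_by,
        "legal_hold": bool(holds),
        "disposal_suspended_by": holds,
        "unsatisfiable": not holds and delete_by is not None and keep > delete_by,
        "sources": [p.name for p in policies],
    }


# Constructed policies that might all apply to one document.
FINANCE = RetentionPolicy("finance-records", keep_at_least_days=2555)      # ~7 years
PII = RetentionPolicy("pii-minimisation", delete_no_later_than_days=365)
MARKETING = RetentionPolicy("marketing-logs", keep_at_least_days=30,
                            delete_no_later_than_days=180)
HOLD = RetentionPolicy("litigation-hold", legal_hold=True)

if __name__ == "__main__":
    for combo in ([MARKETING, PII], [FINANCE, PII], [FINANCE, PII, HOLD]):
        print([p.name for p in combo], "->", merge_policies(combo))
```

The unsatisfiable flag is the caveat a practitioner wants: a records-retention minimum and a data-minimisation deadline can both be mandatory, and an automatic merge that quietly kept the longer period would violate the shorter one without anybody noticing.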
20100050232 | SYSTEMS AND METHODS FOR MANAGING POLICIES ON A COMPUTER - An apparatus, system, and method are disclosed for managing policies on a computer having a foreign operating system. Policies may specify hardware or software configuration information. Policies on a first computer with a native operating system are translated into configuration information usable on a second computer having a foreign operating system. In an embodiment, a translator manager manages the association between the policy on the first computer and the translator on the second computer. Computer management complexity and information technology management costs are reduced by centralizing computer management on the native operating system. Further reductions in management complexity are realized when the present invention is used in conjunction with network directory services. | 02-25-2010 |
20100058431 | Agentless Enforcement of Application Management through Virtualized Block I/O Redirection - Application authorization management is provided without installation of an agent at an operating system level. A component runs outside of the operating system, in an AMT environment. AMT is utilized to examine the operating system for applications. Identified applications are checked against a whitelist or a blacklist. Responsive to determining that an identified application is not authorized, AMT is used to redirect input/output requests targeting the application to an alternative image, which can, for example, warn the user that the application is not authorized. | 03-04-2010 |
20100058432 | PROTECTING A VIRTUAL GUEST MACHINE FROM ATTACKS BY AN INFECTED HOST - In a virtualization environment, a host machine on which a guest machine is operable is monitored to determine that it is healthy by being compliant with applicable policies (such as being up to date with the current security patches, running an anti-virus program, certified to run a guest machine, etc.) and free from malicious software or “malware” that could potentially disrupt or compromise the security of the guest machine. If the host machine is found to be non-compliant, then the guest machine is prevented from either booting up on the host machine or connecting to a network to ensure that the entire virtualization environment is compliant and that the guest machine, including its data and applications, etc., is protected against attacks that may be launched against it via malicious code that runs on the unhealthy host machine, or is isolated from the network until the non-compliancy is remediated. | 03-04-2010 |
20100058433 | MODULAR DATA SYNCHRONIZATION METHOD - In one embodiment, policies and sources may be used to synchronize data. Sources, which contain knowledge about files and metadata, can pass events to policies when changes in data are detected. The policies may then manage the data synchronization with other sources. The sources are agnostic as to how the data is synchronized between sources. Also, the policies are agnostic of the data that is being managed by sources. Accordingly, a modular infrastructure is provided that allows sources and policies to be configured to interact modularly. | 03-04-2010 |
20100058434 | HIERARCHICAL ACCESS CONTROL ADMINISTRATION PREVIEW - Embodiments of the present invention provide a method, system and computer program product for hierarchical access control administration preview of access control rights for hierarchically organized content. In an embodiment of the invention, a method for rendering a hierarchical access control administration preview of access control rights for hierarchically organized content can be provided. The method can include rendering a view of hierarchically organized content in connection with corresponding access rights and proposing explicitly assigned access rights for selected content in the hierarchically organized content. The method also can include re-rendering the view to reflect both the proposed explicitly assigned access rights for the selected content and also implicitly resulting assigned access rights for the children of the selected content. | 03-04-2010 |
20100058435 | SYSTEM AND METHOD FOR VIRTUAL INFORMATION CARDS - A client includes a card selector, and receives a security policy from a relying party. If the client does not have an information card that can satisfy the security policy, the client can define a virtual information card, either from the security policy or by augmenting an existing information card. The client can also use a local security policy that controls how and when a virtual information card is defined. The virtual information card can then be used to generate a security token to satisfy the security policy. | 03-04-2010 |
20100058436 | SERVICE LEVEL NETWORK QUALITY OF SERVICE POLICY ENFORCEMENT - Embodiments of the invention provide systems and methods for providing service level, policy-based QoS enforcement on a network or networks. According to one embodiment, a system can comprise at least one communications network, a first endpoint communicatively coupled with the communications network, a second endpoint communicatively coupled with the communications network, and a network monitor that can monitor traffic on the communications network between the first endpoint and the second endpoint. A policy enforcer can be communicatively coupled with the network monitor. The policy enforcer can apply one or more policies based on the traffic between the first endpoint and the second endpoint. The one or more policies can define a Quality of Service (QoS) for the traffic between the first endpoint and the second endpoint, and the policy enforcer can apply the policies to affect the traffic between the endpoints so as to maintain the QoS defined by the one or more policies. | 03-04-2010 |
20100064340 | SYSTEMS AND METHODS FOR CONTROLLING ACCESS TO DATA THROUGH APPLICATION VIRTUALIZATION LAYERS - A computer-implemented method for controlling access to data is disclosed. A request to access data is received. A determination is made that an access-control policy of the data is satisfied. A virtualization layer is activated to allow access to the data after determining that the access-control policy is satisfied. Various other methods, systems, and computer-readable media are also disclosed. | 03-11-2010 |
20100064341 | System for Enforcing Security Policies on Mobile Communications Devices - A system for enforcing security policies on mobile communications devices is adapted to be used in a mobile communications network in operative association with a subscriber identity module. The system having a client-server architecture includes a server operated by a mobile communications network operator and a client resident on a mobile communications device on which security policies are to be enforced. The server is adapted to determine security policies to be applied on said mobile communications device, and to send thereto a security policy to be applied. The client is adapted to receive the security policy to be applied from the server, and to apply the received security policy. The server includes a server authentication function adapted to authenticate the security policy to be sent to the mobile communications device; the client is further adapted to assess authenticity of the security policy received from the server by exploiting a client authentication function resident on the subscriber identity module. | 03-11-2010 |
20100064342 | SECURITY MEASURE STATUS SELF-CHECKING SYSTEM - The present invention provides a security measure status self-checking system which can determine the measure status in a more simplified and effective manner by focusing on the information leakage measure in the security measures, managing the PC's security measure status and the user's take-out operation status in an integrated and unitary manner, and providing security policy samples. According to the present invention, the client computer collects security inventory information and operation log information and transmits the information to the server computer. Further, the server computer stores the security inventory information and the operation log information transmitted from the client computer and determines whether or not the information conforms to the security policy which has been set in advance. The check result is displayed on the server computer and when a policy violation is detected, the manager and the client are notified of that effect. | 03-11-2010 |
20100071024 | HIERARCHICAL APPLICATION OF SECURITY SERVICES WITHIN A COMPUTER NETWORK - In general, techniques are described for hierarchical application of security services with a network device. In particular, the network device receives security classification information that maps a security class to one or more computing devices. The security class identifies security capabilities of the computing devices. The network device also receives network traffic associated with the computing device and applies a set of patterns defined by a policy associated with the security class to the network traffic to detect a set of network attacks. Based on the application of the set of patterns, the network device forwards the network traffic. As a result of receiving security classification information, the network device may become aware of the security capabilities of the computing device and only apply those patterns required to augment these detected security capabilities, thereby preventing application of overlapping security services through application of these services in a hierarchical manner. | 03-18-2010 |
20100071025 | SECURING LIVE MIGRATION OF A VIRTUAL MACHINE WITHIN A SERVICE LANDSCAPE - In an embodiment of the invention, a method for secure live migration of a virtual machine (VM) in a virtualized computing environment can include selecting a VM in a secure virtualized computing environment for live migration to a different virtualized computing environment and blocking data communications between the selected VM and other VMs in the secure virtualized computing environment. The selected VM can be live migrated to the different virtualized computing environment and the VM can be restarted there. Notably, a secure communicative link can be established between the restarted VM and at least one other of the VMs in the secure virtualized computing environment. Finally, data communications between the restarted VM and the at least one other of the VMs can be enabled over the secure communicative link. | 03-18-2010 |
20100071026 | WIDGET HOST CONTAINER COMPONENT FOR A RAPID APPLICATION DEVELOPMENT TOOL - A widget host container serves as a component that may be added via a rapid application development tool, such as Oracle International Corporation's Application Development Framework. The rapid application development tool may be used to install the widget host container, for example, in a region of a user interaction environment, such as an application or a suite of user interactive applications, created by the rapid application development tool. If desired, one or more selection devices, such as a drop down menu, may be provided to select particular widgets for use and display. Features may be provided for organizing both personal and enterprise widgets. Security settings control access to web widgets, and an option to allow or restrict access to web widget display options in the container. | 03-18-2010 |
20100071027 | METHOD OF PROVIDING A MIXED GROUP COMMUNICATION SESSION - A method of providing a mixed group communication session for a mixed group containing protected users and a guest user is provided. The method uses a secure server to assign temporary Identities (IDs) to the protected users. The secure server forms a mixed group session containing desired participants from among the protected users and the guest user. The secure server provides limited group rights to the guest user in the mixed group session. During the mixed group session, the secure server uses the permanent IDs of the protected users towards other protected users and the temporary IDs of the protected users towards the guest user. Also provided is a method for providing a mixed group communication session for a mixed group containing protected users and a guest user, wherein temporary IDs are assigned to both the protected users and the guest user. | 03-18-2010 |
20100071028 | Governing Service Identification In A Service Oriented Architecture ('SOA') Governance Model - Methods and systems for governing service identification in an SOA governance model according to embodiments of the present invention are provided. Embodiments include receiving a set of input parameters for identifying candidate services for the SOA and determining whether the set of input parameters complies with a predetermined input parameter validation policy. If the set of input parameters complies with the predetermined input parameter validation policy, governing service identification includes identifying, in dependence upon the set of input parameters, one or more candidate services available for the SOA in existing SOA business applications and determining whether each candidate service available in existing SOA business applications complies with a predetermined service selection policy. If one of the candidate services available in existing SOA business applications complies with the predetermined service selection policy, governing service identification includes selecting the candidate service as a service available for the SOA and communicating the identification of that selected service to relevant stakeholders in the SOA. | 03-18-2010 |
20100071029 | Method for Granting an Access Authorization for a Computer-Based Object in an Automation System, Computer Program and Automation System - An access authorization for a computer-based object in an automation system comprising a plurality of network nodes is granted using a control file which is structured in line with a scheme for a markup language for granting access authorizations and which maps a hierarchic tree structure. In this case, access authorizations are mapped in an object model which has a hierarchic tree structure. A relevant subtree from the object model is ascertained for a selected network node, at which services are provided using computer-based objects, or when access to a computer-based object is requested, by an access guideline service. The control file is produced from the ascertained relevant subtree. The control file produced is made available for the selected network node or for access to the computer-based object. | 03-18-2010 |
20100077444 | BROWSER ACCESS CONTROL - Systems, methods and apparatus for a distributed security that monitors communications to manage client browser network access based upon the browser configuration of the client browser by use of a configuration script executed in the browser environment. Such management can reduce the exposure of potentially vulnerable client browsers to domains associated with malicious activity. | 03-25-2010 |
20100077445 | Graduated Enforcement of Restrictions According to an Application's Reputation - Security software on a client observes a request for a resource from an application on the client and then determines the application's reputation. The application's reputation may be measured by a reputation score obtained from a remote reputation server. The security software determines an access policy from a graduated set of possible access policies for the application based on the application's reputation. The security software applies the access policy to the application's request for the resource. In this way, the reputation-based system uses a graduated trust scale and a policy enforcement mechanism that restricts or grants application functionality for resource interactivity along a graduated scale. | 03-25-2010 |
20100083345 | METHODS AND APPARATUS RELATED TO PACKET CLASSIFICATION ASSOCIATED WITH A MULTI-STAGE SWITCH - In one embodiment, an apparatus can include a policy vector module configured to retrieve a compressed policy vector based on a portion of a data packet received at a multi-stage switch. The apparatus can also include a decompression module configured to receive the compressed policy vector and configured to define a decompressed policy vector based on the compressed policy vector. The decompressed policy vector can define a combination of bit values associated with a policy. | 04-01-2010 |
20100083346 | Information Scanning Across Multiple Devices - Provided are, among other things, systems, methods and techniques for scanning information across multiple different devices. In one representative system, remote data-processing devices are provided with scanning applications that repeatedly scan information on their respective data-processing devices to identify matching data units that satisfy a specified matching criterion, the specified matching criterion including required matches against a set of screening digests, and then transmit characteristic information regarding the matching data units; and a central processing facility receives the characteristic information from the remote data-processing devices and determines whether the corresponding matching data units satisfy a policy criterion. | 04-01-2010 |
20100083347 | VERIFYING AND ENFORCING CERTIFICATE USE - A method, system, and computer usable program product for verifying and enforcing certificate use are provided in the illustrative embodiments. A certificate is received from a sender. The certificate is validated before communicating a message associated with the certificate to a receiver. If the certificate is invalid, a policy is selected based on the type of invalidity of the certificate. An action is taken to enforce the policy for using the certificate. The certificate may be received from the sender at a proxy. The validating may further include verifying the validity of the certificate using a certificate from a certificate database accessible to the proxy over a network. The proxy may copy a part of the certificate database to a second certificate database local to the proxy. The validating may further include verifying the validity of the certificate using a certificate revocation list accessible to the proxy over a network. | 04-01-2010 |
20100083348 | Method and rule-repository for generating security-definitions for heterogeneous systems - The present invention concerns a method for generating one or more system-specific security-definitions ( | 04-01-2010 |
20100083349 | METHOD FOR REALIZING TRUSTED NETWORK MANAGEMENT - A method for realizing trusted network management is provided. A trusted management agent resides on a managed host, and a trusted management system resides on a management host. The trusted management agent and the trusted management system are software modules, which are both based on a trusted computing platform and signed after being authenticated by a trusted third party of the trusted management agent and the trusted management system. Trusted platform modules of the managed host and the management host can perform integrity measurement, storage, and report for the trusted management agent and the trusted management system. Therefore, the managed host and the management host can ensure that the trusted management agent and the trusted management system are trustworthy. Then, the trusted management agent and the trusted management system execute a network management function, thus realizing the trusted network management. Therefore, the technical problem in the prior art that the network management security cannot be ensured due to the mutual attack between an agent, a host where the agent resides, and a manager system is solved, and trusted network management is realized. | 04-01-2010 |
20100088738 | Global Object Access Auditing - Global object access auditing techniques are described. In an implementation, a global SACL for a resource and an object SACL are merged to form a merged SACL responsive to a request for access to an object. The merged SACL is checked to determine what activity is to generate an audit event. | 04-08-2010 |
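The SACL merge described in the preceding entry, as an added example written for this page (not the patent's or any vendor's code). The access-mask bits, the ACE fields, the group names and the "Everyone" trustee are assumptions; real Windows masks and SIDs are wider. The property demonstrated is that the merged list is what gets consulted on every access, so an object whose own SACL is empty or narrower cannot escape a global audit rule.

```python
"""Merge a global SACL with an object's own SACL and decide what to audit (added example)."""
from dataclasses import dataclass
from typing import Iterable, List, Set

# Simplified access-mask bits (assumed for the example; real masks are wider).
READ, WRITE, DELETE = 0x1, 0x2, 0x4


@dataclass(frozen=True)
class AuditAce:
    trustee: str        # principal or group name; "Everyone" matches any caller
    mask: int           # access rights this ACE cares about
    on_success: bool    # generate an audit event when such access is granted
    on_failure: bool    # generate an audit event when such access is denied


def merge_sacl(global_sacl: Iterable[AuditAce], object_sacl: Iterable[AuditAce]) -> List[AuditAce]:
    """Union of both lists. Order is irrelevant: audit ACEs only ever add events."""
    merged = list(object_sacl)
    for ace in global_sacl:
        if ace not in merged:
            merged.append(ace)
    return merged


def audit_events(merged: List[AuditAce], principal: str, groups: Set[str],
                 requested: int, granted: bool) -> Set[str]:
    """Return the set of audit events ("success"/"failure") this access must generate.

    An ACE applies when the caller matches its trustee and the requested rights
    overlap its mask; whether an event fires then depends on the outcome.
    """
    identities = {principal, "Everyone", *groups}
    events: Set[str] = set()
    for ace in merged:
        if ace.trustee not in identities or not (requested & ace.mask):
            continue
        if granted and ace.on_success:
            events.add("success")
        if not granted and ace.on_failure:
            events.add("failure")
    return events


# Constructed policy: the global SACL audits every failed DELETE on any object;
# one spreadsheet's object SACL additionally audits successful WRITEs by Finance.
GLOBAL_SACL = [AuditAce("Everyone", DELETE, on_success=False, on_failure=True)]
SPREADSHEET_SACL = [AuditAce("Finance", WRITE, on_success=True, on_failure=False)]
MERGED = merge_sacl(GLOBAL_SACL, SPREADSHEET_SACL)

if __name__ == "__main__":
    print(audit_events(MERGED, "bob", {"Finance"}, WRITE, granted=True))      # {'success'}
    print(audit_events(MERGED, "mallory", set(), DELETE, granted=False))     # {'failure'}
    print(audit_events(merge_sacl(GLOBAL_SACL, []), "mallory", set(), DELETE, granted=False))
```

The last call shows the point of merging: an object with no SACL of its own still produces the failure audit that the global SACL demands.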
20100088739 | Hardware Based Mandatory Access Control - Hardware mechanisms are provided for performing hardware based access control of instructions to data. These hardware mechanisms associate an instruction access policy label with an instruction to be processed by a processor and associate an operand access policy label with data to be processed by the processor. The instruction access policy label is passed along with the instruction through one or more hardware functional units of the processor. The operand access policy label is passed along with the data through the one or more hardware functional units of the processor. One or more hardware implemented policy engines associated with the one or more hardware functional units of the processor are utilized to control access by the instruction to the data based on the instruction access policy label and the operand access policy label. | 04-08-2010 |
20100088740 | Methods for performing secure on-line testing without pre-installation of a secure browser - Methods for performing secure on-line testing without the need for pre-installation of a secure browser are provided. The methods use a general purpose web browser which is already installed on the user's computer and extend the browser so as to restrict the functionality of the user's computer in at least one way which makes the computer more secure with regard to testing. The extending occurs through the transmission of trusted code to the user's computer over the internet. The elimination of the need for pre-installation represents a major savings to school districts in terms of the amount of IT professional time that must be dedicated to on-line testing, especially for school districts having large numbers of installed computers. Apparatus for practicing the methods is also provided. | 04-08-2010 |
20100088741 | METHOD FOR DEFINING A SET OF RULES FOR A PACKET FORWARDING DEVICE - There are methods and apparatus, including computer program products, for defining a policy including a set of rules for a packet forwarding device by receiving information sufficient to enable a first rule related to one of security or traffic management to be defined, and based on the received information, enabling a corresponding second rule related to the other one of security or traffic management to be defined. | 04-08-2010 |
20100088742 | APPARATUS FOR DEFINING A SET OF RULES FOR A PACKET FORWARDING DEVICE - There are methods and apparatus, including computer program products, for defining a policy including a set of rules for a packet forwarding device by receiving information sufficient to enable a first rule related to one of security or traffic management to be defined, and based on the received information, enabling a corresponding second rule related to the other one of security or traffic management to be defined. | 04-08-2010 |
20100088743 | PERSONAL-INFORMATION MANAGING APPARATUS AND PERSONAL-INFORMATION HANDLING APPARATUS - A personal-information managing apparatus includes: a usage permission policy managing unit to manage usage permission policy in which a boundary between usage permission and usage prohibition of personal information is defined; a personal information request receiving unit to receive a request for the personal information from the personal-information handling apparatus; a usage-permission issuing unit to obtain the usage permission policy corresponding to the received request via the usage permission policy managing unit, and to issue a usage permit corresponding to the usage permission policy and the requested personal information to the personal-information handling apparatus; a usage permit issue history managing unit to manage the issued usage permit and usage permission issue history relating to the personal information; and a credibility establishing unit to establish credibility of information exchange with the personal-information handling apparatus in relation to the issuing of the usage permit and the personal information. | 04-08-2010 |
20100095348 | SYSTEM AND METHOD FOR MANAGEMENT AND TRANSLATION OF TECHNICAL SECURITY POLICIES AND CONFIGURATIONS - A system and method translating information of a source policy configuration into a universal data type useable with a target policy configuration. The disclosed system and method provide comprehensive and highly automated translation of security policies and configurations into a normalized format, thereby enabling management and transformation of information across various types of technologies. Normalized data format is utilized to output data into different formats or data types. | 04-15-2010 |
20100095349 | Approach for Managing Access to Electronic Documents on Network Devices Using Document Retention Policies and Document Security Policies - An approach for managing access to electronic documents uses document retention and document security policies. In response to detecting a request to access a particular electronic document stored on a network device, a document retention policy and a document security policy are applied to the particular electronic document. If, based upon application of the document retention policy to the particular electronic document, a determination is made that the particular electronic document is to be deleted, then the particular electronic document is deleted from the network device. If, based upon application of the document security policy to the particular electronic document, a determination is made that access to the particular electronic document should be denied, then access to the particular electronic document is denied. Retention policy audits, automatic or manual loading or auto-destruction code and self-extracting and executable data may also be used to enforce document retention and document security policies. | 04-15-2010 |
20100100924 | Digital Rights Management (DRM)-Enabled Policy Management For A Service Provider In A Federated Environment - A method operative at a service provider enforces a digital rights management (DRM) scheme associated with a piece of content. The service provider typically is a content provider. The service provider is an entity that participates in a “federation” with one or more other entities including, for example, an identity provider, a DRM privileges provider, and a DRM policy provider. In one embodiment, the method begins upon receipt at the service provider of a single sign on (SSO) message generated by the identity provider entity that includes a reference to a set of DRM privileges associated with an end user requesting access to the piece of content. In response to receiving the message, the service provider as necessary obtains the DRM privileges and at least one applicable DRM policy. It then evaluates the DRM privileges associated with the end user against the DRM policy, and provides the end user a response. | 04-22-2010 |
20100100925 | Digital Rights Management (DRM)-Enabled Policy Management For An Identity Provider In A Federated Environment - A method operative at an identity provider enforces a digital rights management (DRM) scheme associated with a piece of content. The identity provider is an entity that participates in a “federation” with one or more other entities including, for example, a service provider (e.g., a content provider), a DRM privileges provider, and a DRM policy provider. In one embodiment, the method begins by having the identity provider obtain and evaluate against a DRM policy a set of DRM privileges associated with the end user requesting access to the piece of content. Based on the evaluation, the identity provider generates a single sign on (SSO) message that includes a reference to the set of DRM privileges. The message is then forwarded to the service provider entity, which provides the end user a response. | 04-22-2010 |
20100100926 | INTERACTIVE SELECTION OF IDENTITY INFORMATION SATISFYING POLICY CONSTRAINTS - A system and method for verifying an attribute includes providing a compound policy by a relying party. The compound policy has one or more claims and/or sub-claims expressing conditions on attributes and constants. Identity providers are associated with aspects of the compound policy by mapping attributes of the compound policy with attributes of the identity providers. A selection of at least one identity provider that satisfies the compound policy is enabled. At least one attribute of the user is verified by at least one identity provider in accordance with the selection. | 04-22-2010 |
20100100927 | SYSTEMS AND METHODS FOR PROTECTING WEB BASED APPLICATIONS FROM CROSS SITE REQUEST FORGERY ATTACKS - Computer implemented methods ( | 04-22-2010 |
20100100928 | Secure network computing - A host based security system for a computer network includes in communication with the network a credential host that is operative in concert with a local computer and a destination site. The destination site has a credential authentication policy under which credentials associated with the local computer, upon being authenticated, authorize data to be communicated between the destination site and the local computer during a communication session over the network. The credential host stores the credentials to be used by the destination and is operative to transmit the credentials onto the network in response to a request received from the local computer. The destination site, upon the credentials being received and authenticated thereat, is operative to transmit session information onto the network. In turn, the local computer is then operative to commence the communication session upon receipt of said information. | 04-22-2010 |
20100100929 | APPARATUS AND METHOD FOR SECURITY MANAGING OF INFORMATION TERMINAL - Provided is an apparatus and a method for security managing of an information terminal. The provided apparatus classifies a plurality of information providing means into a plurality of domains each including at least one information providing means and, when a user process accesses any one domain and then attempts to access another domain, controls the access to said another domain by verifying whether or not the access of the user process to said another domain is allowed. According to the provided apparatus and method, security threats are monitored for each domain which an execution process accesses, simply by constructing domain classification information for the entire system without specifically establishing a security policy for each information providing device, such that it is possible to protect a terminal from a multi-domain access process having high security risk. Accordingly, it is advantageous to increase security for the terminal against various security threats. | 04-22-2010 |
20100100930 | HOSTED VULNERABILITY MANAGEMENT FOR WIRELESS DEVICES - A method, a multi-tenant security server apparatus and associated system for securing wireless communication of devices. The method includes transferring security policy configuration information from the security server to wireless devices. The method also includes ascertaining compliance of wireless activity of the wireless devices with the security policy configuration using client software modules installed on the wireless devices. | 04-22-2010 |
20100100931 | TRANSACTION TOOL MANAGEMENT INTEGRATION WITH CHANGE MANAGEMENT - A change management system coordinates information of a transaction tool managed by a transaction tool management system. The system includes a receiver that receives, over a communications network, activity information and/or lifecycle event information for the transaction tool. The system also includes a storage that stores the received information. Additionally, the system includes a processor that manages a change in a status of the transaction tool based on the received information. | 04-22-2010 |
20100100932 | SYSTEM AND METHOD FOR DETERMINING A SECURITY ENCODING TO BE APPLIED TO OUTGOING MESSAGES - A system and method for determining a security encoding to be applied to a message being sent by a user of a computing device, such as a mobile device, for example. In one broad aspect, the method comprises determining, at the computing device, whether a general message encoding configuration setting thereon indicates that the security encoding to be applied to the message is to be established by a policy engine; if the general message encoding configuration setting on the computing device indicates that the security encoding to be applied to the message is to be established by the policy engine, determining the security encoding to be applied to the message by querying the policy engine for the security encoding to be applied to the message; applying the determined security encoding to the message; and transmitting the message to which the security encoding has been applied to the at least one recipient. In one embodiment, the policy engine is a PGP Universal Server. | 04-22-2010 |
20100107213 | Access Control State Determination Based on Security Policy and Secondary Access Control State - In accordance with one or more aspects, a current security policy for accessing a device or volume of a computing device is identified. A secondary access control state for the device or volume is also identified. An access state for the device is determined based on both the current security policy and the secondary access control state. | 04-29-2010 |
20100107214 | TEMPORARY USER ACCOUNT FOR A VIRTUAL WORLD WEBSITE - A computer system and method are provided that facilitate permitting temporary access to a website or other computer application in which temporary access is given to a generic virtual character and its corresponding user. Temporary access is made available through a temporary user account that is set up by the user. The temporary user account is active for a limited time and allows the user to learn about the website, for instance, via the generic virtual character. The generic virtual character has limited access to the website and in particular to various activities or areas on the website. Unlike temporary user account holders, users who have purchased a real world item and have created premium user accounts have full access to the website via their corresponding premium virtual characters. In addition, the system and method prevent at least some interaction between the generic virtual characters and the premium virtual characters. | 04-29-2010 |
20100107215 | SCALABLE FIREWALL POLICY MANAGEMENT PLATFORM - Securing large networks having heterogeneous computing resources including provision of multiple services both to clients within and outside of the network, multiple sites, security zones, and other characteristics is provided using access control functionality implemented at hosts within the network. The access control functionality includes respective access control policies for indicating to each host from which other computers it can accept connections. Content of the access control policies can be determined based on application data flow needs, and can draw information from databases including DNS and security zone information for hosts to which the access control policies will be applied. Access control policies can be formatted automatically for different hosts with different characteristics from the same base logical rule set. Other aspects include using more permissive access control rules provided on network equipment to block known bad data, while providing host-based access control focused on application data flow. | 04-29-2010 |
20100107216 | INFORMATION PROCESSING DEVICE AND MEMORY MANAGEMENT METHOD - It is an object of the present invention to provide an information processing device and a memory management method that enable execution of memory management processing for simultaneously starting up two types of applications. During execution of an application in the form of a Java application, the application starts up another application in the form of Flash data, and then native software in the form of a Flash Player causes a memory management unit to secure a prescribed memory area from a memory area for the native software. The native software then starts up the other application using the secured memory area. | 04-29-2010 |
20100107217 | CONTENT CONTROL METHOD AND DEVICE - A content control method and device are provided. A method is as follows. A monitoring device sends a first acquisition request message carrying identification information to a content identity manager (CIM) to request attribute metadata and a registered fingerprint corresponding to the identification information when a first cumulative transmission amount of a content whose identification information is acquirable detected by the monitoring device in a first preset time period reaches a first preset threshold. The monitoring device acquires the attribute metadata and the registered fingerprint corresponding to the identification information returned by the CIM. Thus, at multiple concurrent accesses of the same content in any time periods, the monitoring device does not need to request the related policy control attribute metadata from the CIM each time, so that interactive processing for the repeated content with a high concurrent rate between the monitoring device and the CIM is reduced, thereby reducing resource loss of a network and the CIM. | 04-29-2010 |
20100115577 | Method of Role Creation - A method and a computer program product for creating roles in an enterprise system comprising monitoring a system for instances of a change from a first normal user to a first super user; mapping said first user with a terminal; scanning said system to derive a plurality of commands executed from said terminal; mapping at least one of the plurality of command executed from said terminal to said first super user; and creating a first role comprising an authorization to execute the at least one command executed by said first super user. | 05-06-2010 |
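The role-mining procedure in the preceding entry (watch for a normal user becoming a super user, tie that user to a terminal, attribute the commands later run on that terminal to the user, and turn the resulting command set into a role), as an added example written for this page rather than the patent's own code. The two log line formats are constructed for the example: a syslog-style `su` record and a simplified command-audit record carrying the tty; real auditd or PAM output looks different, and the role object shape is assumed.

```python
"""Derive candidate roles from privilege-elevation and per-terminal command records (added example)."""
import re
from collections import defaultdict
from typing import Dict, List, Set

# Constructed input: who elevated on which terminal, then what root ran on each terminal.
LOG_LINES = [
    "Jan 10 09:01:02 host su[1234]: (to root) alice on pts/2",
    'Jan 10 09:01:10 host cmdaudit: tty=pts/2 user=root cmd="useradd bob"',
    'Jan 10 09:01:15 host cmdaudit: tty=pts/2 user=root cmd="systemctl restart nginx"',
    "Jan 10 09:03:00 host su[1300]: (to root) carol on pts/5",
    'Jan 10 09:03:05 host cmdaudit: tty=pts/5 user=root cmd="systemctl restart nginx"',
    'Jan 10 09:03:20 host cmdaudit: tty=pts/7 user=root cmd="rm -rf /var/log"',  # no elevation seen on pts/7
]

# Patterns for the two constructed record types.
SU_RE = re.compile(r"su\[\d+\]: \(to (?P<super>\w+)\) (?P<user>\w+) on (?P<tty>\S+)")
CMD_RE = re.compile(r'cmdaudit: tty=(?P<tty>\S+) user=(?P<user>\w+) cmd="(?P<cmd>[^"]*)"')


def mine_roles(lines: List[str]) -> Dict[str, Set[str]]:
    """Return {original_user: {programs run while elevated on that user's terminal}}.

    Commands on a terminal with no preceding elevation record are not guessed
    onto anyone; they are returned under "_unattributed" for an analyst to review.
    """
    tty_owner: Dict[str, str] = {}            # terminal -> normal user who elevated there
    roles: Dict[str, Set[str]] = defaultdict(set)
    for line in lines:
        if m := SU_RE.search(line):
            tty_owner[m["tty"]] = m["user"]   # later su on the same tty overrides the mapping
            continue
        if m := CMD_RE.search(line):
            program = m["cmd"].split()[0]     # role grants the program, not one exact argv
            owner = tty_owner.get(m["tty"])
            roles[owner if owner else "_unattributed"].add(program)
    return dict(roles)


def role_definition(roles: Dict[str, Set[str]], user: str) -> dict:
    """Package one mined role as an authorization object (field names assumed)."""
    return {
        "role": f"{user}-elevated",
        "members": [user],
        "allowed_commands": sorted(roles.get(user, ())),
    }


if __name__ == "__main__":
    mined = mine_roles(LOG_LINES)
    for user in sorted(mined):
        print(role_definition(mined, user))
```

Granting the program name rather than the full command line keeps the role usable, but an analyst should still review the unattributed bucket: a command on a terminal with no elevation record is exactly the kind of event a least-privilege migration wants explained before roles go live.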
20100115578 | AUTHENTICATION IN A NETWORK USING CLIENT HEALTH ENFORCEMENT FRAMEWORK - A network with authentication implemented using a client health enforcement framework. The framework is adapted to receive plug-ins on clients that generate health information. Corresponding plug-ins on a server validate that health information. Based on the results of validation, the server may instruct the client to remediate or may authorize an underlying access enforcement mechanism to allow access. A client plug-in that generates authentication information formatted as a statement of health may be incorporated into such a framework. Similarly, on the server, a validator to determine, based on the authentication information, whether the client should be granted network access can be incorporated into the framework. Authentication can be simply applied or modified by changing the plug-ins, while relying on the framework to interface with an enforcement mechanism. Functions of the health enforcement framework can be leveraged to provide authentication-based functionality, such as revoking authorized access after a period of user inactivity or in response to a user command. | 05-06-2010 |
20100115579 | SYSTEM AND METHOD FOR LOST DATA DESTRUCTION OF ELECTRONIC DATA STORED ON PORTABLE ELECTRONIC DEVICES - A data security system and method protects stored data from unauthorized access. According to one aspect of the invention, a client computing device communicates periodically with a server. If communication is not established between the client and the server for a selected activation interval and a subsequent grace period, the data is determined to be lost, and programmed security rules are automatically executed. Rules relating to encryption, as well as other security procedures, can be defined and entered by an administrator with access to the server, and then disseminated to each of a plurality of clients that access the server. | 05-06-2010 |
20100115580 | RETROSPECTIVE POLICY SAFETY NET - These and other objectives are attained with a method and system for evaluating an access policy change. The method comprises the step of providing an access control mechanism having a first policy, and an audit log having entries of accesses made under that first policy. The method comprises the further steps of submitting a second policy to the access control mechanism, comparing the log entries to the second policy, and based on the results of the comparing step, taking one of a predetermined number of actions. | 05-06-2010 |
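The replay check from the preceding entry, as an added example written for this page (not the patent's code): every access recorded in the audit log under the live policy is re-decided under the candidate policy, and the differences drive one of a fixed set of actions. The rule format (first-match tuples with a default deny), the audit-log fields, the sample entries and the three actions (apply, review, reject) are all assumptions made for the example.

```python
"""Retrospective policy safety net: replay logged accesses against a candidate policy (added example)."""
from typing import Dict, List, Tuple

# A rule is (subject or "*", action or "*", resource prefix, effect); first match wins.
Rule = Tuple[str, str, str, str]

# Constructed audit log: decisions actually made under the policy that is live today.
AUDIT_LOG: List[Dict[str, str]] = [
    {"subject": "alice", "action": "read",  "resource": "/finance/q1.xlsx", "decision": "allow"},
    {"subject": "bob",   "action": "write", "resource": "/finance/q1.xlsx", "decision": "allow"},
    {"subject": "carol", "action": "read",  "resource": "/hr/salaries.csv", "decision": "deny"},
    {"subject": "dave",  "action": "read",  "resource": "/hr/salaries.csv", "decision": "allow"},
]

# Candidate A tightens finance to read-only and drops bob's write access.
CANDIDATE_TIGHTER: List[Rule] = [
    ("alice", "read", "/finance/", "allow"),
    ("dave",  "read", "/hr/",      "allow"),
]

# Candidate B contains a wildcard that quietly opens HR data to everyone.
CANDIDATE_LOOSER: List[Rule] = [
    ("*",   "read",  "/",         "allow"),
    ("bob", "write", "/finance/", "allow"),
]


def evaluate(policy: List[Rule], subject: str, action: str, resource: str) -> str:
    """First-match evaluation with an implicit default deny."""
    for subj, act, prefix, effect in policy:
        if subj in ("*", subject) and act in ("*", action) and resource.startswith(prefix):
            return effect
    return "deny"


def replay(policy: List[Rule], log: List[Dict[str, str]]) -> Dict[str, List[Dict[str, str]]]:
    """Re-decide every logged access under `policy` and bucket it by how the outcome changed."""
    report: Dict[str, List[Dict[str, str]]] = {"unchanged": [], "newly_denied": [], "newly_allowed": []}
    for entry in log:
        new = evaluate(policy, entry["subject"], entry["action"], entry["resource"])
        if new == entry["decision"]:
            report["unchanged"].append(entry)
        elif new == "deny":
            report["newly_denied"].append(entry)
        else:
            report["newly_allowed"].append(entry)
    return report


def decide(report: Dict[str, List[Dict[str, str]]], max_newly_denied: int = 0) -> str:
    """Map the replay report onto one of the predetermined actions.

    An access the live policy denied but the candidate would allow is a silent
    widening of privilege, so the change is rejected outright. Breaking more
    previously-working accesses than the tolerance allows sends it to review.
    """
    if report["newly_allowed"]:
        return "reject"
    if len(report["newly_denied"]) > max_newly_denied:
        return "review"
    return "apply"


if __name__ == "__main__":
    for name, policy in (("tighter", CANDIDATE_TIGHTER), ("looser", CANDIDATE_LOOSER)):
        rep = replay(policy, AUDIT_LOG)
        print(name, decide(rep), {k: len(v) for k, v in rep.items()})
```

The asymmetry in `decide` is deliberate: the log can only prove what the new policy would take away or hand out for traffic that actually happened, so the widening case is treated as a hard stop while the tightening case is a tunable threshold.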
20100115581 | SYSTEM METHOD AND DEVICE FOR MEDIATING CONNECTIONS BETWEEN POLICY SOURCE SERVERS, CORPORATE REPOSITORIES, AND MOBILE DEVICES - The invention relates to providing policy from an integrated policy server to a mobile device, comprising identifying a policy in an integrated policy server applicable to the mobile device and supplying policy elements to policy transports for transmission to the mobile device. The invention also relates to providing policy from an integrated policy server to a mobile device, including identifying a policy in the integrated policy server applicable to the mobile device, determining whether the mobile device is in compliance with the policy, and supplying policy elements to policy transports for transmission to the mobile device when the mobile device is not in compliance with the policy. The invention further relates to controlling access to a data server by a mobile device, including identifying a policy in an integrated policy server applicable to the mobile device, and determining whether the mobile device is in compliance with the policy. | 05-06-2010 |
20100115582 | SYSTEM, METHOD, AND DEVICE FOR MEDIATING CONNECTIONS BETWEEN POLICY SOURCE SERVERS, CORPORATE REPOSITORIES, AND MOBILE DEVICES - The invention relates to providing policy from an integrated policy server to a mobile device, comprising identifying a policy in an integrated policy server applicable to the mobile device and supplying policy elements to policy transports for transmission to the mobile device. The invention also relates to providing policy from an integrated policy server to a mobile device, including identifying a policy in the integrated policy server applicable to the mobile device, determining whether the mobile device is in compliance with the policy, and supplying policy elements to policy transports for transmission to the mobile device when the mobile device is not in compliance with the policy. The invention further relates to controlling access to a data server by a mobile device, including identifying a policy in an integrated policy server applicable to the mobile device, and determining whether the mobile device is in compliance with the policy. | 05-06-2010 |
20100122312 | PREDICTIVE SERVICE SYSTEMS - A predictive service system can include a gathering service to gather user information, a semantic service to generate a semantic abstract for the user information, a policy service to enforce a policy, and a predictive service to act on an actionable item that is created based on the user information, the semantic abstract, and the policy. The system can also include an analysis module to create the actionable item and send it to the predictive service. The system can also include an identity service to create a crafted identity for the user. | 05-13-2010 |
20100122313 | METHOD AND SYSTEM FOR RESTRICTING FILE ACCESS IN A COMPUTER SYSTEM - A computer-implemented method is provided of controlling file access in a computer system. The method includes: (a) reading file association information; (b) building a security policy in accordance with the file association information comprising rules that restrict the access of applications to files based on file type, format, or extension; (c) providing additional rules for the security policy not based on the file association information; (d) storing the security policy; and (e) controlling file access in accordance with the security policy. | 05-13-2010 |
20100122314 | ACTIVE ACCESS MONITORING FOR SAFER COMPUTING ENVIRONMENTS AND SYSTEMS - Techniques for controlling access are disclosed. The techniques can be used for reference monitoring in various computing systems (e.g., computing device) including those that may be relatively more susceptible to threats (e.g., mobile phones). Allowed access can be disallowed. In other words, permission to access a component can be effectively withdrawn even though access may be on-going. After permission to access a component has been allowed, one or more disallow access conditions or events can be effectively monitored in order to determine whether to withdraw the permission to access the component. As a result, allowed access to the component can be disallowed. Access can be disallowed by effectively considering the behavior of a component in the aggregate and/or over a determined amount of time. By way of example, a messaging application can be disallowed access to a communication port if the messaging application sends more messages than an acceptable limit during a session or in 4 hours. Disallow-access policies, rules and/or conditions can be defined and modified, for example, by end-users and system administrators, allowing a customizable and flexible security environment that is more adaptable to change. | 05-13-2010 |
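The withdraw-after-granting behaviour described in the preceding entry, as an added example written for this page rather than the patent's code. The reference monitor counts each mediated use of a component and revokes a live grant once the application's aggregate behaviour exceeds either a per-session cap or a cap within a rolling window; the 4-hour window and the "messaging application sending through a port" scenario come from the abstract, while the policy shape, class names and the explicit reinstatement step are assumptions.

```python
"""Reference monitor that can withdraw an already-granted permission (added example)."""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Deque, Dict, Tuple


@dataclass
class DisallowPolicy:
    per_session: int                    # max uses of a component in one session
    per_window: int                     # max uses within a rolling window
    window_seconds: float = 4 * 3600    # 4 hours, as in the abstract's example


@dataclass
class Grant:
    allowed: bool = True
    session_uses: int = 0
    recent: Deque[float] = field(default_factory=deque)   # timestamps of recent uses
    reason: str = ""


class ReferenceMonitor:
    def __init__(self, policy: DisallowPolicy):
        self.policy = policy
        self.grants: Dict[Tuple[str, str], Grant] = defaultdict(Grant)

    def request(self, app: str, component: str, now: float) -> bool:
        """Mediate one use of `component` by `app`. Returns False once the grant is withdrawn.

        `now` is injected rather than read from the clock so behaviour is reproducible.
        """
        g = self.grants[(app, component)]
        if not g.allowed:
            return False
        # Record this use, then judge the application's behaviour in the aggregate.
        g.session_uses += 1
        g.recent.append(now)
        while g.recent and now - g.recent[0] >= self.policy.window_seconds:
            g.recent.popleft()          # forget uses that fell out of the window
        if g.session_uses > self.policy.per_session:
            g.allowed, g.reason = False, "session limit exceeded"
        elif len(g.recent) > self.policy.per_window:
            g.allowed, g.reason = False, "window limit exceeded"
        return g.allowed

    def status(self, app: str, component: str) -> Grant:
        return self.grants[(app, component)]

    def new_session(self, app: str, component: str) -> None:
        """A new session resets only the per-session counter; window history and revocation persist."""
        self.grants[(app, component)].session_uses = 0

    def reinstate(self, app: str, component: str) -> None:
        """Explicit re-grant (by a user or administrator); counters are kept so history still counts."""
        g = self.grants[(app, component)]
        g.allowed, g.reason = True, ""


if __name__ == "__main__":
    monitor = ReferenceMonitor(DisallowPolicy(per_session=100, per_window=3))
    for t in (0.0, 1.0, 2.0, 3.0):
        print(t, monitor.request("sms-app", "port/udp/5060", t))
    print(monitor.status("sms-app", "port/udp/5060").reason)
```

Because revocation is sticky, a burst that trips the window limit keeps the component closed even after the window has drained; reinstatement is a separate, auditable decision rather than something the offending application can wait out.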
20100122315 | METHODS AND APPARATUS RELATED TO TRANSMISSION OF CONFIDENTIAL INFORMATION TO A RELYING ENTITY - In one embodiment, a method includes defining a request for confidential information from a domain of confidential information based on an input from a relying entity. The domain of confidential information can be associated with a subject entity. A response to the request can be defined at an information provider. The method can also include sending the response to the relying entity when the response has been approved by the subject entity. | 05-13-2010 |
20100122316 | User Controlled Identity Authentication - A system, method for user controlled identity authentication comprising: a) At least one central computer having at least one user within a user database having user data and at least one service provider within a service provider database with service provider data; b) At least one service provider having electronic communication with the central computer; c) At least one user having electronic devices capable of communications with the central computer and service provider; e) Providing a user with a set of controls within the central computer to customize privacy, security and authentication of the user data; f) Providing a set of access rights within the service provider data of the central computer having a set of transaction rules for the service provider. | 05-13-2010 |
20100122317 | Integrated Network Intrusion Detection - Intrusion preludes may be detected (including detection using fabricated responses to blocked network requests), and particular sources of network communications may be singled out for greater scrutiny, by performing intrusion analysis on packets blocked by a firewall. An integrated intrusion detection system uses an end-node firewall that is dynamically controlled using invoked-application information and a network policy. The system may use various alert levels to trigger heightened monitoring states, alerts sent to a security operation center, and/or logging of network activity for later forensic analysis. The system may monitor network traffic to block traffic that violates the network policy, monitor blocked traffic to detect an intrusion prelude, and monitor traffic from a potential intruder when an intrusion prelude is detected. The system also may track behavior of applications using the network policy to identify abnormal application behavior, and monitor traffic from an abnormally behaving application to identify an intrusion. | 05-13-2010 |
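Intrusion-prelude analysis over packets the firewall has already dropped, as described in the preceding entry, written as an added example for this page (not the patent's code). The log lines are constructed to resemble netfilter `LOG` output but are simplified; the distinct-port threshold, the window, the two alert levels and the rule that an escalated source stays under heightened monitoring are assumptions.

```python
"""Intrusion-prelude detection over packets a host firewall has already blocked (added example)."""
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed sample of blocked-packet records (simplified netfilter-style fields, RFC 5737 addresses).
BLOCKED = [
    "t=100 DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=22",
    "t=101 DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=23",
    "t=102 DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=80",
    "t=103 DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=443",
    "t=104 DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=3389",
    "t=150 DROP IN=eth0 SRC=198.51.100.2 DST=192.0.2.10 PROTO=TCP DPT=445",
    "t=900 DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=8080",
]

LINE_RE = re.compile(r"t=(?P<t>\d+) DROP .*SRC=(?P<src>\S+) .*PROTO=(?P<proto>\S+) DPT=(?P<dpt>\d+)")


def detect_preludes(lines: List[str], distinct_ports: int = 5, window: int = 60) -> Dict[str, dict]:
    """Classify each blocked source as "noise" or "prelude".

    A source becomes a prelude once it has probed at least `distinct_ports`
    different blocked ports within `window` seconds. Escalation is sticky: the
    level is never lowered automatically, because the point is to watch the
    source's later traffic, not to forget it once the scan pauses.
    """
    history: Dict[str, List[Tuple[int, int]]] = defaultdict(list)   # src -> [(t, port)] inside window
    state: Dict[str, dict] = {}
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue                      # skip lines that are not blocked-packet records
        t, src, port = int(m["t"]), m["src"], int(m["dpt"])
        hist = history[src]
        hist.append((t, port))
        hist[:] = [(ts, p) for ts, p in hist if t - ts < window]
        entry = state.setdefault(src, {"level": "noise", "ports": set(), "blocked": 0})
        entry["blocked"] += 1             # lifetime count of drops from this source
        entry["ports"].add(port)          # lifetime set of probed ports (not windowed)
        if len({p for _, p in hist}) >= distinct_ports:
            entry["level"] = "prelude"
    return state


def monitored_sources(state: Dict[str, dict]) -> Set[str]:
    """Sources whose *permitted* traffic should now be logged in full for later forensics."""
    return {src for src, entry in state.items() if entry["level"] == "prelude"}


if __name__ == "__main__":
    result = detect_preludes(BLOCKED)
    for src, entry in result.items():
        print(src, entry["level"], entry["blocked"], sorted(entry["ports"]))
    print("monitor:", monitored_sources(result))
```

Running the detector on dropped traffic only is what makes this cheap: the firewall has already done the filtering, and the analysis just has to notice that one peer keeps knocking on different closed doors.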
20100122318 | POLICY-BASED SERVICE MANAGEMENT SYSTEM - A policy-based management mechanism is provided that controls access to network resources, integrates different frameworks into a common open standard, and supplies modular components for assembling integrated data and voice services. The mechanism accomplishes this by using an access management component that checks for access credentials, a service management component that identifies which resources are available to a requestor of resources, and a resource management component that manages the requested resources. In one exemplary implementation, a fourth component, the policy management component, links the first three components such that a resource request gains access to resources based on policy decisions determined by the fourth component for the first three components. | 05-13-2010 |
20100125891 | Activity Monitoring And Information Protection - Disclosed herein is a computer implemented method and system for monitoring user activity and protecting information in an online environment. A security client application is provided on a computing device of a user. A local software component preloaded on the computing device is embedded within the security client application on the computing device. The security client application queries a policy server for a security policy for the user on receiving a request for access to the information from the user. The user is granted controlled access to the information based on the security policy. The granted controlled access enables enforcement of the security policy. The security client application permits the user to perform predefined activities on the information using the granted controlled access. The security client application prevents the user from performing activities apart from the predefined activities. The security client application tracks the performed predefined activities. | 05-20-2010 |
20100132009 | Systems and Methods for HTTP Callouts for Policies - A method of identifying an action of a policy in association with communications between a client and one or more servers includes determining, by an intermediary, a policy action based on using a callout based policy. In one aspect, an intermediary receives communications between a client and one or more servers. The intermediary identifies a policy for the communications, the policy specifying a request and a server to communicate the request. Responsive to the policy, the intermediary transmits the request to the server. Based on the server response to the request, the intermediary determines an action of the policy. In another aspect, a system for the present method includes an intermediary and a policy engine for identifying a policy to specify a request and a destination server. Responsive to a server response to the request, the intermediary determines an action of the policy. | 05-27-2010 |
20100132010 | IMPLEMENTING POLICIES IN RESPONSE TO PHYSICAL SITUATIONS - A method and apparatus is described to implement policies associated with physical situations (e.g., supply of power, occurrence of a fire, etc.). The method may comprise accessing sensor data captured by a sensor monitoring a physical situation to identify at least one activity occurring during the physical situation. A policy database including a plurality of policies may be accessed to identify at least two lower-level policies associated with the physical situation. Further, the policy database may be accessed to identify at least one higher-level policy associated with the physical situation. The higher-level policy may control implementation of the at least two lower-level policies. | 05-27-2010 |
20100132011 | Mechanism to Implement Security in Process-Based Virtualization - In one embodiment, a mechanism to implement security in process-based virtualization is disclosed. In one embodiment, a method includes maintaining a security policy for a process-based virtualization system, initializing a virtual machine (VM) in the process-based virtualization system, assigning a security label to the VM, and enforcing the security policy on the VM based on the security label of the VM in order to isolate the VM from other VMs in the process-based virtualization system. | 05-27-2010 |
20100132012 | MERGING MANDATORY ACCESS CONTROL (MAC) POLICIES IN A SYSTEM WITH MULTIPLE EXECUTION CONTAINERS - Application of a local instance of a general security policy is described. In a system with an instance of a program executing in a path container, a security policy applicable to the instance of the program is managed locally for the path container. The path container provides a confined execution environment for the program instance, and the security policy defines permitted operations for the program and all its instances. The instance of the security policy is associated with the path container, which allows the program instance to “see” management within the path container as though it were governed by the general security policy, while entities having permissions outside the path container “see” the program instance limited to the path container and its associated security policy instance. | 05-27-2010 |
20100132013 | RELIABLY TERMINATING PROCESSES IN A SYSTEM WITH CONFINED EXECUTION ENVIRONMENTS - Terminating a process executing within a container is described. An access restriction applicable to the process is temporarily modified with a policy change that prevents creating new processes within the container. The policy change prevents operations that would allow processes within the container from performing a fork operation, or otherwise spawning new processes within the container. The policy change may be, for example, applied by means of a rule added or removed from an access restriction policy. While the processes are prevented from creating new processes, one specified process or all processes within the container are terminated. After termination of the process(es), the policy change can be reversed, allowing normal use of the container. | 05-27-2010 |
20100132014 | SECURE COMPOSITION OF WEB SERVICES - A method includes providing a model that allows defining acceptable sets of security features ((sf | 05-27-2010 |
20100138893 | PROCESSING METHOD FOR ACCELERATING PACKET FILTERING - A processing method for accelerating packet filtering is used to accelerate the filtering of packet data in a computer. The method includes the following steps. A plurality of packet filtering policies is loaded. Feature values of each packet filtering policy are resolved. A grouping procedure is performed on the packet filtering policies according to the feature values, so as to add the packet filtering policies meeting a threshold value to corresponding policy groups. A performing sequence of the packet filtering policies within each policy group is determined according to the performing sequence of the packet filtering policies. A performing sequence of the policy groups is determined according to the producing sequence of the policy groups. A plurality of packet data is received. When a packet does not match any policy group, the default policy is processed according to the protocol information of the packet. | 06-03-2010 |
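The grouping idea in the abstract above, as an added Python example (not code from the patent or its applicant): policies are loaded in order, their protocol is taken as the feature value, protocols that reach a threshold number of policies get their own group (created in first-appearance order, policies kept in load order), and a packet only walks the group for its own protocol plus any ungrouped leftovers before falling back to a per-protocol default. The rule set, the per-protocol defaults and the packets are constructed for the example; the returned comparison count shows the work saved.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Policy:
    name: str
    proto: str               # feature value used for grouping ("tcp", "udp", "icmp")
    dst_port: Optional[int]  # None matches any destination port
    src_net: Optional[str]   # CIDR; None matches any source address
    action: str              # "allow" or "deny"

    def matches(self, proto: str, src_ip: str, dst_port: int) -> bool:
        if self.proto != proto:
            return False
        if self.dst_port is not None and self.dst_port != dst_port:
            return False
        if self.src_net is not None and ipaddress.ip_address(src_ip) not in ipaddress.ip_network(self.src_net):
            return False
        return True


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    dst_port: int  # 0 for protocols without ports (ICMP)


class GroupedFilter:
    """Groups policies by a feature value (here: protocol) so a packet only walks the group it can match."""

    def __init__(self, policies: List[Policy], threshold: int, default_by_proto: Dict[str, str]):
        self.default_by_proto = default_by_proto
        # Resolve feature values: how many loaded policies share each protocol.
        counts: Dict[str, int] = {}
        for p in policies:
            counts[p.proto] = counts.get(p.proto, 0) + 1
        # Groups are created in producing sequence (first appearance); policies keep their load order.
        # Feature values that do not reach the threshold get no group and stay in a flat list.
        self.groups: Dict[str, List[Policy]] = {}
        self.ungrouped: List[Policy] = []
        for p in policies:
            if counts[p.proto] >= threshold:
                self.groups.setdefault(p.proto, []).append(p)
            else:
                self.ungrouped.append(p)

    def evaluate(self, pkt: Packet) -> Tuple[str, str, int]:
        """Return (action, matched policy name or "default", number of policy comparisons performed)."""
        checked = 0
        for p in self.groups.get(pkt.proto, []) + self.ungrouped:
            checked += 1
            if p.matches(pkt.proto, pkt.src_ip, pkt.dst_port):
                return p.action, p.name, checked
        # No policy matched: fall back to the per-protocol default.
        return self.default_by_proto.get(pkt.proto, "deny"), "default", checked


# Constructed sample rule set (load order matters inside a group).
POLICIES = [
    Policy("web-allow", "tcp", 80, None, "allow"),
    Policy("ssh-admin", "tcp", 22, "10.0.0.0/24", "allow"),
    Policy("dns-allow", "udp", 53, None, "allow"),
    Policy("ssh-deny", "tcp", 22, None, "deny"),
    Policy("ntp-allow", "udp", 123, None, "allow"),
    Policy("ping-lan", "icmp", None, "192.168.1.0/24", "allow"),
]
# Constructed per-protocol defaults used when no policy matches.
DEFAULTS = {"tcp": "deny", "udp": "deny", "icmp": "allow"}


def build_filter(threshold: int = 2) -> GroupedFilter:
    return GroupedFilter(POLICIES, threshold, DEFAULTS)


if __name__ == "__main__":
    f = build_filter()
    print("groups:", list(f.groups), "ungrouped:", [p.name for p in f.ungrouped])
    for pkt in (Packet("tcp", "10.0.0.5", 22), Packet("tcp", "203.0.113.9", 22),
                Packet("udp", "203.0.113.9", 53), Packet("icmp", "203.0.113.9", 0)):
        print(pkt, "->", f.evaluate(pkt))
```

With the threshold at 2, ICMP has a single policy and stays ungrouped; a UDP packet is compared against the two UDP policies only, never against the TCP ones.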
20100138894 | INFORMATION PROCESSING APPARATUS, INFORMATION PROCESSING METHOD, AND COMPUTER READABLE MEDIUM - An information processing apparatus includes: a storage that associates each of a plurality of pieces of use limitation information with characteristic information and stores the associated pairs; and a selection unit that, in response to an instruction specifying a document for which a policy for limitation on use is to be determined, acquires characteristic information from the specified document, compares it with the characteristic information associated with each of the plurality of pieces of use limitation information stored in the storage, and, based on the result of the comparison, selects from the plurality of pieces of use limitation information a candidate to be used for limiting use of the specified document. | 06-03-2010 |
20100138895 | Module and associated method for TR-069 Object management - The present invention relates to a security module for use in management of a TR-069 Object Model of a device. The Object Model comprises a plurality of parameters for selection by a view selector module based on credentials and for defining thereby an object model view associated with the device. The security module comprises means for associating the object model view with a security policy and means for configuring the security attributes of the security policy on an intermediate network entity. | 06-03-2010 |
20100138896 | INFORMATION PROCESSING SYSTEM AND INFORMATION PROCESSING METHOD - In an information processing system, when an application is added to an information processing apparatus, an identifier of a resource of the information processing apparatus that is used by the application is acquired, and a rule suitable for the application is generated based on a rule defined in advance for that resource identifier. The generated rule is applied to the information processing apparatus. | 06-03-2010 |
20100138897 | POLICY-BASED SELECTION OF REMEDIATION - A method of automatically determining one or more remediations for a device that includes a processor may include: receiving values of a plurality of parameters which collectively characterize an operational state of the device, there being at least one policy associated with at least a given one of the plurality of parameters, each policy defining as a condition thereof one or more potential values of, or based upon, the given parameter, satisfaction of the condition potentially being indicative of unauthorized activity or manipulation of the device; automatically determining, from the received parameter values, whether the conditions for any of the policies are satisfied; and automatically selecting one or more remediations for the device according to the satisfied policies. | 06-03-2010 |
20100146582 | ENCRYPTION MANAGEMENT IN AN INFORMATION HANDLING SYSTEM - A method of enforcing an encryption policy in an information handling system includes receiving a request for access to data, automatically identifying from a plurality of encryption policies a particular encryption policy associated with the requested data, selecting an available encryption implementation module capable of enforcing the identified encryption policy, and initiating an encryption or decryption of the requested data using the selected encryption implementation module. | 06-10-2010 |
20100146583 | METHOD AND APPARATUS FOR OBFUSCATING CONTEXT INFORMATION - In some examples, context information is determined. The context information is associated with a user and based on information of a communication device associated with the user. The context information is obfuscated based on user information associated with the user, such as a privacy policy, user profile, user preferences, user activity, and/or any combination of the aforementioned. In other examples, the context information is determined based on a user location and/or user information. | 06-10-2010 |
20100146584 | AUTOMATIC GENERATION OF POLICIES AND ROLES FOR ROLE BASED ACCESS CONTROL | 06-10-2010 |
20100146585 | Content Access Policy Management for Mobile Handheld Devices - Devices and methods are disclosed which relate to a mobile communications device which presents a user with content optimized for the mobile communications device based on connection speed, device capabilities, and user preferences. When a user wishes to view content, the user inputs an address. The mobile communications device accesses a policy management agent. The policy management agent checks an onboard database of websites, their mobile counterparts, and attributes of each. An optimal website is selected and the mobile communications device requests content from that website instead. | 06-10-2010 |
20100146586 | APPARATUS AND METHOD FOR MANAGING IDENTITY INFORMATION - Provided are an apparatus and method for managing identity information. The apparatus includes a contract detail manager managing details of an identity information sharing contract made between a user and an identity provider (IdP) wanting to provide identity information about the user, and details of an identity information sharing contract made between the user and an identity consumer (IdC) wanting to be provided with the identity information about the user, an IdP selector selecting an IdP capable of providing the identity information about the user based on the details of the sharing contract when a request for the identity information about the user is input from the IdC, and an information provider obtaining information according to the identity information request from the selected IdP, and providing the obtained information to the IdC. The apparatus and method solve the problem of all of a user's identity information being provided to an IdC under the user's blanket agreement. | 06-10-2010 |
20100154024 | METHODS, APPLIANCES, AND COMPUTER PROGRAM PRODUCTS FOR CONTROLLING ACCESS TO A COMMUNICATION NETWORK BASED ON POLICY INFORMATION - A method of operating an appliance in a communication network includes receiving policy information associated with at least one network access account from a responsible party associated with the account, the policy information restricting and/or expanding allowable use of the communication network, and controlling access to the communication network based on the received policy information. | 06-17-2010 |
20100154025 | INTEGRATING POLICIES FROM A PLURALITY OF DISPARATE MANAGEMENT AGENTS - Described herein are embodiments for managing policies of a mobile device. In embodiments, a mobile device receives policy containers from a plurality of disparate management agents. Each policy container has one or more policies. Each policy corresponds to a particular category that governs various aspects of the device. The policies described herein may be device wide policies corresponding to various features on the device. The policies may also be data specific policies which dictate how data is stored on and transferred to and from the device. Once the policies are received, a determination is made as to which policy in each category is the most secure policy. The most secure policy for each category is merged to create a global policy that is applied to the mobile device. | 06-17-2010 |
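The "most secure policy per category" merge described above, as an added Python example (not the patent's or any vendor's code). The security ordering per category is the part the abstract leaves implicit: a longer PIN or shorter lock timeout is stricter, a required encryption flag beats an optional one, a disabled camera beats an enabled one. That ordering table, the three agent containers and their category names are constructed for the example; a category with no known ordering is rejected rather than silently merged.

```python
from dataclasses import dataclass
from typing import Any, Dict

# Which value of a category is stricter. "higher"/"lower" apply to numeric values,
# "true"/"false" to booleans. Constructed for the example; a real agent framework
# would ship this ordering alongside its policy schema.
STRICTER: Dict[str, str] = {
    "min_pin_length": "higher",         # longer PIN is stricter
    "max_inactivity_seconds": "lower",  # shorter auto-lock timeout is stricter
    "encryption_required": "true",
    "camera_allowed": "false",
    "allow_unsigned_apps": "false",
}


@dataclass(frozen=True)
class Decision:
    value: Any
    source: str  # management agent whose policy won the category


def is_stricter(category: str, candidate: Any, incumbent: Any) -> bool:
    rule = STRICTER[category]
    if rule == "higher":
        return candidate > incumbent
    if rule == "lower":
        return candidate < incumbent
    if rule == "true":
        return bool(candidate) and not bool(incumbent)
    if rule == "false":
        return not bool(candidate) and bool(incumbent)
    raise ValueError(f"unknown ordering {rule!r} for {category!r}")


def merge_policies(containers: Dict[str, Dict[str, Any]]) -> Dict[str, Decision]:
    """Merge per-agent policy containers into one global policy, keeping the most secure value per category."""
    merged: Dict[str, Decision] = {}
    for agent, policies in containers.items():
        for category, value in policies.items():
            if category not in STRICTER:
                # Refuse to guess: an unordered category cannot be merged safely.
                raise ValueError(f"no security ordering defined for category {category!r}")
            current = merged.get(category)
            if current is None or is_stricter(category, value, current.value):
                merged[category] = Decision(value, agent)
    return merged


# Constructed policy containers from three disparate management agents.
CONTAINERS = {
    "exchange-agent": {"min_pin_length": 6, "encryption_required": True, "max_inactivity_seconds": 900},
    "mdm-agent": {"min_pin_length": 4, "encryption_required": False, "max_inactivity_seconds": 300,
                  "camera_allowed": False},
    "vpn-agent": {"min_pin_length": 8, "camera_allowed": True, "allow_unsigned_apps": False},
}


def global_policy() -> Dict[str, Decision]:
    return merge_policies(CONTAINERS)


if __name__ == "__main__":
    for category, d in sorted(global_policy().items()):
        print(f"{category:<24} {d.value!s:<6} (from {d.source})")
```

Each winning value carries the agent it came from, so a device-side log can explain why, for instance, the PIN length is 8 even though the MDM agent asked for 4.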
20100154026 | AUTOMATED SOFTWARE RESTRICTION POLICY RULE GENERATION - Software restriction policy rules can be automatically generated by parsing through a specified metadata source and generating the rules in accordance with indicated preferences. Metadata sources can include storage locations, such as folders, in which case rules for each executable file in the folder can be generated. Metadata sources can also include trusted publisher stores, installation logs, difference files, and other like data sources. Indicated preferences can select from among rules based on the publisher, for files that are signed, or rules based on hashes or path information for unsigned files. In generating rules to prevent the execution of specified files, if an optimized set of rules is desired, a check can be made to determine if an exception to an existing rule can be generated instead of a new rule. The automated parsing of the indicated metadata source can provide for both completeness and correctness. | 06-17-2010 |
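Rule generation from a metadata source, as an added Python example (not the patent's or Microsoft's code). A folder listing is modelled as constructed file metadata; signed files get a publisher rule, unsigned files a hash rule or a path rule according to the indicated preference, duplicates are suppressed, and when deny rules are generated the optimisation from the abstract applies: a file already covered by an existing allow rule becomes an exception on that rule instead of a new rule. The publisher strings and paths are illustrative, and the evaluator assumes a default-deny posture.

```python
import copy
import hashlib
from dataclasses import dataclass, field
from typing import Iterable, List, Optional, Tuple

Identity = Tuple[str, str]  # (kind, value): kind is "publisher", "hash" or "path"


@dataclass(frozen=True)
class FileMeta:
    """Metadata the generator reads from its source (folder listing, install log, ...). Constructed here."""
    path: str
    content: bytes
    publisher: Optional[str]  # signer subject if the file is signed, None if unsigned


@dataclass
class Rule:
    identity: Identity
    action: str  # "allow" or "deny"
    exceptions: List[Identity] = field(default_factory=list)


def specific_identity(f: FileMeta, unsigned_pref: str) -> Identity:
    """Identity that pins exactly one file: its hash, or its path if the caller prefers path rules."""
    if unsigned_pref == "path":
        return ("path", f.path)
    return ("hash", hashlib.sha256(f.content).hexdigest())


def identity_for(f: FileMeta, unsigned_pref: str) -> Identity:
    """Preferred identity: publisher for signed files, hash or path (per preference) for unsigned ones."""
    if f.publisher:
        return ("publisher", f.publisher)
    return specific_identity(f, unsigned_pref)


def covers(ident: Identity, f: FileMeta) -> bool:
    kind, value = ident
    if kind == "publisher":
        return f.publisher == value
    if kind == "hash":
        return hashlib.sha256(f.content).hexdigest() == value
    if kind == "path":
        return f.path.lower() == value.lower()
    return False


def generate_rules(files: Iterable[FileMeta], action: str = "allow", unsigned_pref: str = "hash",
                   existing: Optional[List[Rule]] = None, optimize: bool = True) -> List[Rule]:
    """Parse the metadata source and emit rules. With optimize=True, a deny for a file already
    covered by an allow rule becomes an exception on that rule instead of a new rule."""
    rules: List[Rule] = copy.deepcopy(existing) if existing else []
    for f in files:
        ident = identity_for(f, unsigned_pref)
        if action == "deny" and optimize:
            covering = next((r for r in rules if r.action == "allow" and covers(r.identity, f)), None)
            if covering is not None:
                exc = specific_identity(f, unsigned_pref)  # never except by publisher: that would exempt all files
                if exc not in covering.exceptions:
                    covering.exceptions.append(exc)
                continue
        if not any(r.identity == ident and r.action == action for r in rules):
            rules.append(Rule(ident, action))
    return rules


def evaluate(rules: List[Rule], f: FileMeta) -> str:
    """Deny rules win, then allow rules minus their exceptions; anything else is denied (default-deny assumed)."""
    if any(r.action == "deny" and covers(r.identity, f) for r in rules):
        return "deny"
    for r in rules:
        if r.action == "allow" and covers(r.identity, f) and not any(covers(e, f) for e in r.exceptions):
            return "allow"
    return "deny"


# Constructed folder contents; the publisher string is illustrative, not a real certificate subject.
CONTOSO = "CN=Contoso Ltd, O=Contoso Ltd, C=US"
FOLDER = [
    FileMeta(r"C:\Program Files\Contoso\app.exe", b"MZ app", CONTOSO),
    FileMeta(r"C:\Program Files\Contoso\updater.exe", b"MZ updater", CONTOSO),
    FileMeta(r"C:\Program Files\Contoso\helper.exe", b"MZ helper", None),
    FileMeta(r"C:\Program Files\Contoso\legacy.dll", b"MZ legacy", None),
]
DROPPER = FileMeta(r"C:\Users\Public\dropper.exe", b"MZ dropper", None)


if __name__ == "__main__":
    allow = generate_rules(FOLDER)                                   # 1 publisher rule + 2 hash rules
    tightened = generate_rules([FOLDER[1]], "deny", existing=allow)  # exception on the publisher rule, no 4th rule
    for r in tightened:
        print(r.action, r.identity[0], r.identity[1][:24], "exceptions:", len(r.exceptions))
    for f in FOLDER + [DROPPER]:
        print(f.path, "->", evaluate(tightened, f))
```

Run with optimize=False the same deny request produces a publisher-level deny rule, which blocks every Contoso binary including app.exe; that is the correctness problem the exception optimisation avoids.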
20100154027 | Methods and Systems for Enabling Community-Tested Security Features for Legacy Applications - A computer-implemented method for enabling community-tested security features for legacy applications may include: 1) identifying a plurality of client systems, 2) identifying a legacy application on a client system within the plurality of client systems, 3) identifying a security-feature-enablement rule for the legacy application, 4) enabling at least one security feature for the legacy application by executing the security-feature-enablement rule, 5) determining the impact of the security-feature-enablement rule on the health of the legacy application, and then 6) relaying the impact of the security-feature-enablement rule on the health of the legacy application to a server. Various other methods, systems, and computer-readable media are also disclosed. | 06-17-2010 |
20100154028 | MIGRATING A NETWORK TO TUNNEL-LESS ENCRYPTION - A method comprises, in a network comprising VPN gateway devices configured only for plaintext data communication, configuring a policy server with a security policy including DO NOT ENCRYPT statements temporarily overriding PERMIT statements defining which packets should be encrypted; selecting one sub-group of the VPN gateway devices in which tunnel-less encryption is not configured; configuring the VPN gateway devices in the sub-group for tunnel-less encryption by: configuring each device in a passive mode of operation in which the device is configured to receive either encrypted packets or plaintext packets matching the encryption policy; configuring local DO NOT ENCRYPT statements matching traffic that is currently being converted to ciphertext; removing, from the access control list of the policy server, DO NOT ENCRYPT statements referring to protected LAN CIDR blocks behind the VPN gateway devices in the selected sub-group; configuring the sub-group to send encrypted packets by removing, from each of the VPN gateway devices in the selected sub-group, the local DO NOT ENCRYPT statements for the CIDR blocks currently being converted and protected by the selected sub-group; repeating the configuring of each of the VPN gateway devices in the selected sub-group for tunnel-less encryption, and the configuring of the sub-group to send encrypted packets, for each other one of the sub-groups; and removing the passive mode on each of the VPN gateway devices. | 06-17-2010 |
20100154029 | Method, Apparatuses and Computer Program for Dynamically Configuring a Proxy Call Session Control Function of the IP Multimedia Subsystem From a Policy Control Rules Server - The present invention addresses the problem of network scenarios where there is no user differentiation, and where sessions established through an IP Multimedia Subsystem always proceed in the same way regardless of user categories and regardless of whether a user has accessed through a fixed or a mobile network. To this end, the present invention provides a new method for dynamically configuring a Proxy Call Session Control Function of the IP Multimedia Subsystem from a Policy Control Rules server responsible for installing control rules to authorize media flows at an entity in the bearer layer. This entity in the bearer layer may be a Policy and Charging Enforcement Point of a PCC architecture, whereas the Policy Control Rules server may be a Policy and Charging Rules Function of the PCC architecture. | 06-17-2010 |
20100154030 | Methods and Apparatus for Providing Alternative Paths to Obtain Session Policy - A method for a user agent to access a session policy in a network is provided. The method comprises the user agent receiving in a header field of a response message a plurality of uniform resource identifiers (URIs) for a policy server, wherein each of the plurality of URIs uses a different policy channel protocol. | 06-17-2010 |
20100154031 | Methods and Apparatus for Providing Indirect Alternative Paths to Obtain Session Policy - A method for a user agent to access a session policy in a network is provided. The method comprises sending, from the user agent, a single session policy request to a single network component, the single network component contacting a plurality of network components, wherein sending the single session policy request to the single network component utilizes a lower layer protocol. The lower layer protocol is at least one of Extensible Authentication Protocol (EAP), Point to Point Protocol (PPP), and General Packet Radio Service (GPRS) Activate Packet Data Protocol (PDP) context. The method further comprises aggregating policy information and providing the aggregated policy information to the user agent. | 06-17-2010 |
20100162346 | SELECTING SECURITY OFFERINGS - Methods, systems, and computer-readable media are disclosed for selecting a set of security offerings. A particular method includes receiving a security need profile associated with a computing environment and receiving security offering information related to a plurality of security offerings. The security offerings of the plurality of security offerings are evaluated with respect to the security need profile. A set of security offerings from the plurality of security offerings is automatically selected. | 06-24-2010 |
20100162347 | ADAPTIVE DATA LOSS PREVENTION POLICIES - A monitor detects a policy violation on a computing device, wherein the policy violation includes a user attempt to perform an operation to move data that includes sensitive information off the computing device. The monitor determines whether one or more previous policy violations have occurred on the computing device. The monitor performs an action to minimize a risk of data loss based on the one or more previous policy violations. | 06-24-2010 |
20100162348 | METHOD AND APPARATUS FOR PROVIDING NETWORK COMMUNICATION ASSOCIATION INFORMATION TO APPLICATIONS AND SERVICES - A system and method are provided that allow an application on a first terminal to inquire about available network communication associations that it can use to send data to another terminal, thereby avoiding the establishment of a new network communication association with the other terminal. A security information module may serve to collect and/or store information about available network communication associations between the first terminal and another terminal across different layers. The security information module may also assess a trust level for the network communication associations based on security mechanisms used to establish each association and/or past experience information reported for these network communication associations. Upon receiving a request for available network communication associations, the security information module provides this to the requesting application which can use it to establish communications with a corresponding application on the other terminal. | 06-24-2010 |
20100162349 | CONTENT PROTECTION DEVICE, CONTENT PROTECTION METHOD, AND COMPUTER READABLE MEDIUM - A content protection device includes: a use restriction definition information storage that stores one or more pieces of use restriction definition information in which at least use restriction conditions to restrict use of contents are defined; a comparison unit that monitors writing of an access log into an access log accumulation unit and, when the access log is written into the access log accumulation unit, compares the use manner in which the content specified by the access log is used with the use restriction conditions included in the use restriction definition information; and a restriction unit that, if the result of the comparison indicates that the use manner meets any of the use restriction conditions, restricts at least the same kind of use as the use manner. | 06-24-2010 |
20100162350 | SECURITY SYSTEM OF MANAGING IRC AND HTTP BOTNETS, AND METHOD THEREFOR - The present invention relates to a security system for managing IRC and HTTP botnets and a method therefor. More specifically, the present invention relates to a system and a method that detects a botnet in an Internet service provider network, stores information related to the detected botnet in a database, and performs security management of IRC and HTTP botnets, including a botnet management security management (BMSM) system configured to visualize the information related to the detected botnet and establish a countermeasure policy related to the detected botnet. Accordingly, the present invention provides a security system for managing IRC and HTTP botnets that can efficiently perform the security management of IRC and HTTP botnets by using the BMSM system. | 06-24-2010 |
20100162351 | SYSTEM AND METHOD FOR DOCUMENT ACCESS MANAGEMENT - In a system for document access management, each page of the electronic document is converted into an image, and viewing and download permission to view and download each converted image are set. The page of the electronic document is further converted into a restricted image comprising only designated elements. | 06-24-2010 |
20100169947 | SYSTEM AND METHOD FOR MOBILE USER AUTHENTICATION - As individuals increasingly employ their wireless devices to engage in different types of activities, they face a growing threat from, possibly among other things, identity theft, financial fraud, information misuse, etc., and the serious consequences or repercussions of same. Leveraging the ubiquitous nature of wireless devices and the popularity of messaging (Short Message Service, Multimedia Message Service, etc.), an infrastructure is provided that enhances the security of the different types of activities in which a wireless device user may participate through dynamically configurable levels of authentication. The infrastructure may optionally leverage the capabilities of a centrally-located Messaging Inter-Carrier Vendor. | 07-01-2010 |
20100169948 | INTELLIGENT SECURITY CONTROL SYSTEM FOR VIRTUALIZED ECOSYSTEMS - Resources of a virtualized ecosystem are intelligently secured by defining and analyzing object handling security control information for one or more logical resources in the virtualized ecosystem and deriving therefrom object properties for each of the logical resources involved in the execution of a virtual machine in any given context within the virtualized ecosystem. | 07-01-2010 |
20100169949 | SYSTEM AND METHOD TO PROVIDE ADDED SECURITY TO A PLATFORM USING LOCALITY-BASED DATA - In some embodiments, the invention involves protecting a platform using locality-based data and, more specifically, to using the locality-based data to ensure that the platform has not been stolen or subject to unauthorized access. In some embodiments, a second level of security, such as a key fob, badge or other source device having an identifying RFID is used for added security. Other embodiments are described and claimed. | 07-01-2010 |
20100169950 | POLICY MANAGEMENT IN A ROAMING OR HANDOVER SCENARIO IN AN IP NETWORK - The invention comprises methods and arrangements for Policy Decision Point discovery in a roaming or handover scenario in an IP network (IN) comprising a plurality of network elements. The invention comprises methods and arrangements in a user equipment for receiving the address of the serving policy decision point and sending to the Home Agent a registration request comprising the local IP address of the user equipment so that the home agent can register the local IP address. The registration request will also comprise the address (ASPDP1) of the serving policy decision point (SPDP1) so that the Home Agent can forward the address of the serving policy decision point to the anchor Policy Decision Point and so that the anchor Policy Decision Point can contact the serving policy decision point by using said address of the serving Policy Decision Point. | 07-01-2010 |
20100175103 | REACTIVE THROTTLING OF INBOUND MESSAGES AND RANGES - A method for throttling inbound email messages in an enterprise email system including a plurality of inbound mail servers and at least one management server is provided. Policies defining message event limits for each unique sender are applied to messaging events from the unique sender at each inbound server. Feedback from each of the inbound mail servers to the management server is provided. When events from a unique sender exceed a threshold, as determined by the management server using the feedback, an alert is generated and a new, more restrictive policy for the unique sender is created. The more restrictive policy is broadcast to each of the inbound mail servers. | 07-08-2010 |
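The feedback loop described above, as an added Python simulation (not the patent's or any mail vendor's code). Three constructed inbound servers each enforce a per-sender limit locally; a bulk sender that spreads its traffic so every server stays under its own limit is only caught when the management server sums the feedback, raises an alert, and broadcasts a tighter per-sender policy that every server applies in the next window. Server names, limits, thresholds and sender addresses are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class SenderPolicy:
    sender: str
    max_per_window: int  # messages one inbound server accepts from this sender per window


class InboundServer:
    """One MX host: enforces per-sender limits locally and reports per-sender counts as feedback."""

    def __init__(self, name: str, default_limit: int):
        self.name = name
        self.default_limit = default_limit
        self.policies: Dict[str, SenderPolicy] = {}
        self.counts: Dict[str, int] = defaultdict(int)
        self.rejected: Dict[str, int] = defaultdict(int)

    def install(self, policy: SenderPolicy) -> None:
        self.policies[policy.sender] = policy

    def receive(self, sender: str) -> bool:
        limit = self.policies[sender].max_per_window if sender in self.policies else self.default_limit
        self.counts[sender] += 1
        if self.counts[sender] > limit:
            self.rejected[sender] += 1
            return False
        return True

    def feedback(self) -> Dict[str, int]:
        return dict(self.counts)

    def new_window(self) -> None:
        self.counts.clear()
        self.rejected.clear()


class ManagementServer:
    """Aggregates feedback from all inbound servers. A sender that stays under every local limit
    but exceeds the enterprise-wide threshold gets a tighter policy broadcast to every server."""

    def __init__(self, servers: List[InboundServer], alert_threshold: int, restricted_limit: int):
        self.servers = servers
        self.alert_threshold = alert_threshold
        self.restricted_limit = restricted_limit
        self.alerts: List[Tuple[str, int]] = []

    def collect(self) -> List[Tuple[str, int]]:
        totals: Dict[str, int] = defaultdict(int)
        for s in self.servers:
            for sender, n in s.feedback().items():
                totals[sender] += n
        new_alerts: List[Tuple[str, int]] = []
        for sender, total in totals.items():
            already_restricted = any(sender in s.policies for s in self.servers)
            if total > self.alert_threshold and not already_restricted:
                new_alerts.append((sender, total))  # the alert
                policy = SenderPolicy(sender, self.restricted_limit)
                for s in self.servers:  # broadcast the more restrictive policy
                    s.install(policy)
        self.alerts.extend(new_alerts)
        return new_alerts


def deliver(servers: List[InboundServer], sender: str, per_server: int) -> int:
    """Sender spreads its traffic evenly over all inbound servers; returns the number accepted."""
    return sum(1 for s in servers for _ in range(per_server) if s.receive(sender))


def simulate() -> Dict[str, object]:
    servers = [InboundServer(f"mx{i}", default_limit=100) for i in range(3)]
    mgmt = ManagementServer(servers, alert_threshold=200, restricted_limit=10)
    # Window 1: the bulk sender keeps each server under its local limit (90 < 100) but sends 270 overall.
    bulk_w1 = deliver(servers, "bulk@example.net", 90)
    legit_w1 = deliver(servers, "alice@example.com", 5)
    alerts = mgmt.collect()
    for s in servers:
        s.new_window()
    # Window 2: same pattern, now against the broadcast policy of 10 per server.
    bulk_w2 = deliver(servers, "bulk@example.net", 90)
    legit_w2 = deliver(servers, "alice@example.com", 5)
    return {"bulk_w1": bulk_w1, "bulk_w2": bulk_w2, "legit_w1": legit_w1, "legit_w2": legit_w2,
            "alerts": alerts, "rejected_w2": sum(s.rejected["bulk@example.net"] for s in servers)}


if __name__ == "__main__":
    print(simulate())
```

The legitimate low-volume sender is untouched in both windows; only the sender named in the alert receives the restrictive policy.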
20100175104 | SAFE AND SECURE PROGRAM EXECUTION FRAMEWORK WITH GUEST APPLICATION SPACE - A system and method are provided that allow a computer user to create a temporary guest running space for applications without switching the user environment. This method allows the user to run trusted applications in the regular running space while keeping a separate working space for applications that use or visit untrusted data sources. | 07-08-2010 |
20100175105 | Systems and Processes for Managing Policy Change in a Distributed Enterprise - A method for managing changes to policies in an enterprise includes receiving a systems policy change request to change a systems policy that implements a published enterprise policy, determining whether the requested systems policy change complies with the published enterprise policy, and updating the systems policy according to the requested systems policy change if the requested systems policy change complies with the published enterprise policy. A system for managing policies in an enterprise includes a policy management module configured for receiving published policies and generating corresponding systems policies having data for implementing the published policies, and a policy library storing the published policies and the systems policies. | 07-08-2010 |
20100175106 | Systems and Methods for Performing Remote Configuration Compliance Assessment of a Networked Computer Device - The disclosed principles describe systems and methods for assessing the policy compliance of a target device, wherein the assessment is performed by a scanning computer in communication with the target device via a communication network. By employing a system or method in accordance with the disclosed principles, distinct advantages are achieved. Specifically, conducting such a remote scan allows the scanning computer to assess the remote device without installing client software on the remote device. Also, conducting a compliance assessment according to the disclosed principles allows the target device to be assessed after policy updates and changes without requiring the target device to be re-scanned. Thus, the disclosed principles reduce the need for internal IT resources to manage the assessment and updates of client configuration settings on the target device. | 07-08-2010 |
20100180318 | Flexible supplicant access control - Systems, methods, and other embodiments associated with flexible supplicant access control are described. One example method includes collecting a network information associated with a network to which an endpoint is to be communicatively coupled. The network information comprises a network identification and information to facilitate the evaluation of network threats. The example method may also include classifying the network based, at least in part, on the network information, to assign a variable level access parameter (VLAP) to the network based on the policy locally configured on the endpoint or centrally managed by the administrator. The VLAP may establish three or more access levels for the network at the endpoint. The example method may also include communicating the network identification and the network VLAP to a second endpoint, a security agent, a security application, and so on. | 07-15-2010 |
20100180319 | Method and System for Session Modification - A method and system for session modification are provided. The method includes these steps: A home policy and charging rules function (h-PCRF) sends a policy and charging control (PCC) rule providing message to a first policy and charging enforcement function (PCEF) according to a received PCC rule request message, an application layer service message, or an h-PCRF self-trigger event; and the h-PCRF sends a PCC rule providing message to a second PCEF according to a PCC rule response message received from the first PCEF. With this present disclosure, session modification may be implemented when two or more PCEFs are included in the PCC architecture of a system architecture evolution (SAE) system. | 07-15-2010 |
20100186062 | PROTECTING CONTENT FROM THIRD PARTY USING CLIENT-SIDE SECURITY PROTECTION - Architecture that employs encryption and storage of encryption keys to protect trusted client message content from an untrusted third-party hosted service. Each trusted user machine is configured to optionally apply security to messages. Rules determine when automatic protection is applied and the level of protection to apply. The trusted client automatically downloads the rules (or rules policies) from a trusted rules service and caches the rules locally. During composition, the rules analyze the message and automatically apply security template(s) to the message. The security template(s) encrypt the body of the message, but not the headers or subject. The untrusted message service processes the header and delivers the message to the correct recipient. The hosted service cannot view the contents of the message body, and only intended recipients of the protected message can view the message body. Offline protection is supported, and the user can override protection by the rules. | 07-22-2010 |
20100186063 | SYSTEM AND METHOD FOR SETTING SECURITY CONFIGURATION TO A DEVICE - A method of accessing an image forming apparatus (IFA) or a multifunction printer (MFP) using a management device (MD) via a network, transmitting security information from the MD to the IFA, updating an original security configuration of the IFA with a new security configuration using the security information, using the new security configuration by the IFA, and confirming the new security configuration with the MD. After confirming, it is preferable that the security information is deleted. Also, an IFA including a confirmation unit and a write protection unit for use with the method. | 07-22-2010 |
20100186064 | METHOD AND DEVICE FOR OBTAINING CAPABILITIES OF POLICY AND CHARGING ENFORCEMENT FUNCTION - A method for obtaining capabilities of a Policy and Charging Enforcement Function (PCEF) includes these steps: a Policy Control and Charging Rules Function (PCRF) obtains capability information of the PCEF; and the PCRF performs processing according to the capability information. A PCRF is also disclosed. With the present disclosure, the PCEF reports its capabilities in advance so that the PCRF makes policy decisions for a service or subscribes to appropriate application events from the PCEF when it knows the capabilities of the PCEF. This avoids possible subscription errors and decision failures arising when the PCRF is unable to know the capabilities of the PCEF. | 07-22-2010 |
20100186065 | METHOD FOR PROTECTING CONTENTS, METHOD FOR SHARING CONTENTS AND DEVICE BASED ON SECURITY LEVEL - A method for using contents, a method for sharing contents, and a device based on security level are disclosed. A method for using contents based on security level creates a device security level according to the number of device identification elements, receives contents, and if the device security level is found to be a minimum allowed device security level for using the contents, uses the contents. Therefore, a device that does not satisfy the conditions required for using contents cannot use the contents, whereby security is reinforced. | 07-22-2010 |
20100192193 | SECURITY RESTRICTION TECHNIQUES FOR BROWSER-BASED APPLICATIONS - Various technologies and techniques are disclosed for restricting security levels that can be used with browser-based applications. When a request is received from an external application to retrieve data for use in a client browser, an intersection is performed on a permission set of a user of the client browser and of the external application to determine a new permission set to use for retrieving the requested data. Techniques for restricting operations of an external application that is being run in a client browser are also described. A session token is returned to a client browser after validating access can be granted to the client browser. Validation is performed to confirm access can be granted to an external application. A request for data is received from the external application, with the request for data containing the session token. The requested data is retrieved and returned to the external application. | 07-29-2010 |
20100192194 | EXTRACTION OF CODE LEVEL SECURITY SPECIFICATION - A method comprising, receiving a source code, identifying a data structure access in the source code, determining whether the data structure access is associated with a security check function, defining the data structure access as a security sensitive operation responsive to determining that the data structure access is associated with the security check function, and defining a security specification to include the security check function and the security sensitive operation. | 07-29-2010 |
20100192195 | MANAGING SECURITY CONFIGURATION THROUGH MACHINE LEARNING, COMBINATORIAL OPTIMIZATION AND ATTACK GRAPHS - The claimed subject matter provides systems and/or methods that combat identity follow-on attacks. The system can include components for receiving a plurality of security configuration changes, selecting which of the changes included in the plurality of security changes to approve or disapprove, and based on which of the changes are approved or disapproved by an administrator, generating a further plurality of security configuration changes that the administrator can once again approve or disapprove until the administrator is satisfied with the security configuration changes. | 07-29-2010 |
20100192196 | HEALTH-BASED ACCESS TO NETWORK RESOURCES - A protection system is described herein that dynamically determines whether a computer system can access a particular resource based on a combination of a dynamic health state of the computer system and a dynamic reputation of the resource. When a user attempts to access a resource, the protection system intercepts the request. The protection system determines the reputation of the resource that the user is attempting to access and the health of the computer system through which the user is attempting to access the resource. Based on the determined resource reputation and the determined computer system health, the protection system determines whether to allow the requested access to the resource. | 07-29-2010 |
20100199323 | System for Dynamically Turning On or Off Log On Methods Used for Access to PC or Network Based Systems - A method or system for dynamically changing the log on environment to a PC or network-based system that allows IT administrators, security personnel or system owners to decide to enable or disable log on methods used for access. | 08-05-2010 |
20100199324 | SYSTEM AND METHOD FOR POLICY-BASED REGISTRATION OF CLIENT DEVICES - A system and method for policy-based registration of client devices is provided. Policy-based registration may use registration keys to register devices on a network. For example, registration keys may include policy assignments, folder assignments, group assignments, or other assignments for registering, identifying, and managing the device on the network. Devices can register one or more times (e.g., using one or more registration keys), resulting in the device being added to any number of folders and groups. Further, the policies may be used to control a registration process or to enforce registration rules. As such, administrators can construct folders or groups of devices with a set of keys, providing a consistent mechanism to easily register and manage a device. | 08-05-2010 |
20100205649 | CREDENTIAL GATHERING WITH DEFERRED INSTANTIATION - Credentials may be gathered to support an access request. In one example, a template describes the credentials to be gathered. A set of credential providers may be consulted, in a particular sequence, to provide the credentials. Credentials may contain variables, and each credential provider may impose its own constraints on the values to be assigned to the variables. Instantiation of the variables may be deferred to a downstream credential provider, thereby allowing each credential provider to specify its constraints on the variables before specific values for the variables are chosen. In one example, an instantiation fact (or “inst fact”) is used to represent the deferred instantiation. A provider may use an inst fact to make its credentials conditional on the instantiation of the variables that the credential contains, where some downstream provider may attempt to instantiate the variables to specific values. | 08-12-2010 |
20100205650 | METHOD OF PERFORMING SOFTWARE UPDATES (INSTALLATIONS), ON NETWORKED 32/64-BIT MICROSOFT COMPUTERS IN AN AUTOMATED ENVIRONMENT WITHOUT INTRODUCING A POSSIBLE SECURITY THREAT - A method of monitoring all network communications, including a real-time analysis of intercepting all networked connections and closing those network connections, including all connections across the Internet, except for those specific connections that will function to update a networked computer with new software or updates to existing software. | 08-12-2010 |
20100205651 | SECURITY OPERATION MANAGEMENT SYSTEM, SECURITY OPERATION MANAGEMENT METHOD, AND SECURITY OPERATION MANAGEMENT PROGRAM - Provided is a security management system for managing the security of a managed system including during operation of the managed system, the security management system comprising: state changing means for determining a state that satisfies a state rule, which defines a desired state of the managed system, as a target state if the state of the managed system does not satisfy the state rule; and action determining means for determining a predetermined process, which is for changing the difference between the state of the managed system when the target state is determined and the target state, as a countermeasure that needs to be carried out in the state of the managed system when the target state is determined. | 08-12-2010 |
20100211989 | METHOD AND APPARATUS FOR AUTOMATED ASSIGNMENT OF ACCESS PERMISSIONS TO USERS - Given a new user U or a user whose role in the organization changed, an automated method of the present disclosure in one aspect determines the new or revised access permissions the user should have. In one aspect, the method of the present disclosure automatically determines access rights based on the access rights held by similar users. This general idea, including a formalization of similarity between users, the details of how access rights are determined, and an algorithm to test if the presented methods are safe to use are provided. | 08-19-2010 |
20100218233 | TECHNIQUES FOR CREDENTIAL AUDITING - Techniques for credential auditing are provided. Histories for credentials are evaluated against a principal credential policy for a user and an enterprise credential policy for an enterprise as a whole. An audit trail is produced within a report for the histories. The report indicates whether compliance with the principal and enterprise credential policies occurred and if not at least one reason is provided as to why compliance was not met within the histories. | 08-26-2010 |
20100218234 | METHOD AND APPARATUS FOR LIMITING OPERATION OF DIGITAL RIGHTS MANAGEMENT MODULE - A method and apparatus for limiting an operation of a digital rights management (DRM) module includes checking an operation mode that is currently set in the DRM module, deciding a DRM policy that will be applied to the DRM module, and selectively limiting an operation of the DRM module based on the checked operation mode and the decided DRM policy. | 08-26-2010 |
20100218235 | METHOD AND SYSTEM FOR TEMPORARILY REMOVING GROUP POLICY RESTRICTIONS REMOTELY - A device, system and method are provided for remotely changing a policy setting on a first computer. A second computer may remotely connect to the first computer. The first computer may have an initial policy setting. The second computer may change one or more key values stored in the registry of the first computer. The key values may define the policy setting of the first computer. The second computer may start an application in the first computer that automatically retrieves the key values stored in the registry of the first computer to apply a corresponding new policy setting to the first computer. The second computer may be operated by an administrator investigating a problem and providing maintenance to the first computer in a system network by temporarily removing a restrictive policy setting on the first computer. | 08-26-2010 |
20100223654 | MULTIPLE TIERED NETWORK SECURITY SYSTEM, METHOD AND APPARATUS USING DYNAMIC USER POLICY ASSIGNMENT - A multiple key, multiple tiered network security system, method and apparatus provides at least three levels of security. The first level of security includes physical (MAC) address authentication of a user device being attached to the network, such as a user device being attached to a port of a network access device. The second level includes authentication of the user of the user device, such as user authentication in accordance with the IEEE 802.1 | 09-02-2010 |
20100223655 | Method, System, and Apparatus for DHCP Authentication - A Dynamic Host Configuration Protocol (DHCP) authentication method includes: authenticating a Routing Gateway (RG) by an Authentication Server (AS) that serves the RG; receiving an access policy from a DHCP authenticator after the RG passes the authentication; and starting DHCP authentication according to the access policy, and performing DHCP authentication for a DHCP client connected to the RG. With the present invention, the DHCP authentication is started on the RG, and the DHCP authentication is performed for the DHCP client connected to the RG. Therefore, the DHCP client connected to the RG can undergo DHCP authentication through the RG to access the network. | 09-02-2010 |
20100235877 | POLICY-BASED PRIVACY PROTECTION IN CONVERGED COMMUNICATION NETWORKS - System(s) and method(s) that employ deep packet inspection (DPI) of data flow relating to a requested service associated with a communication device to facilitate customizing the service or results provided by the service are presented. A service request can be received by a gateway, and identification of the service is attempted. If the service is identified, a privacy rule(s), which is contained in a user privacy profile of a user associated with the communication device, is analyzed to determine whether the privacy rule(s) applies to the service. If the privacy rule(s) is applicable, a DPI engine performs DPI on the data flow, in accordance with the privacy rule(s), to obtain information that can be used to customize the service or results provided by the service. The user can specify the level of DPI to be applied. A default rule can specify that no DPI is performed on the data flow. | 09-16-2010 |
20100235878 | METHOD AND SYSTEM FOR FILE DISTRIBUTION - A method and system for file distribution, the system comprising: a first data storage device for distributing a content file by seeding the content file for downloading by another data storage device; a second data storage device configured for distributing the content file; a third data storage device configured for distributing the content file; and a data file comprising at least one data entry, a data entry in the data file being associated with the content file, the first data storage device being configured for pushing the data file to the second data storage device, the second data storage device being configured for initiating downloading of the content file if the data entry associated with the content file is present in the pushed data file and the content file is not stored at the second data storage device, and sharing downloaded data of the content file with the third data storage device by simultaneously uploading downloaded data of the content file to the third data storage device while downloading the content file from the first data storage device. | 09-16-2010 |
20100235879 | SYSTEMS, METHODS, AND MEDIA FOR ENFORCING A SECURITY POLICY IN A NETWORK INCLUDING A PLURALITY OF COMPONENTS - Systems, methods, and media for enforcing a security policy in a network are provided, including, for example, receiving a plurality of events describing component behavior detected by a plurality of sensors, each sensor monitoring a different component of a plurality of components; attributing a first event of the plurality of events to a first principal; attributing a second event of the plurality of events to a second principal; determining whether the first and second events are correlated; storing a data structure that attributes each of the first and second events to the first principal, if it is determined that the first and second events are correlated; comparing the second event to the security policy; and modifying network behavior to enforce the security policy against the first principal based on the comparison of the second event to the security policy and the attribution of the second event to the first principal. | 09-16-2010 |
20100235880 | System and Method to Apply Network Traffic Policy to an Application Session - Method for applying a security policy to an application session, includes: recognizing the application session between a network and an application via a security gateway; determining by the security gateway a user identity of the application session using information about the application session; obtaining by the security gateway the security policy comprising network parameters mapped to the user identity; and applying the security policy to the application session by the security gateway. The user identity may be a network user identity or an application user identity recognized from packets of the application session. The security policy may comprise a network traffic policy and/or a document access policy mapped to the user identity, where the network traffic policy is applied to the application session. The security gateway may further generate a security report concerning the application of the security policy to the application session. | 09-16-2010 |
20100242082 | PROTECTING SENSITIVE INFORMATION FROM A SECURE DATA STORE - In embodiments of the present invention improved capabilities are described for the steps of receiving an indication that a computer facility has access to a secure data store, causing a security parameter of a storage medium local to the computer facility to be assessed, determining if the security parameter is compliant with a security policy relating to computer access of the remote secure data store, and in response to an indication that the security parameter is non-compliant, causing the computer facility to implement an action to prevent further dissemination of information, to disable access to network communications, and the like. | 09-23-2010 |
20100242083 | RESTRICTING ACCESS TO OBJECTS CREATED BY PRIVILEGED COMMANDS - A method and system for restricting access to objects created by privileged commands. In an RBAC environment, execution of certain privileged commands creates objects, which typically, have traditional access permissions based on the user ID and not the role. To enhance security of these objects, a new security attribute is introduced. The security attribute can be associated to the privileged command. Therefore, whenever a privileged command creates an object, the security attribute associated with the privileged command is applied on the object. The security attribute can mask the traditional access permissions of the object, and modify the access permissions, which can be stored along with the object. An AND operation can be performed on the traditional access permissions and the security attribute, to determine the modified permissions of the object. Further, an authorized user can modify, add, delete, or customize the security attribute at any time. | 09-23-2010 |
20100242084 | NETWORK SECURITY MONITOR APPARATUS AND NETWORK SECURITY MONITOR SYSTEM - A network security monitoring apparatus and a network security monitoring system manages “permitted” or “not permitted” communication between nodes based on an access policy. A network security monitoring system includes nodes | 09-23-2010 |
20100242085 | SYSTEM AND METHOD FOR DOCUMENT ISOLATION - A computer based system and method of providing document isolation during routing of a document through a workflow is disclosed. The method comprises maintaining a separate “working” copy of the original base document while the document is routed through a workflow. Access controls, which define who may access the original document as well as any versions of the working copy document, are defined and stored in relation to the documents. The access controls further define the types of actions users may take with respect to the document. Users are selectively directed to the appropriate document, either the base document or working copy, and selectively granted permission to perform publishing operations on the working copy document, as determined by the access controls. | 09-23-2010 |
20100242086 | SYSTEM AND METHOD FOR HANDLING DATA TRANSFERS - Systems and methods for managing data transfers between a secure location and a less secure location. A data transfer checker operating on a mobile device determines whether an attempted data transfer between two locations is permitted. If it is not permitted, then the data transfer is prevented and the user may be notified of the data transfer prevention. | 09-23-2010 |
20100251327 | SOA POLICY ENGINE FRAMEWORK - Methods, including service methods, articles of manufacture, systems, articles and programmable devices provide a policy engine framework. A consumer policy request for a web service is mediated through a functional web service or a policy web service. A single unified method call is made to policy adapters in response to the mediated customer request, each of the policy adapters in communication with a policy server. The policy adapters transform the single unified method call into formats acceptable by each associated policy server and place the transformed requests to the associated servers. Results from the policy servers are formatted by policy adapters and a policy is selected from a policy registry repository as a function of the formatted results and returned to a requesting consumer. | 09-30-2010 |
20100251328 | MODEL BASED SECURITY FOR CLOUD SERVICES - Applications, such as cloud services, may be deployed within a network environment (e.g., a cloud computing environment). Unfortunately, when the applications are instantiated within the network environment, they have the ability to compromise the security of other applications and/or the infrastructure of the network environment. Accordingly, as provided herein, a security scheme may be applied to a network environment within which an application is to be instantiated. The security scheme may comprise one or more security layers (e.g., virtual machine level security, application level security, operating system level security, etc.) derived from an application service model describing the application and/or resources allocated to the application. | 09-30-2010 |
20100251329 | SYSTEM AND METHOD FOR ACCESS MANAGEMENT AND SECURITY PROTECTION FOR NETWORK ACCESSIBLE COMPUTER SERVICES - A method for providing access management and security protection to a computer service includes providing a computer service that is hosted at one or more servers and is accessible to clients via a first network, providing a second network that includes a plurality of traffic processing nodes and providing means for redirecting network traffic from the first network to the second network. Next, redirecting network traffic targeted to access the computer service via the first network to a traffic processing node of the second network via the means for redirecting network traffic. Next, inspecting and processing the redirected network traffic by the traffic processing node and then routing only redirected network traffic that has been inspected, processed and approved by the traffic processing node to access the computer service via the second network. | 09-30-2010 |
20100263017 | POLICY MANAGEMENT IN A ROAMING OR HANDOVER SCENARIO IN AN IP NETWORK - The invention comprises methods and arrangements for Policy Decision Point discovery in a roaming or handover scenario in an IP network (IN) comprising a plurality of network elements. The authentication function, e.g. an AAA-server, receives the address (ASPDP | 10-14-2010 |
20100263018 | ELECTRONIC TRANSACTIONS SYSTEM - A system for processing electronic transactions according to policies is disclosed. The system includes a user module configured to store computer-readable information related to a user, and a policy module configured to store a plurality of policies for electronic transactions. Each policy for an electronic transaction includes a permission to access a physical space or item by a user. The system also includes a processor configured to receive a request to complete an electronic transaction by the user, and configured to dynamically apply, upon receipt of the request by the processor, the plurality of policies to the user based on the request to complete the electronic transaction. Methods and machine-readable mediums are also disclosed. | 10-14-2010 |
20100263019 | SECURE EXCHANGE OF MESSAGES - An arrangement for declaration of security level of transport paths/routes in one or more data networks where the arrangement at least comprises: an entity ( | 10-14-2010 |
20100263020 | POLICY-BASED VIDEO CONTENT SYNDICATION - An item of hosted content is received from a media host. A match metric is determined that represents an aspect of a match between the item of hosted content and an item of reference content, the item of reference content being provided by a content owner having rights to the item of reference content. A policy associated with the item of reference content is identified responsive to the value that represents the correspondence, the policy including terms of use for the hosted content. The policy is provided to the media host. | 10-14-2010 |
20100263021 | SYSTEM AND METHOD FOR SELECTION OF SECURITY ALGORITHMS - There is described a method and apparatus for managing security for a connection between a user device and a communications network comprising at least one base station and a core network. In one embodiment, the method includes receiving at the core network security capability information for the user device connecting to the communications network. Security capability information for the base station is then obtained from memory or from the base station itself. The security capability information for the user device and the security capability information for the base station is then processed in the core network to select a security policy for a connection between the user device and the base station and the selected security policy is transmitted to the base station. | 10-14-2010 |
20100269148 | POLICY-PROVISIONING - Presented is an automated policy-provisioning method for a computing system having a service-oriented architecture. The system comprises at least one managed service and at least one policy enforcement point operable to enforce a runtime policy for the service. The method comprises: receiving in machine-readable form at least one semantic rule defining a condition imposed by a business policy; receiving machine-readable data describing a runtime policy enforcement capability of the at least one policy enforcement point; determining based on the at least one rule and the capability whether the at least one policy enforcement point can meet the condition; based on the determination, deriving a runtime policy suitable for enforcing the condition; and communicating the runtime policy to the at least one policy enforcement point. | 10-21-2010 |
20100269149 | METHOD OF WEB SERVICE AND ITS APPARATUS - The present invention relates to a web service method and an apparatus therefor. A service apparatus in accordance with the present invention includes a message security gateway for security, an authentication server, an authorization server, a security policy server, a harmful site database, and an application server. User authentication employs SAML assertion of an SAML authority server. A service method in accordance with the present invention analyzes a message format and can employ security technologies although they have different message formats. | 10-21-2010 |
20100275241 | SECURELY HOSTING WORKLOADS IN VIRTUAL COMPUTING ENVIRONMENTS - Methods and apparatus involve securely hosting workloads. Broadly, computing workloads are classified according to security concerns and those with common concerns are deployed together on common hardware platforms. In one instance, security tags are bi-modally attached or not to workloads meeting a predetermined security threshold. Those with tags are deployed on a common machine while those without tags are deployed on other machines. Tags may be embedded in meta data of open virtual machine formats (OVF). Considerations for re-booting computing devices are also contemplated as are multiplexing workloads. Computer program products are further disclosed. | 10-28-2010 |
20100281512 | DYNAMIC COMMUNITY GENERATOR - Embodiments of the invention are directed to systems, methods, and computer program products configured to determine communities within an organization dynamically based on the distribution of entitlements within the organization. | 11-04-2010 |
20100281513 | DYNAMIC ENTITLEMENT MANAGER - Embodiments of the invention are directed to systems, methods, and computer program products configured to calculate an indicator of the likelihood that an entitlement exists in a first community relative to a second community. The calculated indicator is then used to determine the appropriateness of entitlements within the first community or after a transfer of a person from the first community to the second. | 11-04-2010 |
20100281514 | SYSTEM FOR MANAGING IDENTITY WITH PRIVACY POLICY USING NUMBER AND METHOD THEREOF - The present invention includes a request module that creates a user information request message and a communication module that transmits the user information request message to an attribute provider server, wherein the user information request message includes a privacy policy that represents at least one term of use subjects, use purposes, and use periods using a grade. With the present invention, the representation of the privacy policy can be simplified and the comparison of policies can be conveniently processed. | 11-04-2010 |
20100281515 | METHOD, SYSTEM, AND COMPUTER PROGRAM PRODUCT FOR FACILITATING COMMUNICATION IN AN INTEROPERABILITY NETWORK - Methods and apparatus are described for facilitating communication among a plurality of entities via an interoperability network. Each entity has policy data corresponding thereto governing interaction with the entity via the interoperability network. A message is transmitted from a first one of the entities to a second one of the entities. The first entity has first policy data corresponding thereto and the second entity has second policy data corresponding thereto. The transmitted message was handled in the network according to combined policy data representing a combination of the first and second policy data. | 11-04-2010 |
20100281516 | METHOD, SYSTEM, AND COMPUTER PROGRAM PRODUCT FOR NETWORK AUTHORIZATION - Methods and apparatus are described for facilitating communication among a plurality of entities via an interoperability network. Each entity has policy data corresponding thereto governing interaction with the entity via the interoperability network. A message is transmitted from a first one of the entities to a second one of the entities. The first entity has first policy data corresponding thereto and the second entity has second policy data corresponding thereto. The transmitted message was handled in the network according to combined policy data representing a combination of the first and second policy data. | 11-04-2010 |
20100287597 | SECURITY POLICY TRIGGER FOR POLICY ENFORCEMENT - Described is a technology by which a user (or other entity) may be temporarily granted or denied permissions with respect to performing an upcoming database operation. A “before” security policy trigger is executed prior to executing the database statement, so as to modify the user's security context (e.g., to add a role) prior to execution if information associated with the operation meets criteria defined in the policy trigger. The existing security system uses the (possibly modified) security context to determine whether to execute the database statement. The security context is reverted after the successful or unsuccessful execution of the database statement. The security policy trigger may also cause an error to be raised. | 11-11-2010 |
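The "before" trigger mechanism in the abstract above, modelled in Python as an added example (this is illustrative code, not the patent's or any vendor's implementation). A trigger runs before each statement, may add a role to the caller's security context when the operation's details meet its criteria or raise to refuse the statement, the existing authorisation check then sees the modified context, and the context is reverted on every exit path, including an engine failure. The names `SecurityContext`, `Statement`, `PERMISSIONS`, `payroll_trigger` and `execute`, and the sample permission table, are assumptions for this example.

```python
"""Illustrative model of a 'before' security policy trigger (added example,
not code from the patent). All names and the PERMISSIONS table are
constructed for this example."""
from contextlib import contextmanager
from dataclasses import dataclass, field
from typing import Callable, Optional, Set


@dataclass
class SecurityContext:
    user: str
    roles: Set[str] = field(default_factory=set)


@dataclass(frozen=True)
class Statement:
    kind: str    # e.g. "UPDATE"
    table: str
    app: str     # client application name: information associated with the operation


# Role -> permitted (statement kind, table) pairs (constructed sample data)
PERMISSIONS = {
    "reader": {("SELECT", "salaries")},
    "payroll_writer": {("SELECT", "salaries"), ("UPDATE", "salaries")},
}


def authorized(ctx: SecurityContext, stmt: Statement) -> bool:
    """The existing security system: decides on the (possibly modified) context."""
    return any((stmt.kind, stmt.table) in PERMISSIONS.get(r, set()) for r in ctx.roles)


def payroll_trigger(ctx: SecurityContext, stmt: Statement) -> Optional[str]:
    """'Before' trigger: returns a role to add for this statement only,
    raises to refuse the statement outright, or returns None to do nothing."""
    if stmt.kind == "UPDATE" and stmt.table == "salaries":
        if stmt.app != "payroll_batch":
            raise PermissionError("salary updates are only allowed from payroll_batch")
        return "payroll_writer"
    return None


@contextmanager
def triggered_context(ctx: SecurityContext, trigger, stmt: Statement):
    """Apply the trigger's modification for one statement and revert it on
    every exit path (success, authorisation failure, engine failure)."""
    snapshot = set(ctx.roles)
    extra = trigger(ctx, stmt)          # may raise: the context is still untouched
    if extra is not None:
        ctx.roles.add(extra)
    try:
        yield ctx
    finally:
        ctx.roles = snapshot


def execute(ctx: SecurityContext, stmt: Statement,
            run: Callable[[Statement], object] = lambda s: "ok",
            trigger=payroll_trigger):
    """Run `stmt` under the trigger-modified context; `run` stands in for the
    database engine and may itself fail."""
    with triggered_context(ctx, trigger, stmt):
        if not authorized(ctx, stmt):
            raise PermissionError(f"{ctx.user} may not {stmt.kind} {stmt.table}")
        return run(stmt)
```

The point to check in any real implementation is the `finally`: the temporarily added role must not survive a failed statement, otherwise the trigger becomes a privilege-escalation path for the next statement in the session.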
20100287598 | METHOD AND SYSTEM FOR PROVIDING SECURITY POLICY FOR LINUX-BASED SECURITY OPERATING SYSTEM - A system for providing security policy for a Linux-based security operating system, which includes a template policy module configured to set an authority using policy information of a downloaded application so that the template policy module can set an access control rule for accessing a system resource of the application, a base policy module executing the access control rule for the system resource in accordance with the access control rule set by the template policy module, and a template policy module editor generating a custom application for the corresponding application using information output from the template policy module. | 11-11-2010 |
20100287599 | METHOD, APPARATUS AND SYSTEM FOR IMPLEMENTING POLICY CONTROL - A method, an apparatus and a system for implementing policy control are disclosed. The method includes: an SPDF receives a service request that carries service property of a session from an AF, makes a service policy decision according to the service property of the session and policy pre-configuration parameters to obtain authorized service parameters; and determines a corresponding local network transmission PDF according to a type of an access network; the SPDF sends an access network resource authorization request that carries the authorized service parameters to the determined local network transmission PDF, to enable the local network transmission PDF to generate a local network transmission policy according to the authorized service parameters and deliver the policy to a corresponding policy enforcement point for enforcing. Through the embodiments of the present invention, the converged policy control can be implemented for different types of networks. | 11-11-2010 |
20100293590 | LOCATION DETERMINED NETWORK ACCESS - A system and method for network authentication is provided. A network access device is operable to establish a communications with an internal network. A client device is operable to request and establish the communications over the internal network by interfacing with the network access device. A processor is operable to interface with the network access device to establish the communications between the client device and the internal network. The processor is also operable to establish a communications level for the communications based on the location of the client device. | 11-18-2010 |
20100293591 | Licensing and Management of Shared Graphical Data Flow Web Applications - System and method for performing program-related operations over a network via a web browser. A network connection is established between a server computer and a client computer over a network. A universal resource identifier (URI) is sent from the client computer to the server computer over the network, where the URI indicates a program, e.g., a graphical program (GP), or at least a portion of a graphical program interactive development environment (GPIDE), e.g., a graphical program editor, an execution engine, a static or dynamic analyzer, and/or compiler. The at least a portion of the GPIDE is received from the server computer over the network in response to the URI, and executed in a web browser of the client computer to perform some specified functionality with respect to the GP. | 11-18-2010 |
20100293592 | SYSTEM AND DEVICE FOR PARALLELIZED PROCESSING - The invention relates to a system for processing data that can be exchanged between at least a first domain having a security level A and a second domain having a security level B, A being different from B, characterised in that it comprises at least one elementary entity EEi including a routing module URi and a device UTi for processing data, the routing module URi including at least one input Ii into the domain having the A security level for the data to be processed, and at least one first output Pi for the data that has not been processed and remains in the domain with the A security level, and a second output Li connected to the processing device UTi for the data processed and transferred into the domain with the B security level via the output Oi. | 11-18-2010 |
20100293593 | SECURING CONTACT INFORMATION - A method of controlling user access to contact information associated with public user identities (IMPUs) registered in respect of the user's subscription within an IP Multimedia Subsystem. The method comprises installing into a Serving Call/Session Control Function assigned to the user, one or more contact information access policies, the contact information access policy or policies defining if and under what circumstances the user can view or delete contact information. Upon a request by the user to view and/or modify said contact information, the Serving Call/Session Control Function evaluates and enforces these contact information policies. | 11-18-2010 |
20100293594 | Mobile Authorization Using Policy Based Access Control - An authorization engine is provided in a remote device for mobile authorization using policy based access control. To ensure that remote devices can enforce consistent authorization policies even when the devices are not connected to the server, the remote device downloads the relevant authorization policies when the business objects are downloaded and enforces the policies when operations are invoked. The memory footprint of downloadable authorization policies is reduced to fit onto a resource-constrained remote device. A policy evaluation engine interprets and enforces the downloaded policies on the remote device using only the limited computational resources of the remote device. | 11-18-2010 |
20100293595 | Security Policy Distribution to Communication Terminals - A method and arrangement for distributing a security policy to a communication terminal having an association with a home communication network, but being present in a visited communication network. The home communication network ( | 11-18-2010 |
20100299716 | Model Based Multi-Tier Authentication - Authentication is widely used to protect consumer data and computing services, such as email, document storage, and online banking. Current authentication models, such as those employed by online identity providers, may have limited options and configurations for authentication schemes. Accordingly, as provided herein, a model based authentication scheme may be configured based upon a policy and/or an authentication mechanism list. The policy may define the target resource, a user, a group the user belongs to, devices used to connect to the target resource, a service owning the target resource, etc. The authentication mechanism list may comprise predefined authentication mechanisms and/or user plug-in authentication mechanisms (e.g., user created authentication mechanism). Once the authentication scheme is configured, it may be enforced upon authentication requests from a user. Feedback may be provided to the user based upon patterns of usage of the target resource. | 11-25-2010 |
20100299717 | System for Annotation-Based Access Control - A system for annotation-based access control stores a network of interconnected data entities including Person, Resource and Policy entities, each Resource entity designated as being owned by a Person entity. The system enables a user to: define Annotations and to associate the Annotations with stored entities, each Annotation comprising terms defining the sharing of a Resource with Person entities; define Policies having associated Annotation(s); define Actions for each Policy, an action being performed on a Resource; and assign a Policy including an Annotation referring to a Person, a Person Annotation, to selected Resources. The system responds to a request from a user associated with a Person entity to perform an Action on a Resource if the Person satisfies Policies assigned to the Resource i.e. if a Resource is assigned a Policy having a Person Annotation and the Person entity has an Annotation corresponding to the Person Annotation. | 11-25-2010 |
20100299718 | METHODS AND APPARATUS FOR TITLE PROTOCOL, AUTHENTICATION, AND SHARING - A title management apparatus resident on a first computer including a memory for storing a control program and data, and a processor for executing the control program and for managing the data. The apparatus includes a title object resident in the memory including a title structure, the title structure further comprising a content element, a set of attributes, and a set of title object security indicia. The apparatus further includes an authorization structure configured to selectively redeem the content element based at least in part on the user security indicia, and further configured to use a set of protocols. The apparatus also includes a title management structure configured to associate a user with the title object based at least in part on the user data and the title attributes. | 11-25-2010 |
20100306816 | AUTHENTICATION VIA MONITORING - Systems, methods, and other embodiments associated with authentication via monitoring are described. One example method includes detecting a data flow in which indicia of identity (DFWIOI) travel between a first endpoint and a second endpoint. The DFWIOI may be partially encrypted. The example method may also include collecting an identity data associated with the DFWIOI from the DFWIOI, the first endpoint, the second endpoint, and so on. The example method may also include making an authentication policy decision regarding the DFWIOI based, at least in part, on the identity data. The example method may also include controlling a networking device associated with the DFWIOI based, at least in part, on the authentication policy decision. | 12-02-2010 |
20100306817 | DELEGATION MODEL FOR ROLE-BASED ACCESS CONTROL ADMINISTRATION - Role-based security architecture that facilitates delegated role assignments where role functionality is monotonically decreasing. In furtherance thereof, roles of decreasing monotonicity are arranged in a hierarchy. Moreover, delegated roles can be obtained by creating a derived role (from a parent role) and removing entries from the derived role to decrease the permissions for the derived role. Delegated role assignments are scoped (bounded), which automatically applies a given scope to the assignment created by the user receiving the delegation. | 12-02-2010 |
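The delegation model described above, as an added Python example that is not the patent's code: a derived role is built only by removing entries from its parent, so permissions never grow down the hierarchy; a delegator may only hand out a role derived from the one they hold; and the new assignment's scope is automatically clipped to the delegator's own scope. The `Role`, `Assignment`, `delegate` and `verify_monotone` names and the mailbox-style permission strings are assumptions for illustration.

```python
"""Illustrative delegation model for RBAC administration (added example, not
the patent's code). Names and the sample permission entries are assumed."""
from dataclasses import dataclass
from typing import FrozenSet, Optional, Set


@dataclass(frozen=True)
class Role:
    name: str
    entries: FrozenSet[str]            # permitted actions, e.g. "mailbox:read"
    parent: Optional["Role"] = None

    def derive(self, name: str, remove: Set[str]) -> "Role":
        """Monotonically decreasing: the child is the parent minus `remove`.
        Removing an entry the parent lacks is rejected so the hierarchy stays honest."""
        unknown = set(remove) - self.entries
        if unknown:
            raise ValueError(f"cannot remove entries the parent lacks: {sorted(unknown)}")
        return Role(name, self.entries - frozenset(remove), parent=self)


@dataclass(frozen=True)
class Assignment:
    role: Role
    scope: FrozenSet[str]     # e.g. the organisational units the assignee may act on
    assignee: str


def delegate(granting: Assignment, to: str, role: Role,
             scope: Optional[Set[str]] = None) -> Assignment:
    """The delegator may only hand out their own role or one derived from it
    (directly or transitively); the new scope is clipped to the delegator's."""
    r = role
    while r is not None and r is not granting.role:
        r = r.parent
    if r is None:
        raise PermissionError(f"{role.name} is not derived from {granting.role.name}")
    requested = frozenset(scope) if scope is not None else granting.scope
    return Assignment(role, requested & granting.scope, to)


def permitted(a: Assignment, action: str, target_scope: str) -> bool:
    return action in a.role.entries and target_scope in a.scope


def verify_monotone(role: Role) -> bool:
    """Audit check: every role's entries are a subset of its parent's."""
    while role.parent is not None:
        if not role.entries <= role.parent.entries:
            return False
        role = role.parent
    return True
```

`delegate` enforces both bounds the abstract describes at the point of delegation rather than at access time, which is where an administrator would expect an over-broad request to be refused or clipped.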
20100306818 | Computer-Implemented Method, Computer System, And Computer Program Product for Optimization Of Evaluation Of A Policy Specification - The present description relates to a computer-implemented method, computer system, and computer program product for optimization of evaluation of a policy specification. In one aspect, the computer-implemented method for optimization of evaluation of a policy specification may comprise receiving the policy specification represented as a tree, the tree comprising a plurality of nodes. A visiting history of the tree may be determined by computing a density at least for each node in a subset of the plurality of nodes having been visited. The density may be determined by a relationship between a position of a node v in the tree and a frequency F(v) in which the node v is visited. The tree may be transformed with respect to the visiting history into a similar tree such that sibling nodes in the subset of the plurality of nodes are sorted in decreasing order according to their density. | 12-02-2010 |
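The tree transformation described above, as an added example in Python (not the patent's code). The tree model, the choice of density (the count of visits to a node, i.e. how often its target matched, which orders siblings the same way as any depth-weighted variant would at one level) and all names are assumptions for illustration. Evaluation descends into the first child whose target matches the request, so sibling reordering only preserves decisions when siblings' targets are mutually exclusive; `disjoint_children()` checks that precondition on a sample workload before the transform is trusted.

```python
"""Added example of reordering a policy tree by visit frequency (not the
patent's code; model, density definition and names are assumptions)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Node:
    name: str
    target: Callable[[Dict[str, str]], bool]
    effect: Optional[str] = None            # "permit"/"deny" on leaves
    children: List["Node"] = field(default_factory=list)
    visits: int = 0                         # F(v): how often this node was entered


def evaluate(node: Node, request: Dict[str, str]) -> Tuple[str, int]:
    """Returns (effect, number of child targets tested along the path)."""
    node.visits += 1
    if node.effect is not None:
        return node.effect, 0
    checks = 0
    for child in node.children:
        checks += 1
        if child.target(request):
            effect, sub = evaluate(child, request)
            return effect, checks + sub
    return "not_applicable", checks


def density(node: Node) -> float:
    # Assumption: density is the raw visit frequency F(v).
    return float(node.visits)


def optimise(node: Node) -> None:
    """Transform into the similar tree with siblings in decreasing density."""
    node.children.sort(key=density, reverse=True)
    for child in node.children:
        optimise(child)


def all_nodes(node: Node) -> List[Node]:
    out = [node]
    for child in node.children:
        out.extend(all_nodes(child))
    return out


def disjoint_children(node: Node, requests) -> bool:
    """True if no request matches more than one child target of `node`;
    only then is reordering the children decision-preserving."""
    return all(sum(c.target(r) for c in node.children) <= 1 for r in requests)


def build_tree() -> Node:
    """Constructed sample policy: first level by resource, second by role."""
    res = lambda v: (lambda r: r["resource"] == v)
    role = lambda v: (lambda r: r["role"] == v)
    return Node("root", lambda r: True, children=[
        Node("admin", res("admin"), children=[
            Node("admin-ops", role("ops"), "permit"),
            Node("admin-other", lambda r: r["role"] != "ops", "deny")]),
        Node("files", res("files"), children=[
            Node("files-owner", role("owner"), "permit"),
            Node("files-user", role("user"), "permit")]),
        Node("api", res("api"), children=[
            Node("api-service", role("service"), "permit"),
            Node("api-user", role("user"), "permit")]),
    ])
```

On the constructed workload (mostly `api`/`user` requests) the hot path drops from five target checks to two after `optimise`, with every decision unchanged.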
20100319049 | TRUSTED AGENT FOR ADVERTISEMENT PROTECTION - Embodiments are disclosed for providing trusted local enforcement of advertisement policies that are associated with digital content. One method includes receiving digital content and an associated advertisement policy at a network client. These items are received at the network client via a network from a content provider. A request is received to present the digital content with a media application of the network client. The method includes using a trusted agent of the network client to verify the authenticity of the advertisement policy in response to the request to present the content. The trusted agent operates to enforce the advertisement policy as a condition of presentation of the digital content at the media application. | 12-16-2010 |
20100319050 | Controlling Access to Software Component State - A request is received from a software component of a software product to access a value of a public setting of the software component. A check is made as to whether the request conforms to an appropriate format for the public setting. If the request conforms to the appropriate format, then the requested access is performed. However, if the request does not conform to the appropriate format, then the requested access is denied. Multiple values for the public setting can be received and maintained concurrently. | 12-16-2010 |
20100319051 | CONTROLLING ACCESS TO RESOURCES BY HOSTED ENTITIES - Controlling resource access by entities hosted by an execution extension environment via entity identifiers associated with the resources or with the execution extension environment. Policy sets define the access to the resources. Each policy set includes a principal identifier for execution extension environment, a resource identifier for one of the resources, and access rights. The principal identifier or the resource identifier includes one of the entity identifiers. Access requests from entities are evaluated by comparing the entity identifiers to the policy sets. In some embodiments, the policy sets implement access control for web browsers hosting executable code that attempts to access resources on a computing device. | 12-16-2010 |
20100325684 | ROLE-BASED SECURITY FOR MESSAGING ADMINISTRATION AND MANAGEMENT - A role-based access control (RBAC) for the administration of complex services, such as for messaging. The RBAC architecture facilitates the creation of a role mechanism that describes any end-user, administrator, or partner action, of a set of scopes that address all populations, and a single authorization mechanism to handle role assignments through various mechanisms. Moreover, role and scope concepts are provided that universally apply to various management scenarios. A common set of primitives is defined that represent actions of enterprise and tenant end-users, partners, tenant administrators, datacenter administrators, and enterprise administrators. The primitives can include actions, action parameters, and API calls. Additionally, a set of scopes is defined that include self-relative scopes for end-users and tenants, and, absolute and filter-based scopes for administrators. | 12-23-2010 |
20100325685 | Security Integration System and Device - The present disclosure generally relates to systems and devices that share information related to computer and network security. In an embodiment, an integration device can receive a notification of a security event at a security device. The integration device can compare the contents of the notification against a set of rules, select actions to take based on the set of rules at other security devices, establish a connection to the other security devices, and take the actions over the connection. The integration device can take the actions by sending commands understood by the other security devices over the connection. The other security devices can be of different platforms than the security device or not interoperable with the security device. Additionally, the integration device can receive information related to log entries, security incidents, transaction data, or configuration data, and take actions based on this information at other security devices. | 12-23-2010 |
20100325686 | DYNAMIC ACCESS CONTROL LISTS - Disclosed are methods and apparatus for creating and managing dynamic access control lists (ACL's). In a specific embodiment, a method of creating or modifying a dynamic access control policy (ACP) is disclosed. A current ACP for one or more specified resources is defined based on one or more membership rules for specifying users who can access the one or more specified resources based on user information that was or will be collected for a plurality of users. The collected user information includes at least user presence information or user communication data. The current ACP is retained for the one or more specified resources, wherein the current ACP is accessibly usable so as to dynamically allow a selected set of users, who each have corresponding collected user information which meets the one or more membership rules of the current ACP, to access the one or more specified resources. The selected set of users is changeable over time as different user information is collected over time. | 12-23-2010 |
20100325687 | Systems and Methods for Custom Device Automatic Password Management - In various embodiments, a method comprises receiving a custom login script from a first user, receiving a custom change password script from the first user, logging onto an account on a digital device using the custom login script from the first user, changing an old password on the account to a new password at predetermined intervals using the custom change password script from the first user, receiving a password request from a second user, approving the password request, and checking out the new password to the second user. | 12-23-2010 |
20100325688 | INFORMATION PROCESSING APPARATUS, AND COMPUTER READABLE MEDIUM - An information processing apparatus, includes: a registering unit for referring to a first storing unit for storing usage limitation information indicating a policy of usage limitation of a document which corresponds to a pair of a stamp image corresponding to an image representing that the document is limited in use, and the number of the stamp images, extracting the stamp image from document image information obtained by reading a paper document containing at least one of the stamp images, obtaining the usage limitation information corresponding to a pair of the extracted stamp image and the number of the extracted stamp images from the first storing unit, and registering the obtained usage limitation information and the document containing the document image information in correlation with each other into a second storing unit. | 12-23-2010 |
20100325689 | USE AUTHORITY ATTACHING DEVICE AND COMPUTER READABLE MEDIUM - A use authority attaching device includes: a storing unit that stores use authority information corresponding to each of stamped images of various forms; a detecting unit that detects a stamped image from a document image obtained by reading a stamped paper document; and a storage control unit that specifies use authority information corresponding to the stamped image detected by the detecting unit from the storing unit and stores an electronic document corresponding to the document image in a predetermined saving unit, in association with the specified use authority information under control. | 12-23-2010 |
20100325690 | INFORMATION PROCESSING APPARATUS AND COMPUTER READABLE MEDIUM - An information processing apparatus, includes: a registration unit that refers to a use limit information memory which stores use limit information indicating a policy of a use limit of a document corresponding to a set of a mark image indicating that use of the document is limited and user associated information relating to a user associated to the document, extracts the mark image and person in charge information from document image information obtained by reading a paper document including the mark image and the person in charge information indicating a person in charge with respect to contents of the paper document, acquires the use limit information corresponding to a set of the extracted mark image and the user associated information corresponding to the extracted person in charge information from the use limit information memory, and registers the acquired use limit information associated with a document including the document image information in a document memory. | 12-23-2010 |
20100325691 | Systems and Methods for Enabling a Service Provider to Obtain and Use User Information - In one aspect, the present invention provides a method for providing user information to a service provider. The method may include receiving a message including a communication device identifier; storing the communication device identifier with an identifier associated with a user of the communication device so that the communication device identifier is associated with the user identifier; transmitting a consent request message to the user; receiving a response to the consent request message, which response indicates that the user has provided the requested consent; and in response to receiving the response to the consent request message, transmitting a consent confirmation message to the service provider. | 12-23-2010 |
20100325692 | SYSTEM AND METHOD FOR CONTROLLING POLICY DISTRIBUTION WITH PARTIAL EVALUATION - The present invention relates to a system ( | 12-23-2010 |
20100325693 | REMOTE AUTHORIZATION FOR OPERATIONS - Techniques for the remote authorization of secure operations are provided. A secure security system restricts access to a secure operation via an access key. An authorization acquisition service obtains the access key on request from the secure security system when an attempt is made to initiate the secure operation. The authorization acquisition service gains access to the access key from a secure store via a secret. That is, the secure store is accessible via the secret. The secret is obtained directly or indirectly from a remote authorization principal over a network. | 12-23-2010 |
20100333165 | FIREWALL CONFIGURED WITH DYNAMIC MEMBERSHIP SETS REPRESENTING MACHINE ATTRIBUTES - A method is provided to control the flow of packets within a system that includes one or more computer networks comprising: policy rules are provided that set forth attribute dependent conditions for communications among machines on the one or more networks; machine attributes and corresponding machine identifiers are obtained for respective machines on the networks; and policy rules are transformed to firewall rules that include machine identifiers of machines having attributes from among the obtained machine attributes that satisfy the attribute dependent policy rules. | 12-30-2010 |
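The transformation described above, attribute-dependent policy rules compiled into firewall rules keyed by machine identifier, as an added Python example that is not the patent's code. The same membership-rule step is what the dynamic access control lists of 20100325687 (membership rules evaluated over collected user information) would use, so one example covers both entries. The rule format, attribute names, the `is_compliant` predicate and the inventory are constructed for this example; the identifier is the machine's IP address.

```python
"""Added example (not the patent's code): attribute-dependent policy rules
compiled into identifier-based firewall rules, recompiled when the inventory
changes. Rule format, attribute names and sample inventory are constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Set, Tuple

Attrs = Dict[str, object]
Condition = Callable[[Attrs], bool]


@dataclass(frozen=True)
class PolicyRule:
    name: str
    src: Condition          # attribute condition on the sender
    dst: Condition          # attribute condition on the receiver
    port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class FirewallRule:
    src_id: str
    dst_id: str
    port: int
    proto: str
    policy: str


def members(cond: Condition, inventory: Dict[str, Attrs]) -> FrozenSet[str]:
    """Dynamic membership set: identifiers of machines whose attributes satisfy cond."""
    return frozenset(mid for mid, attrs in inventory.items() if cond(attrs))


def compile_rules(policies: List[PolicyRule], inventory: Dict[str, Attrs]) -> List[FirewallRule]:
    out: List[FirewallRule] = []
    for p in policies:
        for s in sorted(members(p.src, inventory)):
            for d in sorted(members(p.dst, inventory)):
                if s != d:
                    out.append(FirewallRule(s, d, p.port, p.proto, p.name))
    return out


def diff_rules(old: List[FirewallRule], new: List[FirewallRule]) -> Tuple[Set[FirewallRule], Set[FirewallRule]]:
    """(rules to add, rules to remove) when attributes or membership change."""
    return set(new) - set(old), set(old) - set(new)


def is_compliant(a: Attrs) -> bool:
    # Assumed posture attributes: a host loses access when either drops.
    return bool(a.get("patched")) and bool(a.get("av_running"))


POLICIES = [
    PolicyRule("web-to-db",
               src=lambda a: a["role"] == "web" and is_compliant(a),
               dst=lambda a: a["role"] == "db", port=5432),
    PolicyRule("admin-ssh",
               src=lambda a: a["role"] == "bastion",
               dst=lambda a: True, port=22),
]

# Constructed inventory: identifier -> attributes
INVENTORY: Dict[str, Attrs] = {
    "10.0.1.10": {"role": "web", "patched": True, "av_running": True},
    "10.0.1.11": {"role": "web", "patched": False, "av_running": True},
    "10.0.2.10": {"role": "db", "patched": True, "av_running": True},
    "10.0.9.1": {"role": "bastion", "patched": True, "av_running": True},
}
```

Because the compiled rules carry only identifiers, the enforcement point stays simple; the security-relevant work is keeping the inventory fresh and recompiling on every change, which `diff_rules` reduces to the minimal add/remove set for the firewall.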
20100333166 | METHODS AND APPARATUS FOR RATING DEVICE SECURITY AND AUTOMATICALLY ASSESSING SECURITY COMPLIANCE - Automatic Security Compliance Assessment (ASCA) systems and methods are provided for automatically generating and determining a security rating for a plurality of Settings Objects (SOs), where each of the SOs define particular configurations of subsystems of a wireless computing device. Each SO collectively defines a collection of Values specified for Configurable Attributes that can be used to define a different configuration for a particular subsystem associated with a particular Setting Class that is used to guide the creation of that particular SO. The server can store a group of security rating templates, each of which includes the information needed to determine an expected security rating for any SOs created per a particular Settings Class. For any combination of device settings, the resultant SOs can be used to generate an expected security rating. In addition, a security interaction template (SIT) and security test scripts can be generated that correspond to each particular group of SOs, and can be used to produce an Overall Device Security Rating (ODSR) for that particular group of SOs or a sub-set thereof. | 12-30-2010 |
20100333167 | Adaptive Rule Loading and Session Control for Securing Network Delivered Services - Mechanisms are provided for handling client computing device requests with adaptive rule loading and session control. The mechanisms partition a set of rules, into a plurality of filter sets with each filter set having a different subset of the set of rules and being directed to identifying a different type of attack on a backend application or service. A subset of filter sets is selected to be used to validate client computing device requests received from client computing devices. The selected filter sets are applied to requests and/or responses to requests. The mechanisms dynamically modify which filter sets are included in the subset of filter sets based on an adaptive reinforcement learning operation on results of applying the selected filter sets to the requests and/or responses to requests. | 12-30-2010 |
20100333168 | METHODS AND APPARATUS FOR RATING DEVICE SECURITY AND AUTOMATICALLY ASSESSING SECURITY COMPLIANCE - Automatic Security Compliance Assessment (ASCA) systems and methods are provided. The disclosed systems and methods can automatically determine whether all of the devices in an enterprise network comply with security policies or standards, and can automatically take remedial or corrective action to bring those devices into compliance with security policies or standards if they are determined not to be in compliance. The disclosed systems and methods can automatically ensure that all of the devices in an enterprise network remain in compliance with the security policies or standards, and automatically create records that establish whether each of the devices are in compliance and regularly update those records over time so that the enterprise can quickly and easily provide evidence of compliance and/or corrective actions taken to bring devices into compliance if required to do so. | 12-30-2010 |
20100333169 | Classifying an Operating Environment of a Remote Computer - Systems and techniques are provided for controlling requests for resources from remote computers. A remote computer's ability to access a resource is determined based upon the computer's operating environment. The computer or computers responsible for controlling access to a resource will interrogate the remote computer to ascertain its operating environment. The computer or computers responsible for controlling access to a resource may, for example, download one or more interrogator agents onto the remote computer to determine its operating environment. Based upon the interrogation results, the computer or computers responsible for controlling access to a resource will control the remote computer's access to the requested resource. | 12-30-2010 |
20100333170 | Smart Mouse System and Method of Use - The Smart Mouse technology is a computer mouse with its own computer, memory, software, OS, networking and GUI. The Mousetop Window GUI is the viewport into the mouse and gateway between the mouse and computer(s). The mouse becomes a computer network where data can be stored and retrieved in the mouse buffer memory, mouse memory or between connected computer(s). Software and licenses can be served from the mouse allowing the sharing of software and licenses across multiple computers in proximity or remotely located. Shared cursor switching, drag and drop data and other interactive functions are available. Profile storage in the mouse allows for multiple configurations of networking or isolating the window. Concepts like keyboard switching, biometric access, child security and numerous other novel concepts are included with this technology. Added physical features like removable memory and connectivity to other hand held technology like iPhone or iPad provide expanded communication functionality. | 12-30-2010 |
20100333171 | A METHOD FOR SELECTING POLICY DECISION FUNCTIONAL ENTITY IN A RESOURCE AND ADMISSION CONTROL SYSTEM - The present invention discloses a method for selecting policy decision functional entity in the Resource and Admission Control System. The method includes that: for resource and admission control in the PULL mode, after the Transport Resource Control Function Entity (TRC-FE) receives a resource request message from the Customer Premises Equipment (CPE) or after the Policy Enforcement Function Entity (PE-FE) receives a transport layer signaling sent by CPE, if the TRC-FE or PE-FE is interacting with more than one Policy Decision Functional Entities (PD-FEs), the TRC-FE or the PE-FE may select a PD-FE according to the stored identification information of PD-FE or statically configured PD-FE, and send a resource decision request message to the selected PD-FE. With the application of the present invention, in resource and admission control in the PULL mode, after receiving the resource request initiated by CPE through the transport layer signaling message, the TRC-FE or PE-FE may select the exact PD-FE to implement the resource reservation process, thereby resolving the problem in prior art that during the resource and admission control process the TRC-FE or PE-FE cannot select the exact PD-FE to send resource decision requests. | 12-30-2010 |
20100333172 | METHOD, APPARATUS AND SYSTEM FOR MONITORING DATABASE SECURITY - A system for monitoring database security includes a front-end probe that obtains network data information of a service system, a back-end probe that obtains database information accessed by the service system in a database system, and an analyzer that analyzes and integrates the obtained network data information and database information. The obtained network data information and database information are analyzed and integrated. The complete information about user operations at the front end of the service system and the front end of the database is obtained. User operations of the application system are associated with user operations of the database, and user operations can be audited completely. | 12-30-2010 |
20110004913 | ARCHITECTURE FOR SEAMLESS ENFORCEMENT OF SECURITY POLICIES WHEN ROAMING ACROSS IP SUBNETS IN IEEE 802.11 WIRELESS NETWORKS - In a network which includes a first subnet which includes a home wireless switch which includes at least one first interface, and a second subnet which includes a current wireless switch, a method is provided for applying a first set of original security policies associated with the at least one first interface to a packet transmitted from a particular wireless communication device after the particular wireless communication device roams from the first subnet to the second subnet. A method is also provided for applying a first set of original security policies associated with the at least one first interface to a packet being transmitted to a particular wireless communication device after the particular wireless communication device roams from the first subnet to the second subnet. | 01-06-2011 |
20110004914 | Methods and Apparatus for Identifying the Impact of Changes in Computer Networks - The impact of device configuration changes on operational issues and policy compliance in a computer network can be discerned from a visual data presentation that jointly shows representations of changes, issues, and policy compliance in a common view for a group of network devices. Configuration information is collected from devices in the computer network and processed to determine whether a change has occurred in a configuration of any of the devices, whether any operational issues exist for each of the devices, and whether any of the devices are not in compliance with any applicable operational policies. A display device displays the visual data presentation to allow an operator to see trends and relationships between device configuration changes and operational issues and incidents of policy non-compliance. The visual data presentation can be depicted as a graphical timeline view, a network topology view, or a table view of the information. | 01-06-2011 |
20110004915 | METHOD AND APPARATUS FOR MANAGING ACCESS TO IDENTITY INFORMATION - Various methods for managing access to identity information are provided. One example method includes accessing media content received via a broadcast. The media content may be formatted such that a presentation of the media content is adaptable based at least in part on user identity information. The example method may also include determining whether the user identity information is accessible for retrieval based at least in part on an access control rule. Similar and related example methods and example apparatuses are also provided. | 01-06-2011 |
20110004916 | SECURELY USING SERVICE PROVIDERS IN ELASTIC COMPUTING SYSTEMS AND ENVIRONMENTS - Access permission can be assigned to a particular individually executable portion of computer executable code (“component-specific access permission”) and enforced in connection with accessing the services of a service provider by the individually executable portion (or component). It should be noted that at least one of the individually executable portions can request the services when executed by a dynamically scalable computing resource provider. In addition, general and component-specific access permissions respectively associated with executable computer code as a whole or one of its specific portions (or components) can be cancelled or rendered inoperable in response to an explicit request for cancellation. | 01-06-2011 |
20110004917 | Integration Platform for Collecting Security Audit Trail - An audit processor is interposed between production servers and an auditing server, and is a client to both. The audit processor is an integration point, receiving security audit data from production servers, processing the data (e.g., converting the data from binary to text format), and sending processed audit trails to the auditing server. The audit processor includes data buffering capacity and flow control; accordingly, temporary unavailability of the auditing server does not impact the production servers. The production servers will purge stale audit data; accordingly, temporary unavailability of the audit processor does not impact the production servers. Since the audit processor may process security audit data according to any protocol or format imposed or requested by the auditing server, the production servers are unaffected by auditing server changes. The audit processor integrates production servers with existing auditing servers without jeopardizing the telecom grade availability of the wireless telecommunication network. | 01-06-2011 |
20110010751 | Systems and Methods for Self-Organizing Networks Using Dynamic Policies and Situation Semantics - Communication nodes, systems and methods are described which manage and process management information using dynamic semantic variable entities governed by a formal logic and upon which computations can be performed. Such semantic variable entities include, for example, management infons and/or management situations which can be used, for example, to manage policy enforcement in communication networks. Action logic is amalgamated with static situation semantics to enable dynamic policy enforcement in such networks. | 01-13-2011 |
20110010752 | ENABLING INCOMING VOIP CALLS BEHIND A NETWORK FIREWALL - A network device is configured to receive a registration message from a private user device including a private internet protocol (IP) address associated with the private user device. A public IP address and discrete port number are assigned to the private user device and private IP address and stored in an incoming call table. The registration message is translated to include the public IP address and discrete port number. The registration message is forwarded to a proxy server for registration. An incoming call invitation message is received from a public user device, where the call invitation message is directed to the public IP address and discrete port number associated with the private user device. The call invitation message is translated to include the private IP address associated with the private user device based on the received public IP address and discrete port number and the incoming call table. The call invitation message is forwarded to the private user device. | 01-13-2011 |
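The incoming-call-table mechanism summarised above, as an added example that is not code from the patent or its assignee. It models the NAT device assigning a public IP and a discrete port per private device, rewriting the Contact header of the outbound REGISTER, and mapping a later INVITE for that public tuple back to the private address. The message texts, the public address 203.0.113.10, the port range starting at 40000 and the simplified SIP parsing are assumptions of this example.

```python
import re
from dataclasses import dataclass

# Constructed example: NAT with an incoming call table for SIP. Header names are
# real SIP headers; addresses, ports and messages are made up for illustration.

PUBLIC_IP = "203.0.113.10"    # assumed public address of the NAT device (documentation range)
FIRST_DISCRETE_PORT = 40000   # assumed start of the per-device discrete port range

@dataclass
class Binding:
    private_ip: str
    private_port: int
    public_ip: str
    public_port: int

class IncomingCallTable:
    """Maps (public_ip, public_port) <-> (private_ip, private_port) for registered devices."""
    def __init__(self, public_ip=PUBLIC_IP, first_port=FIRST_DISCRETE_PORT):
        self.public_ip = public_ip
        self.next_port = first_port
        self.by_public = {}
        self.by_private = {}

    def register(self, private_ip, private_port):
        key = (private_ip, private_port)
        if key not in self.by_private:
            b = Binding(private_ip, private_port, self.public_ip, self.next_port)
            self.next_port += 1
            self.by_private[key] = b
            self.by_public[(b.public_ip, b.public_port)] = b
        return self.by_private[key]

    def lookup_public(self, public_ip, public_port):
        return self.by_public.get((public_ip, public_port))

_CONTACT = re.compile(r"^(Contact:\s*<sip:[^@>]+@)([\d.]+):(\d+)(>.*)$", re.M)
_INVITE_LINE = re.compile(r"^(INVITE sip:[^@]+@)([\d.]+):(\d+)( SIP/2\.0)$", re.M)

def translate_register(msg, table):
    """Rewrite the Contact header of an outbound REGISTER with the assigned public tuple."""
    m = _CONTACT.search(msg)
    if not m:
        raise ValueError("REGISTER without a parsable Contact header")
    b = table.register(m.group(2), int(m.group(3)))
    return _CONTACT.sub(lambda mm: f"{mm.group(1)}{b.public_ip}:{b.public_port}{mm.group(4)}",
                        msg, count=1)

def translate_invite(msg, table):
    """Map an inbound INVITE for a public tuple back to the private device; None if unregistered."""
    m = _INVITE_LINE.search(msg)
    if not m:
        return None
    b = table.lookup_public(m.group(2), int(m.group(3)))
    if b is None:
        return None   # no registration behind this tuple: the firewall keeps dropping the call
    return _INVITE_LINE.sub(lambda mm: f"{mm.group(1)}{b.private_ip}:{b.private_port}{mm.group(4)}",
                            msg, count=1)

# Constructed sample messages.
REGISTER = ("REGISTER sip:proxy.example.net SIP/2.0\n"
            "From: <sip:alice@example.net>\n"
            "Contact: <sip:alice@192.168.1.20:5060>\n")
INVITE = ("INVITE sip:alice@203.0.113.10:40000 SIP/2.0\n"
          "From: <sip:bob@example.org>\n")

def demo():
    table = IncomingCallTable()
    outbound = translate_register(REGISTER, table)   # Contact now carries 203.0.113.10:40000
    inbound = translate_invite(INVITE, table)        # request line now targets 192.168.1.20:5060
    return outbound, inbound

if __name__ == "__main__":
    for msg in demo():
        print(msg)
```

A real implementation must also rewrite the Via header and the SDP media lines, and the per-device port must be refused to anyone who has not registered, which is what the `None` return models.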
20110010753 | METHOD FOR DATA TRANSFER IN A NETWORK - A sophisticated gateway is connectable with at least one device, further sophisticated gateways, and/or a network. The sophisticated gateway includes an emulator proxy module and/or a presenter proxy module. The emulator proxy module receives higher layer data of a higher network layer, and processes the higher layer data thereby generating second intermediate layer data of an intermediate network layer. The processing includes a security function ensuring that the second intermediate layer data conform with a predetermined security level. The presenter proxy module receives and/or processes first intermediate layer data thereby generating the higher layer data. The processing within the presenter proxy module includes a security function ensuring that the higher layer data conform with a predetermined security level. | 01-13-2011 |
20110010754 | ACCESS CONTROL SYSTEM, ACCESS CONTROL METHOD, AND RECORDING MEDIUM - When access control implementing sections of many types, differing according to the object they protect, are connected simultaneously, an access control list for each access control implementing section is generated in the format corresponding to that section, and the transfer to each section is executed collectively based on a single access control policy. Specifically, access control lists that differ for every access control implementing section are generated from the same access control policy, based on the relation between an object and its access control implementing section. A setting file in a format specific to each access control implementing section is generated from the access control list, which is described in a format that does not depend on the kind of access control implementing section, based on the relation between the format template of the setting file describing the contents of the access control list and the access control implementing section. The setting file is distributed based on the relation between the distribution destination of the setting file and the access control implementing section. | 01-13-2011 |
20110016507 | State-Updating Authorization - State-updating authorization is described. In an embodiment, an authorization system comprises an authorization node, a storage device and a reference monitor. The authorization node executes an authorization policy, and the storage device stores an authorization state associated with the authorization policy. Requests for access to a secured resource are received at the reference monitor, and the reference monitor queries the authorization node, which uses the authorization policy to determine whether to grant access to the secured resource based on a rule having at least one access condition. The rule, executed as part of the authorization policy on the authorization node, is configured to update all the entries in the authorization state for which an update condition is met. | 01-20-2011 |
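The reference-monitor / authorization-node split with a state-updating rule, as an added example that is not code from the patent or its assignee. The rule carries an access condition and an update condition; after a grant, every authorization-state entry meeting the update condition is updated. The policy used is a Chinese-wall style rule (accessing one dataset locks its competitors for that user), which is an assumption of this example, as are the user, dataset and conflict-class names.

```python
from dataclasses import dataclass
from typing import Callable

# Constructed example of state-updating authorization. The Chinese-wall rule,
# the entries and the names are assumptions for illustration.

@dataclass
class Entry:
    user: str
    dataset: str
    conflict_class: str   # datasets in one class compete; accessing one locks the others
    allowed: bool = True

@dataclass
class Rule:
    """One access condition plus the update condition and action applied after a grant."""
    access_condition: Callable[[Entry], bool]
    update_condition: Callable[[Entry, Entry], bool]
    update_action: Callable[[Entry], None]

class AuthorizationNode:
    def __init__(self, state, rule):
        self.state = state   # list[Entry]: the stored authorization state
        self.rule = rule     # the authorization policy, reduced to a single rule here

    def decide(self, user, dataset):
        target = next((e for e in self.state if e.user == user and e.dataset == dataset), None)
        if target is None or not self.rule.access_condition(target):
            return False
        # Grant, then update all entries for which the update condition is met.
        for entry in self.state:
            if self.rule.update_condition(target, entry):
                self.rule.update_action(entry)
        return True

class ReferenceMonitor:
    """Receives access requests and defers the decision to the authorization node."""
    def __init__(self, node):
        self.node = node

    def request(self, user, dataset):
        return self.node.decide(user, dataset)

def chinese_wall_rule():
    return Rule(
        access_condition=lambda e: e.allowed,
        update_condition=lambda t, e: (e.user == t.user and e.conflict_class == t.conflict_class
                                       and e.dataset != t.dataset),
        update_action=lambda e: setattr(e, "allowed", False),
    )

def build_state():
    # Constructed state: alice may initially see both banks and the oil company.
    return [Entry("alice", "bank_a", "banks"),
            Entry("alice", "bank_b", "banks"),
            Entry("alice", "oil_x", "oil")]

def scenario():
    monitor = ReferenceMonitor(AuthorizationNode(build_state(), chinese_wall_rule()))
    first = monitor.request("alice", "bank_a")    # granted
    second = monitor.request("alice", "bank_b")   # denied: locked by the first grant
    third = monitor.request("alice", "oil_x")     # granted: different conflict class
    again = monitor.request("alice", "bank_a")    # granted: the accessed entry stays allowed
    return first, second, third, again
```

The update runs inside the decision, so the monitor never has to know the policy's side effects; the state change is visible to the very next request.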
20110016508 | Security Deployment System - To address security issues that can arise in information systems, the present invention uses novel methods and/or systems to enhance security, using a new way to deploy selected security policies. Instead of modifying a whole binary file all at once to add code that implements additional security policies, the invention modifies the code in memory in a piecemeal, as-needed fashion. | 01-20-2011 |
20110016509 | Method And Apparatus For Passing Security Configuration Information Between A Client And A Security Policy Server - Techniques for passing security configuration information between a security policy server and a client include the client forming a request for security configuration information that configures the client for secure communications. The client is separated by an untrusted network from a trusted network that includes the security policy server. A tag is generated that indicates a generic security configuration attribute. An Internet Security Association and Key Management Protocol (ISAKMP) configuration mode request message is sent to a security gateway on an edge of the trusted network connected to the untrusted network. The message includes the request in association with the tag. The gateway sends the request associated with the tag to the security policy server on the trusted network and does not interpret the request. The techniques allow client configuration extensions to be added by modifying the policy server or security client, or both, without modifying the gateway. | 01-20-2011 |
20110016510 | SECRET INFORMATION MANAGEMENT APPARATUS, INFORMATION PROCESSING APPARATUS, AND SECRET INFORMATION MANAGEMENT SYSTEM - Secret key backup is safely implemented even if a role base access structure in which the access structure is specified using roles is used. An all combination generating unit | 01-20-2011 |
20110023082 | TECHNIQUES FOR ENFORCING APPLICATION ENVIRONMENT BASED SECURITY POLICIES USING ROLE BASED ACCESS CONTROL - An application platform examines, at runtime, various specified aspects of an application environment in which an application interacts with a user. Such examinations are made to determine a state for each of the various specified aspects. Further, the platform automatically activates particular application environment roles for the user depending on the result of the examinations. For example, an application environment role may be activated representing a particular detected mode of communication (e.g., encrypted network communications) or a particular detected manner of authentication (e.g., password authentication). Such activations are based on the detected states and specified states for the various specified aspects of the application environment. Such activations may occur in the context of an application attempting to perform an operation on an access controlled object on behalf of a user. Further, such activations may occur in the context of establishing or maintaining a user session for a user of an application. | 01-27-2011 |
20110023083 | METHOD AND APPARATUS FOR DIGITAL RIGHTS MANAGEMENT FOR USE IN MOBILE COMMUNICATION TERMINAL - A digital rights management (DRM) apparatus in a mobile terminal includes DRM middleware that makes different types of DRM systems compatible. The DRM middleware includes at least one plug-in module to perform a conversion between different types of DRM contents. A part of the at least one plug-in module is downloaded in real time from a server and is executed. A part of the at least one plug-in module is executed by a server by remote control through a plug-in interface. | 01-27-2011 |
20110023084 | PROTECTION OF COMPUTER RESOURCES - In one embodiment, local software code present in a computer system enables real-time detection of whether the computer system is properly protected against malicious attacks from harmful software. For example, software code such as one or more agents executing in the computer system support real-time protection validation based upon detection of the behavior of the computer system (as opposed to mere detection of the presence of resources or applications in the computer system). In response to detecting that the computer system or an application accesses or provides a particular type of resource and should be protected via one or more appropriate protection policies, if the computer system is not already protected, an agent of the computer system can provide immediate remediation (e.g., a security measure) to temporarily protect the computer system until the appropriate protection policy can be activated to protect the computer system against malicious software threats. | 01-27-2011 |
20110023085 | INFORMATION PROCESSING APPARATUS, CONTROL METHOD OF THE INFORMATION PROCESSING APPARATUS, STORAGE MEDIUM, AND PROGRAM - An information processing apparatus registers policy information with a suitable order of priority while reducing the burden on the user. When policy information used for communication with a communication partner is to be registered in a storage unit, and the address of that partner falls within the address range of a partner of policy information already stored in the storage unit, the apparatus restricts the registration so that the new policy information cannot be given a lower order of priority than the already-stored policy information whose address range includes the new partner's address. | 01-27-2011 |
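The registration constraint summarised above, as an added example that is not code from the patent or its assignee: a policy for a partner address that lies inside the address range of a stored policy must not be placed behind that broader policy, otherwise the broad rule would shadow the specific one. Lower numbers meaning higher priority, the automatic placement of an unspecified priority, and the policy names and addresses are assumptions of this example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed example of priority-ordered policy registration. Conventions and
# data are assumptions for illustration, not taken from the patent.

@dataclass
class Policy:
    name: str
    partner: ipaddress.IPv4Network   # address or range of the communication partner
    priority: int                    # smaller value = evaluated first

class PolicyOrderError(ValueError):
    pass

class PolicyStore:
    def __init__(self):
        self.policies = []

    def broader_than(self, partner):
        """Stored policies whose address range strictly includes the new partner range."""
        return [p for p in self.policies if partner != p.partner and partner.subnet_of(p.partner)]

    def register(self, name, partner, priority=None):
        partner = ipaddress.ip_network(partner, strict=False)
        broader = self.broader_than(partner)
        if broader:
            best_broad = min(p.priority for p in broader)
            if priority is None:
                priority = best_broad - 1    # auto-place ahead of every broader rule
            elif priority >= best_broad:
                shadowing = [p.name for p in broader if p.priority <= priority]
                raise PolicyOrderError(f"{name}: priority {priority} would be shadowed by {shadowing}")
        elif priority is None:
            priority = max((p.priority for p in self.policies), default=0) + 1
        pol = Policy(name, partner, priority)
        self.policies.append(pol)
        self.policies.sort(key=lambda p: p.priority)
        return pol

    def match(self, address):
        """First policy in priority order whose partner range contains the address."""
        addr = ipaddress.ip_address(address)
        return next((p for p in self.policies if addr in p.partner), None)

def scenario():
    store = PolicyStore()
    store.register("corp-default", "10.0.0.0/8", priority=10)
    host = store.register("finance-host", "10.0.1.5/32")          # auto-assigned priority 9
    try:
        store.register("bad-host", "10.0.1.6/32", priority=20)    # would sit behind corp-default
        rejected = False
    except PolicyOrderError:
        rejected = True
    return host.priority, rejected, store.match("10.0.1.5").name, store.match("10.9.9.9").name
```

The check is the same one a firewall or IPsec policy editor should make: a host-specific rule that is evaluated after a covering subnet rule is dead configuration, and silently accepting it is how "the exception never fires" tickets start.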
20110030028 | Extensible Protocol Validation - A method comprises operations for receiving a binary data structure including a portion representing a protocol validation specification expressed in a respective protocol validation specification language and for receiving a security policy rule having an action part specifying that the binary data structure is to be used for verifying that application protocol payload of network packets complies with the protocol validation specification. After receiving the binary data structure and the security policy rule, an operation is performed for verifying that application protocol payload of received network packets complies with the protocol validation specification. Such verifying is initiated in response to determining that the security policy rule applies to the received network packets and such verifying includes validating the application protocol payload of the received network packets against the binary data structure. | 02-03-2011 |
20110030029 | REMOTE MANAGEMENT AND NETWORK ACCESS CONTROL OF PRINTING DEVICES WITHIN SECURE NETWORKS - Systems and methods are disclosed for enabling remote management of printing devices and for providing access control of printing devices within secure health policy based networks. A printing device transmits device status information to a status server and operational health information to a compliance server. The compliance server receives a health policy for the network from the status server. The compliance server evaluates the operational health information using the health policy and configures the printing device for operations within a secure portion of the network if the operational health information is in compliance with the health policy. | 02-03-2011 |
20110030030 | UNIVERSAL SERIAL BUS - HARDWARE FIREWALL (USB-HF) ADAPTOR - A system and method in accordance with the present invention provides a protected area for software to execute on a separate hardware firewall adaptor when a storage device is operating in an unprotected environment when connected to an uncontrolled or unmonitored host system. This software provides security through a plurality of security, access management and monitoring (SAMM) applications when a USB storage device is connected to a computer in an uncontrolled, unprotected environment. | 02-03-2011 |
20110030031 | Systems and Methods for Receiving, Processing and Organizing of Content Including Video - Methods and systems for receiving, processing and organizing video. Organizational tools are provided that allow users the capacity to solicit, mine, clip, aggregate, organize, and search submitted footage. These tools include: a set of electronic folders, a media clipper and a media submit portal. Studios, projects, folders and subfolders exist in a hierarchical relationship in order to arrange media. The hierarchy of folders created by producers may be made accessible by the public for the purpose of submitting media to a particular project. Various content creators may upload video to the system, may create electronic video clips from the uploaded video by selecting subportions of that video, and may submit the electronic video clips to a specific folder which is associated with a project. Producers may view various folders to select submitted video clips for use in a project. | 02-03-2011 |
20110035781 | Distributed data search, audit and analytics - A system that comprises of a set of components that interact together to achieve large-scale distributed data auditing, searching, and analytics. Traditional systems require auditing data to be captured and centralized for analytics, which leads to scaling and bottleneck issues (both on network and processing side). Unlike these systems, the system described herein leverages the combination of distributed storage and intelligence, along with centralized policy intelligence and coordination, to allow for large-scale data auditing that scales. This architecture allows for data auditing in “billions” of events, unlike traditional architectures that struggled in the realm of “millions” of events. | 02-10-2011 |
20110035782 | METHOD, APPARATUS AND SYSTEM FOR UPDATING PCC RULES - A method, an apparatus, and a system for updating PCC rules are disclosed herein to ensure normal process of the user service in the process of updating the PCC rules. A method for updating PCC rules includes: obtaining a response made by a PCEF after the PCEF updates the PCC rules; and keeping consistency between PCC rules stored in the PCRF and the PCC rules currently executed in the PCEF according to the obtained response. | 02-10-2011 |
20110035783 | CONFIDENTIAL INFORMATION LEAK PREVENTION SYSTEM AND CONFIDENTIAL INFORMATION LEAK PREVENTION METHOD - There is provided a confidential information leak prevention system in which confidential information and normal information can be simultaneously used without switching an execution environment, and which can prevent information from being leaked. An application behavior controlling unit ( | 02-10-2011 |
20110041158 | System and method for message handling - Systems and methods employable, for example, in the handling of various electronically-dispatched messages, fiber-optic or light based messages, wireless based messages, and/or the like. According to various such systems and methods, in the case where a dispatched message is, for instance, found to be inadequate, undesirable, and/or not wanted or the like in some way, an entity receiving the message and/or one or more entities associated with the recipient entity may, for example, come to possess all or some of funds required by network rules, database rules, file based rules, message based rules, in memory based rules, computer program based rules and/or the like to be made available for possession by the sender (either directly or indirectly) of the message in association with the message. | 02-17-2011 |
20110047589 | DYNAMIC SWITCHING OF SECURITY CONFIGURATIONS - Disclosed is a computer implemented method, computer program product, and apparatus to switch security configurations. A data processing system accesses a first security configuration via a thread of execution, wherein a security configuration comprises at least one security parameter. The thread receives an incoming request. The thread switches to a second security configuration that specifies a resource, based on the incoming request, responsive to receiving the incoming request. The thread stores the second security configuration or a reference to the second security configuration to a stack. The thread authenticates the incoming request based on the second security configuration. The thread grants or denies access to the resource. The thread executes a method referenced in the incoming request. The thread restores to a first security configuration, responsive to completing the method. | 02-24-2011 |
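The configuration-stack behaviour described above, as an added example that is not code from the patent or its assignee. A thread starts under a first configuration, switches to the one named by the incoming request, pushes it on a stack, authenticates and authorizes under it, runs the requested method, and restores the first configuration on completion, including when the method raises. Configuration names, realms, users, the resource names and plain-text passwords are assumptions of this example.

```python
import hmac
from contextlib import contextmanager

# Constructed example of dynamic switching of security configurations using a
# per-thread stack. All names, users and resources are made up; passwords are
# kept in plain text only to keep the illustration short.

class SecurityConfig:
    def __init__(self, name, realm, users, resource, allowed):
        self.name = name
        self.realm = realm
        self.users = users        # username -> password (assumption: plain text for illustration)
        self.resource = resource  # resource this configuration guards
        self.allowed = allowed    # usernames permitted to reach the resource

class SecurityContext:
    """Per-thread stack of configurations; the top entry is the active one."""
    def __init__(self, first):
        self._stack = [first]

    @property
    def active(self):
        return self._stack[-1]

    @contextmanager
    def switched_to(self, config):
        self._stack.append(config)      # store the second configuration on the stack
        try:
            yield config
        finally:
            self._stack.pop()           # restore the previous configuration, even on error

FIRST = SecurityConfig("default", "default-realm", {}, None, set())
CONFIGS = {
    "billing": SecurityConfig("billing", "billing-realm", {"alice": "s3cret"}, "invoice_db", {"alice"}),
    "public": SecurityConfig("public", "public-realm", {}, "catalog", set()),
}

def handle_request(ctx, request):
    """request = {"config", "user", "password", "method"}; returns a status or the method's result."""
    config = CONFIGS.get(request["config"])
    if config is None:
        return "unknown-config"
    with ctx.switched_to(config):
        stored = config.users.get(request["user"], "")
        if not hmac.compare_digest(stored, request["password"]):   # authenticate under config 2
            return "denied-auth"
        if request["user"] not in config.allowed:                  # grant or deny the resource
            return "denied-authz"
        return request["method"]()                                 # execute the referenced method

def scenario():
    ctx = SecurityContext(FIRST)
    ok = handle_request(ctx, {"config": "billing", "user": "alice", "password": "s3cret",
                              "method": lambda: "invoice-list"})
    after_ok = ctx.active.name
    bad = handle_request(ctx, {"config": "billing", "user": "alice", "password": "wrong",
                               "method": lambda: "invoice-list"})
    def failing():
        raise RuntimeError("method failed")
    try:
        handle_request(ctx, {"config": "billing", "user": "alice", "password": "s3cret", "method": failing})
    except RuntimeError:
        pass
    after_exc = ctx.active.name   # still "default": the stack unwound despite the exception
    return ok, after_ok, bad, after_exc
```

The `finally` pop is the point of the stack: if restoration only happened on the success path, a method that threw would leave the thread running under the elevated configuration for the next request it serves.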
20110047590 | APPARATUS, SYSTEM, AND METHOD FOR SHARING REFERENCED CONTENT THROUGH COLLABORATIVE BUSINESS APPLICATIONS - An apparatus, system, and method are disclosed for sharing referenced content through collaborative business applications. The method includes detecting referenced content in an electronic communication. The referenced content references content stored in an external repository. The referenced content identifies a registered external repository connector. The method also includes determining that an Access Control List (“ACL”) for the referenced content lacks an entry for a recipient of the electronic communication. The method includes generating an ACL entry for the recipient in response to the recipient lacking an entry in the ACL for the referenced content. The ACL entry controls access to the referenced content for the recipient. The ACL entry is defined based on a security policy associated with the recipient. | 02-24-2011 |
20110047591 | APPLICATION NETWORK COMMUNICATION METHOD AND APPARATUS - A method and apparatus is provided to discover and integrate applications in an application router framework. The discovery operation includes receiving a registration notification for an application on a network, adding information describing the application to a repository into a data structure and publishing the data structure onto an application router. The association operations include querying one or more application routers on an application network for meta-data and other information on applications, exchanging the meta-data and other information between the application routers and associating the applications together automatically using their respective application protocols. Routing operations include receiving application information in an application protocol format, converting the application information in the application protocol format into a neutral protocol format and forwarding the application information in the neutral protocol format along with state information to other application router devices on the network. | 02-24-2011 |
20110047592 | PRE-REGISTRATION SECURITY SUPPORT IN MULTI-TECHNOLOGY INTERWORKING - Pre-registration security support in a multiple access technology environment is disclosed. For example, a method is disclosed for use in a computing device of a communication system. The communication system supports two or more access technologies for permitting a communication device to access the communication system, and at least part of a first security context is generated at the computing device for a given communication device permitting the given communication device to access the communication system via a first access technology. The method comprises generating at the computing device at least part of at least a second security context for the given communication device such that the given communication device is pre-registered to access the communication system via at least a second access technology while maintaining the first security context such that the given communication device continues to access the communication system via the first access technology and is pre-registered to subsequently access the communication system via the second access technology. | 02-24-2011 |
20110047593 | SYSTEM AND METHOD FOR SECURE MANAGEMENT OF TRANSACTIONS - Secure management of electronic transactions is provided by a system server that is communicatively coupled to terminals configured as thin client devices (TCD) and to one or more application servers. A TCD completes a secure communications link with the system server, and transfers information concerning the identity of a user and account information from a secure transaction card (STC). Upon authentication, the system server drives the display of available applications at the TCD, allowing the user to select and engage in a desired transaction with the application server hosting the selected application. During the transaction, the system server brokers communications according to the different security schemes used by the TCD and the application server and, ultimately, stores a transaction ticket that memorializes the transaction. The transaction ticket can later be retrieved by presenting appropriate authentication information. | 02-24-2011 |
20110047594 | SYSTEM AND METHOD FOR MOBILE COMMUNICATION DEVICE APPLICATION ADVISEMENT - This disclosure is directed to a system and method for providing advisement about applications on mobile communication devices such as smartphones, netbooks, and tablets. A server gathers data about mobile applications, analyzes the applications, and produces an assessment that may advise users on a variety of factors, including security, privacy, battery impact, performance impact, and network usage. The disclosure helps users understand the impact of applications to improve the experience in using their mobile device. The disclosure also enables a server to feed information about applications to other protection systems such as application policy systems and network infrastructure. The disclosure also enables advisement about applications to be presented in a variety of forms, such as through a mobile application, as part of a web application, or integrated into other services via an API. | 02-24-2011 |
20110055890 | METHOD AND SYSTEM TO CONFIGURE SECURITY RIGHTS BASED ON CONTEXTUAL INFORMATION - Disclosed are methods and systems for modifying access to a business intelligence report on a client computing device according to contextual information of a user. The method includes obtaining a context update message from a context acquisition model associated with the client computing device through one or more software interfaces provided by the context acquisition model, retrieving one or more security policies associated with the contextual information of the user, applying the one or more security policies to the business intelligence report according to the contextual information of the user, and displaying the business intelligence report on the client computing device to the user according to the one or more security policies. | 03-03-2011 |
20110061089 | DIFFERENTIAL SECURITY POLICIES IN EMAIL SYSTEMS - A differential message security policy includes receiving information regarding activities of a user, determining a security risk for the user based on the activities of the user, and setting a security policy for the user based on the security risk. The security policy of the user may be modified based on a change in the security risk of the user or the security risk of the user exceeding a predetermined level. The security risk may be determined based on an aggregated scoring system that uses security variables related to the activities of the user. | 03-10-2011 |
20110067084 | METHOD AND APPARATUS FOR SECURING A DATABASE CONFIGURATION - One embodiment of the present invention provides a system that secures a database configuration from undesired modifications. This system allows a security officer to issue a configuration-locking command, which activates a lock for the configuration of a database object. When a configuration lock is activated for a database object, the system prevents a user (e.g., a database administrator) from modifying the configuration of the database object, without restricting the user from accessing the database object itself. The security officer is a trusted user that is responsible for maintaining the stability of the database configuration, such that a configuration lock activated by the security officer preserves the database configuration by overriding the privileges assigned to a database administrator. | 03-17-2011 |
20110067085 | METHOD FOR DELIVERING DYNAMIC POLICY RULES TO AN END USER, ACCORDING ON HIS/HER ACCOUNT BALANCE AND SERVICE SUBSCRIPTION LEVEL, IN A TELECOMMUNICATION NETWORK - The method comprises the steps of: | 03-17-2011 |
20110072486 | System, Method, and Software for Enforcing Access Control Policy Rules on Utility Computing Virtualization in Cloud Computing Systems - According to one embodiment, a system comprises one or more processors coupled to a memory and executing logic. A policy life cycle component is configured to maintain a repository of security policies. The repository of security policies comprises policies governing access to a virtual host and to a plurality of virtual machines running on the virtual host. The policy life cycle component is also configured to issue a compound policy for an identified virtual operating system running on the virtual host. The compound policy provides a virtual host policy and access rules for each of the plurality of virtual machines running on the virtual host. A topology manager is configured to receive the compound policy from the policy life cycle component, assign the compound policy to an access control agent, and maintain a security policy topology. The security policy topology stores associations between access control agents and compound policies. | 03-24-2011 |
20110072487 | System, Method, and Software for Providing Access Control Enforcement Capabilities in Cloud Computing Systems - According to one embodiment, a system comprises one or more processors coupled to a memory. The one or more processors when executing logic encoded in the memory provide a topology manager. The topology manager is configured to maintain a security topology of a plurality of hosts. The security topology associates one or more virtual hosts policies with a plurality of virtual hosts in a cloud computing deployment. The topology manager is also configured to request a query for one or more hosts that are candidates to be enforced. A portability manager is configured to receive a request to deploy an access control agent on the one or more candidate hosts, determine an optimal agent to be deployed from a list of available agents, and deploy the optimal agent on the one or more candidate hosts. | 03-24-2011 |
20110072488 | METHOD AND APPARATUS FOR AUTHENTICATION - A method and an apparatus for authentication are disclosed. The method includes: deciding to release a connection or continue a current service according to native information and network policy after an AKA authentication procedure fails. When the EPS AKA authentication procedure fails, the connection is not released immediately in the present invention, but the connection is released or the current service is continued according to the native information and network policy, thus avoiding unnecessary release of connections and saving resources. | 03-24-2011 |
20110072489 | METHODS, DEVICES, AND MEDIA FOR SECURELY UTILIZING A NON-SECURED, DISTRIBUTED, VIRTUALIZED NETWORK RESOURCE WITH APPLICATIONS TO CLOUD-COMPUTING SECURITY AND MANAGEMENT - The present invention discloses methods, devices, and media for securely utilizing a non-secured, distributed, virtualized network resource with applications to cloud-computing security and management. Methods including the steps of: receiving, by a deployed security mechanism, a user request over a network; parsing the user request by the deployed security mechanism; preparing, including applying security measures, the user request to transmit to a computing-service resource; and submitting, by the deployed security mechanism, the user request to the computing-service resource. Methods further including the steps of: dividing an original data stream into a set of split data streams; applying a first invertible transformation function to the split data streams, which produces an intermediate set of data streams; and extracting a final set of data streams from the intermediate set by applying a selection rule which produces the final set, thereby transforming the original data stream into individually-unintelligible parts. | 03-24-2011 |
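The splitting step sketched above, as an added example that is not code from the patent or its assignee: an original byte stream becomes k parts that are individually unintelligible and is restored by an inverse transform. The abstract does not name the invertible transformation, so this example assumes XOR splitting with a fresh one-time pad per part, which gives k-of-k reconstruction; the provider names and sample record are also assumptions.

```python
import os
from functools import reduce

# Constructed example: XOR splitting of a data stream into individually random
# parts. The transform choice and the provider names are assumptions.

def xor_bytes(a, b):
    if len(a) != len(b):
        raise ValueError("streams must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))

def split_stream(data, k, rng=os.urandom):
    """Return k parts; all k are needed to rebuild data, and any k-1 of them leak nothing."""
    if k < 2:
        raise ValueError("need at least two parts")
    pads = [rng(len(data)) for _ in range(k - 1)]   # invertible transformation: one-time pads
    last = reduce(xor_bytes, pads, data)            # the residue that closes the XOR sum
    return pads + [last]

def join_stream(parts):
    """Inverse transform: XOR of all parts restores the original stream."""
    return reduce(xor_bytes, parts)

def split_and_store(data, k):
    """Model k independent, non-trusted storage providers that each hold exactly one part."""
    parts = split_stream(data, k)
    return {f"provider-{i}": part for i, part in enumerate(parts)}   # names are made up

def restore(providers):
    return join_stream(list(providers.values()))

if __name__ == "__main__":
    record = b"customer-record: acct=12345678 balance=9000"   # constructed sample
    held = split_and_store(record, 3)
    assert restore(held) == record
    print({name: part.hex()[:16] + "..." for name, part in held.items()})
```

Because every part is a uniformly random string of the original's length, a single compromised provider learns only the length; the cost is that losing any one provider loses the data, which is why real deployments pair this with replication or a threshold scheme.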
20110072490 | METHOD AND APPARATUS FOR CONSTRUCTING AN ACCESS CONTROL MATRIX FOR A SET-TOP BOX SECURITY - In multimedia systems requiring secure access, a method and apparatus for constructing an access control matrix for a set-top box security processor are provided. A security processor may comprise multiple security components and may support multiple user modes. For each user mode supported, at least one access rule table may be generated to indicate access rules to a security component in the security processor. An access control list comprises information regarding the access rules for a particular user mode to the security components in the security processor. An access control matrix may be generated based on the access control lists for the user modes supported by the security component. The access control matrix may be implemented and/or stored in the security processor for verifying access rights of a user mode. Results of operations associated with security components may be transferred to other processors communicatively coupled to the security processor. | 03-24-2011 |
20110078758 | METHOD AND DEVICE FOR CONTROLLING USE OF CONTEXT INFORMATION OF A USER - A method and device for controlling use of context information of a user includes establishing a context policy enforcement engine on a mobile computing device. The context policy enforcement engine may be embodied as software and/or hardware components. The context policy enforcement engine retrieves context policy data in response to receiving a request for context information related to a user. The context policy data defines a set of context rules for responding to context requests. The context policy enforcement engine responds to the request based on the set of context rules. | 03-31-2011 |
20110078759 | Method and System For Automating Security Policy Definition Based On Recorded Transactions - Following development of an application, the application is deployed in a pre-production environment. A user role plays against that application, typically by performing one or more operations as a particular user in a particular group. As the operator role plays, access logs are written, and these logs are then analyzed and consolidated into a set of commands that drive a policy generator. The policy generator creates an optimized security policy that it then deploys to one or more enforcement points. In this manner, the framework enables automated configuration and deployment of one or more security policies. | 03-31-2011 |
20110078760 | SECURE DIRECT MEMORY ACCESS - A data processing system comprises a memory, a memory protection unit, and one or more IP units connected to the memory via the memory protection unit. The memory protection unit is arranged to logically partition the memory into different regions, to maintain a policy for each region, the policy defining access rights to the respective region and defining the safety status of data written in the respective region, to check access requests writing data from a first region to a second region, and to refuse the access request if the safety status, according to the respective policy, of the written data in the second region is not maintained. | 03-31-2011 |
20110083159 | SYSTEM AND METHOD FOR ROLE DISCOVERY - According to one embodiment, a method for role determination includes detecting access to sensitive data and determining user information related to the access to sensitive data in response to detecting the access to sensitive data. The method also includes modifying at least one role in response to determining the user information related to the access to sensitive data. In addition, the method includes storing the modified at least one role. | 04-07-2011 |
20110093913 | MANAGEMENT OF ACCESS TO SERVICE IN AN ACCESS POINT - System(s) and method(s) are provided to configure access rights to wireless resources and telecommunication service(s) supplied through a set of access points (APs). Access to wireless resources is authorized by access attributes in access control list(s) (ACL(s)), while a profile of service attributes linked to the ACL(s) regulates provision of telecommunication service(s). Access and service attributes can be automatically or dynamically configured, at least in part, in response to changes in data that directly or indirectly affect an operation environment in which the set of APs is deployed. Automatic or dynamic configuration of access or service attributes enables control or coordination of wireless service provided through the set of APs; the degree of control or coordination is determined at least in part by enablement or disablement of disparate services for disparate devices at disparate access points at disparate times and with disparate service priority. | 04-21-2011 |
20110093914 | NETWORK POLICY MANAGEMENT AND EFFECTIVENESS SYSTEM - The present disclosure relates to a method and apparatus for maintaining policy compliance on a computer network. A system in accordance with some embodiments disclosed herein performs the steps of electronically monitoring network user compliance with a network security policy stored in a database, electronically evaluating network security policy compliance based on network user compliance and electronically undertaking a network policy compliance action in response to network security policy non-compliance. The network policy compliance actions may include automatically implementing a different network security policy selected from network security policies stored in the database, generating policy effectiveness reports and providing a retraining module to network users. | 04-21-2011 |
20110093915 | METHOD OF SECURING A CHANGING SCENE, CORRESPONDING DEVICE, SIGNAL AND COMPUTER PROGRAM, METHOD OF UPDATING A CHANGING SCENE, CORRESPONDING DEVICE AND COMPUTER PROGRAM - The invention relates to a method of securing a changing scene composed of at least one element and intended to be played back on a terminal. According to the invention, such a method comprises the following steps: creation ( | 04-21-2011 |
20110093916 | METHOD AND SYSTEM FOR RAPID ACCREDITATION/RE-ACCREDITATION OF AGILE IT ENVIRONMENTS, FOR EXAMPLE SERVICE ORIENTED ARCHITECTURE (SOA) - A system and method for managing and analyzing security requirements in reusable models. At least one functional model, at least one security implementation model, at least one requirement model, and meta models of the models are read by a reader. A correspondence between the functional model, security implementation model, and the requirements model is analyzed, whereby the correspondence indicates that compliance/security/accreditation requirements defined in the requirement model match with security objectives implemented by controls defined by the security implementation model. Next, it is determined whether correspondence is or is not given based on the analysis of the correspondence and then evidence is generated based on the analysis of the correspondence and the determination and the impact of changes is analyzed. | 04-21-2011 |
20110093917 | Hierarchical Policy Management - A system and method for administering access to a central resource by a remote access device. A system includes a remote access device and a computer executing a hierarchical policy manager. The remote access device requests access to a central resource. The hierarchical policy manager determines a policy for allowing the device to access the resource by evaluating access policies at a plurality of precedence levels of a policy hierarchy. The hierarchical policy manager allows the device to access the resource based on the policy set at the highest precedence level of the policy hierarchy at which access control is specified. | 04-21-2011 |
20110099602 | System and method for implementing adaptive security zones - A system for managing adaptive security zones in complex business operations is disclosed, comprising a rules engine adapted to receive events from a plurality of event sources and a security manager coupled to the rules engine via a data network, wherein upon receiving an event, the rules engine determines what rules, if any, are triggered by the event and, upon triggering a rule, the rules engine determines if the rule pertains to security and, if so, sends a notification message to the security manager informing it of the triggered event, and wherein the security manager, on receiving a notification message from the rules engine, automatically establishes a new security zone based at least in part on the contents of the notification message. | 04-28-2011 |
20110099603 | POLICY CONFIGURATION AND SIMULATION - Techniques for policy configuration and simulation are presented. A graphical user interface (GUI) permits a user to visualize network resources and their relationships to one another. The user can select a resource and receive another view within the GUI to see policies for that resource and relationships between the policies. The user can also select a particular policy and alter its configuration. The altered configuration can then be simulated within the network and the results presented back to the user within the GUI. | 04-28-2011 |
20110099604 | ACCESS CONTROL METHOD AND SYSTEM FOR PACKET DATA NETWORK, PCRF ENTITY - An access control method and system for packet data network, Policy and Charging Rules Function (PCRF) entity, the method includes: a policy and charging rules function entity receiving an indication of gateway control session establishment from a bearer binding and event report function entity, wherein the indication of gateway control session establishment carries a session identifier, and the session identifier is used to identify whether a user equipment accesses the same packet data network again or the bearer binding and event report function entity relocation occurs; the policy and charging rules function entity receiving the indication of gateway control session establishment, acquiring the session identifier, and judging whether the user equipment accesses the same packet data network again or the bearer binding and event report function entity relocation occurs according to the session identifier. | 04-28-2011 |
20110107391 | METHODS AND DEVICES FOR IMPLEMENTING NETWORK POLICY MECHANISMS - Embodiments of the invention provide a network device for implementing a host-based network policy mechanism, having a port for receiving packets wherein each packet identifies a host and a destination, and a processing engine configured to inspect packets received on the port, wherein if at least one of the packets matches a predetermined pattern, a rule regulating packet transmission originating from the host is defined and applied against subsequent packets received on the port. | 05-05-2011 |
20110107392 | MANAGEMENT OF OBSERVABLE COLLECTIONS OF VALUES - Architecture that establishes a mathematical duality between an asynchronous observable design pattern and a synchronous iterator design pattern. This provides a mechanism for processing multiple observable collections and asynchronous values associated with those collections, including situations where a single observable collection is directed to multiple subscribers or multiple observable collections are directed to a single subscriber. Operators are presented that facilitate multi-collection processing based on this proven duality. As a result of this duality, concurrent asynchronous and event-driven programs can be elegantly formulated. Consequently, asynchronous and event-based programming can now be unified into a single conceptual framework, based on sound mathematical principles such as monads and duality. | 05-05-2011 |
20110107393 | Enforcing a File Protection Policy by a Storage Device - A file attribute, which is called herein “enforcement bit”, is used for each file that is stored in a storage device. If the protection particulars associated with a stored file are allowed to be changed, the enforcement bit is set to a first value, and if the protection particulars or properties are not to be changed, the enforcement bit is set to a second value. When the storage device is connected to a host device, the storage device provides to the host device protection particulars and an enforcement bit, which collectively form a “file protection policy”, for each stored file in response to a file system read command that the host device issues, in order to notify the host device of files in the storage device whose protection particulars are allowed to be changed freely, and of files whose protection particulars are not allowed to be changed by unauthorized users or devices. | 05-05-2011 |
20110113466 | Systems and Methods for Processing and Managing Object-Related Data for use by a Plurality of Applications - A computer-implemented method for indexing data for use by a plurality of applications may include receiving a data object at a first application of a plurality of applications. The method may include tokenizing the common-form data object to extract tokens from the data object and creating an index of the tokens extracted from the data object, the index being formatted to be utilized by each of the plurality of applications. The method may further include storing the index in a database that is accessible by the plurality of applications. The plurality of applications may comprise two or more application types. Various other methods and systems are also disclosed. | 05-12-2011 |
20110113467 | SYSTEM AND METHOD FOR PREVENTING DATA LOSS USING VIRTUAL MACHINE WRAPPED APPLICATIONS - A method in one example implementation includes selecting at least one criterion for controlling data transmission from within a virtual machine. At least one application is included within the virtual machine, which includes a policy module. The selected criterion corresponds to at least one policy associated with the policy module. The method also includes evaluating the selected criterion of the policy to permit an attempt to transmit the data from within the virtual machine. In more specific embodiments, the policy may include a plurality of criteria with a first selected criterion permitting transmission of the data to a first application and a second selected criterion prohibiting transmission of the data to a second application. In another specific embodiment, the method may include updating the policy module through an administration module to modify the selected criterion. | 05-12-2011 |
20110113468 | ESTABLISHING AND ENFORCING SECURITY AND PRIVACY POLICIES IN WEB-BASED APPLICATIONS - Method, system, and computer code for implementing privacy protection in a web application, wherein the web application is executed in a web application language execution environment within a web server, the method containing the steps of: establishing at least one inbound tagging rule for tagging objects entering the web application language execution environment, referred to as inbound objects, according to a respective source of each of the inbound objects; assigning a tag to at least one of the inbound objects being operated on by the web application language execution environment based on the at least one inbound tagging rule; establishing at least one privacy rule for performing privacy actions on at least one object that is outbound from the web application language execution environment, referred to as outbound objects, according to a respective tag of each of the outbound objects; and performing a privacy action on the at least one outbound object being operated on by the web application language execution environment based on the at least one privacy rule. | 05-12-2011 |
20110113469 | Network synchronization system and information processing apparatus - In a network synchronization system, setting information synchronized among plural information processing apparatuses contains at least user information; user operating policy information; first equipment group information that prescribes a first equipment group to which the information processing apparatus belongs; and equipment operating policy information. The information processing apparatus includes a user authentication unit; a storage unit that stores the setting information and second equipment group information that prescribes a second equipment group to which the information processing apparatus belongs; and an operating policy generation unit that generates an applied operating policy to be applied to a login user. The operating policy generation unit generates, when the second equipment group information is contained in the first equipment group information, the applied operating policy in accordance with the equipment operating policy information corresponding to the first equipment group information in preference to the user operating policy information corresponding to authenticated user information. | 05-12-2011 |
20110113470 | MASHUP SERVICE DEVICE AND SYSTEM, AND METHOD FOR ESTABLISHING AND USING MASHUP SERVICE - A mashup service terminal, a mashup service server, a mashup service system, a method for establishing a mashup service, and a method for using a mashup service are provided. A user terminal capability is introduced into the mashup service as a service and an information source of a mashup application, so that a user can establish and use the mashup service conveniently and flexibly, and the user experience is improved. | 05-12-2011 |
20110113471 | METHOD AND APPARATUS FOR CONTEXT-BASED CONTENT MANAGEMENT - In one embodiment, a system for context-based management of cached content includes policy and context servers. The policy server makes policy decisions controlling, e.g., usage of a content cache by a user, based on a contextualized policy that includes one or more context-dependent policy rules. The context server collects context information for the user and generates the contextualized policy by inserting the updated context-parameter(s) into the context-dependent policy rule(s). The policy server thus obtains or otherwise updates the contextualized policy responsive to a policy decision request received from a caching agent operating as a policy enforcement point, and returns a policy decision to the caching agent. In support, the context server may be configured to collect context information for the user at least in part by receiving context information from a user agent associated with the user. | 05-12-2011 |
20110119729 | IDENTITY AND POLICY ENFORCED INTER-CLOUD AND INTRA-CLOUD CHANNEL - Techniques for identity and policy enforced cloud communications are presented. Cloud channel managers monitor messages occurring within a cloud or between independent clouds. Policy actions are enforced when processing the messages. The policy actions can include identity-based restrictions and the policy actions are specific to the messages and/or clouds within which the messages are being processed. | 05-19-2011 |
20110119730 | Enforcing Centralized Communication Policies - A system provides centralized policies to be applied in a distributed manner to all communication channels used by a set of mobile communication devices, including communication channels which do not pass through a centralized communication server, such as PIN-to-PIN communication channels. Such policies may include address-based and content-based policies. The system also allows all such communications to be archived. | 05-19-2011 |
20110119731 | INFORMATION PROCESSING APPARATUS AND METHOD OF SETTING SECURITY THEREOF - An information processing apparatus includes an accepting unit that accepts from a user a command relating to security; a setting unit that makes a setting relating to security of the information processing apparatus based upon the command from the user accepted by the accepting unit; a recording unit that performs the following operation in a case where the accepting unit has accepted a command for changing a security-related setting that has already been made by the setting unit: before the setting unit changes the security-related setting, the recording unit records an event, among events that occur in the information processing apparatus, the content of which will be different between a case where the security-related setting is changed and a case where the security-related setting is not changed; and a notification unit that notifies the user based upon the event that has been recorded by the recording unit. | 05-19-2011 |
20110119732 | SYSTEM AND METHOD FOR USER-CENTRIC AUTHORIZATION TO ACCESS USER-SPECIFIC INFORMATION - In a network computing environment, a user-centric system and method for controlling access to user-specific information maintained in association with a web-services service. When a web-services client desires access to the user-specific information, the client sends a request. The request identifies the reasons/intentions for accessing the desired information. The request is compared to the user's existing access permissions. If there is no existing access permission, the request is compared to the user's default preferences. If the default preferences permit the requested access, an access rule is created dynamically and the client's request is filled, without interrupting the user. If the default preferences do not permit the request to be filled, a consent user interface may be invoked. The consent user interface presents the user with one or more consent options, thereby permitting the user to control whether the client will be given access to the user-specific information. | 05-19-2011 |
20110119733 | ENFORCING POLICIES IN WIRELESS COMMUNICATION USING EXCHANGED IDENTITIES - Techniques for facilitating the exchange of information and transactions between two entities associated with two wireless devices when the devices are in close proximity to each other. A first device uses a first short range wireless capability to detect an identifier transmitted from a second device in proximity, ideally using existing radio capabilities such as Bluetooth (IEEE802.15.1-2002) or Wi-Fi (IEEE802.11). The detected identifier, being associated with the device, is also associated with an entity. Rather than directly exchanging application data flow between the two devices using the short range wireless capability, a second wireless capability allows for one or more of the devices to communicate with a central server via the internet, and perform the exchange of application data flow. By using a central server to draw on stored information and content associated with the entities the server can broker the exchange of information between the entities and the devices. | 05-19-2011 |
20110126259 | Gated Network Service - A method includes identifying at a gateway device of a network a plurality of devices connected to the network. The method includes monitoring network traffic at the gateway device and determining that a particular traffic flow associated with one of the plurality of devices violates a privacy constraint. The method also includes providing a risk assessment associated with the privacy constraint violation. The risk assessment is at least partially based on terms and conditions associated with a particular device of the plurality of devices. | 05-26-2011 |
20110126260 | ACCESS AUTHORIZATION HAVING EMBEDDED POLICIES - A facility for receiving an embedded policy is provided. The facility checks an application program image for the presence of an embedded policy. If an embedded policy is detected, the facility extracts the policy from within the application program image. The facility may then apply the extracted policy to the application program image before the application program image is loaded and/or executed. Moreover, the facility may check the application program image's integrity prior to extracting the embedded policy. | 05-26-2011 |
20110126261 | METHODS AND SYSTEMS FOR IMPLEMENTING SERVICE LEVEL CONSOLIDATED USER INFORMATION MANAGEMENT - Embodiments of the invention provide methods and systems for implementing service level consolidated user information management. According to one embodiment, a method comprises intercepting, at a policy enforcer, a manipulation request of data. The method may further include analyzing the request to determine which data the manipulation request is associated with and, based on that analysis, selecting a policy from a plurality of policies. Furthermore, the method may execute the selected policy. The policy may be configured to direct the policy enforcer to allow the manipulation request to pass through to the associated destination data system to process the request, delegate processing of the manipulation request to at least one of a plurality of data systems, or process the manipulation request by the policy enforcer. | 05-26-2011 |
20110126262 | SPECIFYING A SET OF FORBIDDEN PASSWORDS - Various embodiments are described for providing password approval on a device. The password approval includes getting the user password, generating at least one symbolically equivalent password and then comparing the at least one symbolically equivalent password with at least one specified forbidden password. The user password is disapproved if one of the symbolically equivalent passwords corresponds to the at least one forbidden password. | 05-26-2011 |
20110131627 | METHOD AND DEVICE FOR DATA PROCESSING AND COMMUNICATION SYSTEM COMPRISING SUCH DEVICE - A method and a device for data processing are provided comprising a first instance comprising at least one local trusted unit (LTU) and a local trust manager (LTM), the method comprising the step: The local trust manager provides a policy related information to the at least one local trusted unit and/or to a second instance. | 06-02-2011 |
20110131628 | SYSTEM AND METHOD FOR AUTOMATICALLY DISCOVERING SECURITY CLASSIFICATION OF HOSTS - A system and method for discovering security classifications of network areas includes representing actually allowed network flows and flows permitted by a security policy in a format that enables comparison. The actually allowed network flows and the security policy are provided in a networked computing environment including network areas, wherein each network area is a collection of one or more computing and network devices, and enterprise security policy defines security requirements for security classifications. An assignment of security classifications to network areas is determined by comparing the actually allowed network flows with the flows permitted by the security policy. | 06-02-2011 |
20110131629 | METHOD AND SYSTEM FOR CONTENT LEVEL REACTIVE AUTHORIZATION - Disclosed is a new system and method for the “Content-level Reactive Presence Authorization”, wherein the Presentity would be able to reactively authorize the Watcher requested contents of the Presentity's Presence Information. According to the system and method for the Content-level Reactive Presence Authorization, it is possible for the Presence Server to convey the identity of the Watchers and the protected contents to the Presentity on the states of the Watcher's requested contents of the Presence Information. According to the systems and methods, it is also possible for Presentity to specify the conditions when the Presence Server triggers such Content-level Reactive Presence Authorization. | 06-02-2011 |
20110138441 | MODEL BASED SYSTEMS MANAGEMENT IN VIRTUALIZED AND NON-VIRTUALIZED ENVIRONMENTS - Architecture that provides model-based systems management in virtualized and non-virtualized environments. A security component provides security models which define security requirements for services. A management component applies one or more of the security models during the lifecycle of virtual machines and services. The lifecycle can include initial deployment, expansion, moving servers, monitoring, and reporting. The architecture creates a formal description model of how a virtual machine or a service (composition of multiple virtual machines) is secured. The security requirements information can also be fed back to the general management system, which uses this information in its own activities, such as guiding the placement of workloads on servers, which can be security related. | 06-09-2011 |
20110138442 | AUTOMATED SECURITY CLASSIFICATION AND PROPAGATION OF VIRTUALIZED AND PHYSICAL VIRTUAL MACHINES - Architecture that provides additional data that can be obtained and employed in security models in order to provide security to services over the service lifecycle. The architecture automatically propagates security classifications throughout the lifecycle of the service, which can include initial deployment, expansion, moving servers, monitoring, and reporting, for example, and further include classification propagation from the workload (computer), classification propagation in the model, classification propagation according to the lineage of the storage location (e.g., virtual hard drive), status propagation in the model and classification based on data stored in the machine. | 06-09-2011 |
20110145884 | Policy Needs Assessment - Methods, computer readable media, and apparatuses for policy development and management are presented. One or more policy needs may be identified, and a score for each policy need may be determined. The score for each policy need may be determined based on audit issue closure date information, legal compliance information, and regulatory impact information. Based on the determined scores, development of one or more policy needs may be prioritized. | 06-16-2011 |
20110145885 | Policy Adherence And Compliance Model - Methods, computer readable media, and apparatuses for policy development and management are presented. Input corresponding to an implemented policy may be received. An adherence rating for the implemented policy may be determined based on a measured level of compliance with at least one guiding principle. An effectiveness rating for the implemented policy may be determined based on a determined level of responsiveness. Subsequently, a report may be generated. | 06-16-2011 |
20110145886 | METHODS AND SYSTEMS FOR ALLOCATING A USB DEVICE TO A TRUSTED VIRTUAL MACHINE OR A NON-TRUSTED VIRTUAL MACHINE - The methods and systems described herein provide for allocating a universal serial bus (USB) device to one of a trusted virtual machine and a non-trusted virtual machine. A control program receives data indicating a USB port on the computing machine received a USB device and identifies at least one attribute of the USB device. The control program selects, based on application of a policy to the identified at least one device attribute, one of a trusted virtual machine and a non-trusted virtual machine executing. The control program grants, to the virtual machine selected by the control program, access to the USB device. | 06-16-2011 |
20110154431 | SYSTEMS AND METHODS FOR PROVIDING MULTIPLE ISOLATED EXECUTION ENVIRONMENTS FOR SECURELY ACCESSING UNTRUSTED CONTENT - A sandbox tool can create and maintain multiple isolated execution environments, simultaneously. The sandbox tool can assign a unique security label to each isolated execution environment. In order to ensure the security labels are unique, the sandbox tool, for each security label, can bind a communication socket in an abstract name space of the operating system with a name that is the same as the security label. If the operating system returns an error that the name for the communication socket is already in use, the sandbox tool can determine that the security label is already in use by another isolated execution environment or other process. | 06-23-2011 |
20110154432 | IP Mobility Security Control - In a non-limiting and exemplary embodiment, a method is provided for adapting security level between a mobile node and a mobility anchor. An IP mobility binding with an indication of a security mode is established for a mobile node connected to an IP sub-network and identified in the IP sub-network by a care of address. A trigger to adapt the security mode for the mobile node connected to the IP sub-network is detected. The security mode for the mobile node connected to the IP sub-network and identified by the care of address is adapted in response to the trigger. | 06-23-2011 |
20110154433 | SYSTEM AND METHOD OF ACCESSING DATA OBJECTS IN A DYNAMIC LANGUAGE ENVIRONMENT - An embodiment includes a computer-implemented method of managing access control policies on a computer system having two high-level programming language environments. The method includes managing, by the computer system, a structured language environment. The method further includes managing, by the computer system, a dynamic language environment within the structured language environment. The method further includes receiving a policy. The policy is written in a dynamic language. The method further includes storing the policy in the dynamic language environment. The method further includes converting the policy from the dynamic language environment to the structured language environment. The method further includes generating a runtime in the structured language environment that includes the policy. | 06-23-2011 |
20110154434 | Utilizing Location Information to Minimize User Interaction Required for Authentication on a Device - A system and a method are disclosed for authenticating a user of a mobile computing device. Information is received describing the location of the mobile computing device. The information can include the current location of the device or a current type of user activity associated with a location. A current timeout length is determined based on this information. If the mobile computing device has remained idle for a time period equal to the current timeout length, the user of the mobile computing device is authenticated. | 06-23-2011 |
20110154435 | IDENTITY MEDIATION IN ENTERPRISE SERVICE BUS - A method, system, and computer usable program product for identity mediation in an enterprise service bus are provided in the illustrative embodiments. Security information is received at the enterprise service bus from a first application executing in a first data processing system. The security information is part of a request for service from a second application executing in a second data processing system. A part of the security information is identified to be transformed such that the part, upon transformation, is usable for handling the request by the second application. A security policy applicable to the identified part is selected and the identified part is transformed according to the security policy. The transformation results in transformed security information, which is sent to the second application. | 06-23-2011 |
20110162033 | LOCATION BASED SECURITY OVER WIRELESS NETWORKS - A method, system, and computer usable program product for location based security over wireless networks are provided in the illustrative embodiments. A location of a data processing system is determined based on information about a network. A security policy is selected based on the location. The security policy is applied to the data processing system such that the data processing system is configured in a security configuration for using the network while maintaining security according to the security policy. | 06-30-2011 |
20110162034 | DISCOVERY AND MANAGEMENT OF CONTEXT-BASED ENTITLEMENTS ACROSS LOOSELY-COUPLED ENVIRONMENTS - A method, apparatus and computer program product are provided to model and manage context-based entitlements that govern a user's access to information, applications and systems across a loosely-coupled distributed environment. One such distributed environment is a federated environment, which may span across companies, organizations, and geographical locations and regions. According to one embodiment, an entitlement modeling framework comprises a discovery module and an entitlement generator module. The discovery framework generates a data model for storing information concerning user identity, context, relationships between users, relationships between users and contexts and relationships between contexts. Preferably, the user identity, context, relationships between users, relationships between users and contexts, and relationships between contexts, are stored as attributes in the data model. An entitlement generator generates an entitlement according to the data model, wherein the entitlement (e.g., a user entitlement) is generated according to one or more contexts. | 06-30-2011 |
20110162035 | LOCATION-BASED DOCK FOR A COMPUTING DEVICE - One particular implementation conforming to aspects of the present disclosure takes the form of a docking station for a computing device that maintains an indication of the docking station's location. The location of the docking station may be utilized by the docking station and/or the computing device coupled to it to configure the functionality and other aspects of the computing device. For example, the functionality of the computing device may be altered in response to the location of the docking station. Additionally, security features, display configurations and the availability of software applications may be configured in response to the location of the docking station. In this manner, a single computing device may perform the functions of several computing devices based on the location of the docking station, without the need for the user of the device to configure the device manually. | 06-30-2011 |
20110162036 | IMAGE FORMING APPARATUS AND METHOD OF SETTING SECURITY POLICY THEREOF - An image forming apparatus including a communication interface unit to access an external device storing at least one security provider corresponding to user authentication, a user interface (UI) unit to select the security provider, a storage unit to receive the selected security provider from the external device and store the received security provider, a control unit to install the stored security provider in the image forming apparatus, select at least one application to apply the installed security provider, and set the installed security provider as a user authenticator for the at least one selected application. | 06-30-2011 |
20110162037 | IMAGE PROCESSING APPARATUS AND METHOD OF CONTROLLING THE SAME - A conventional method of verifying alteration of an image file has security problems and may negatively affect user convenience. An image processing apparatus according to the present invention records, as an image file, input image data and a plurality of types of parameters input by the user, and stores, for each parameter type classified in accordance with the features of the parameters, first security information based on the plurality of types of parameters. When reading out the image file, second security information is computed for each parameter type based on the plurality of types of parameters included in the image file. If it is determined that the pieces of security information for any of the parameter types do not coincide, processing of the image file is changed in accordance with information used to restrict the processing to be executed for the image file. | 06-30-2011 |
20110162038 | METHOD AND SYSTEM FOR SHARING USER AND CONNECTED USERS' DATA WITH EXTERNAL DOMAINS, APPLICATIONS AND SERVICES AND RELATED OR CONNECTED USERS OF THE SOCIAL NETWORK - A system for transmission, reception and accumulation of knowledge packets to a plurality of channel nodes in a network operating in a distributed peer-to-peer environment, via one or more installable role-active Human Operating System (HOS) applications in the digital device of each channel node. A network controller registers and provides the desired HOS applications, and multiple developers develop advanced communication and knowledge management applications. Each subscriber exploits the network resources by leveraging and augmenting taxonomically and ontologically classified knowledge classes, expressed via a plurality of search macros and UKID structures, which facilitate expert human agents in knowledge invocation and support services, with service providers providing information services in the pre-identified taxonomical classes. Each channel node communicates with the unknown via domain-specific supernodes, each facilitating social networking and relationship development, leading to a human grid that is searchable via Universal Desktop Search by a black box search module. | 06-30-2011 |
20110162039 | SECURE RESOURCE NAME RESOLUTION - Techniques for securing name resolution technologies and for ensuring that name resolution technologies can function in modern networks that have a plurality of overlay networks accessible via a single network interface. In accordance with some of the principles described herein, a set of resolution parameters may be implemented by a user, such as an end user or an administrator, to be used during a name resolution process for securing the process and/or for conducting the process in an overlay network. In some implementations, the set of resolution parameters may be maintained as a table of rules, and used to govern name resolution processes. For example, resolution parameters may be created that govern a DNSSEC session, or that govern how to communicate with networks implemented with Microsoft's Direct Access overlay technologies, or that govern communications using any other networking technology. | 06-30-2011 |
20110162040 | Owner Controlled Transmitted File Protection and Access Control System and Method - An owner controlled file protection and control system that uses a protected file that is encrypted and has embedded access and use control features. The file is selected, encrypted and combined with a set of encrypted policy rules by an encryption software program. The policy rules are one or more 'access rules' and 'use rules' that determine who, what, when, and where the protected file may be accessed and how the protected file may be used. They may be changed at any time and may be location, time and date sensitive. The protected file may be sent to the recipient or stored in a location that the recipient may access. Before use, each recipient must register with the system and is assigned a registered ID. Using the 'access rule', the owner may assign a particular recipient ID to the protected file. A recipient then uses a reader program to send a request to access and use the protected file to a management server. The management server reviews the policy rules associated with the protected file to determine whether they are satisfied. If the rules are satisfied, a time-sensitive digital certificate is sent to the recipient that allows the protected file to be accessed and used according to the policy rules. | 06-30-2011 |
20110167469 | MONITORING FEDERATION FOR CLOUD BASED SERVICES AND APPLICATIONS - Technologies are described herein for cloud monitoring federations that can include cloud monitoring services (CMS) that collect monitoring information from point of presence (POP) agents. The cloud monitoring POPs may be located in the cloud, on client machines, embedded within cloud applications, or wherever they can obtain visibility into managed entities associated with the cloud. Management systems, acting as cloud monitoring clients (CMC), may interface with the CMS to obtain a complete view of services and applications used by their enterprise, including those that operate outside of the enterprise premises as part of a cloud or outside network. The publishing by POPs and consumption by CMCs of management information across components within the enterprise and out in the cloud may be supported by managing roles, responsibilities, scopes, security boundaries, authenticity of information, service level agreements, and other aspects of cloud monitoring operations. | 07-07-2011 |
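The request/decision/certificate exchange from the owner-controlled file protection abstract (20110162040, two entries above), as an added example rather than the patent's own code: the management server holds the owner's access and use rules per file, evaluates who/when/where/how for a registered recipient, and on success issues a short-lived certificate that the reader program checks before opening the file. The certificate is modelled here as an HMAC-signed token over a key shared by server and reader; that, the recipient ID format, and the rule fields are assumptions (a real deployment would use an asymmetric signature), and encryption of the file body itself is left out so the rule evaluation stands on its own.

```python
import base64
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# Added example, not the patent's code. The "certificate" is an HMAC-signed
# token with a shared key (an assumption standing in for a real signature).


@dataclass
class PolicyRules:
    """The owner's 'access rules' (who/when/where) and 'use rules' (how)."""
    recipients: Set[str]                 # registered recipient IDs (who)
    not_before: float                    # earliest permitted time (when)
    not_after: float                     # latest permitted time (when)
    locations: Set[str]                  # where the file may be opened
    uses: Set[str]                       # how, e.g. {"view", "print"}
    cert_lifetime: float = 300.0         # seconds a certificate stays valid


def _b64(raw: bytes) -> bytes:
    return base64.urlsafe_b64encode(raw).rstrip(b"=")


def _unb64(enc: bytes) -> bytes:
    return base64.urlsafe_b64decode(enc + b"=" * (-len(enc) % 4))


class ManagementServer:
    def __init__(self, signing_key: bytes) -> None:
        self._key = signing_key
        self._registered: Set[str] = set()
        self._policies: Dict[str, PolicyRules] = {}

    def register(self) -> str:
        """Each recipient registers once and receives a random ID."""
        rid = "rid-" + secrets.token_hex(8)
        self._registered.add(rid)
        return rid

    def set_policy(self, file_id: str, rules: PolicyRules) -> None:
        self._policies[file_id] = rules   # the owner may replace these at any time

    def request_access(self, rid: str, file_id: str, use: str,
                       location: str, now: float) -> Tuple[Optional[bytes], str]:
        """Reader's request: returns (certificate, reason); certificate is None on denial."""
        rules = self._policies.get(file_id)
        if rules is None or rid not in self._registered:
            return None, "unknown file or unregistered recipient"
        if rid not in rules.recipients:
            return None, "recipient not on access rule"
        if not (rules.not_before <= now <= rules.not_after):
            return None, "outside permitted time window"
        if location not in rules.locations:
            return None, "location not permitted"
        if use not in rules.uses:
            return None, "use not permitted"
        payload = {"rid": rid, "file": file_id, "use": use,
                   "exp": now + rules.cert_lifetime}
        body = _b64(json.dumps(payload, sort_keys=True).encode())
        sig = hmac.new(self._key, body, hashlib.sha256).digest()
        return body + b"." + _b64(sig), "granted"


def verify_certificate(key: bytes, cert: bytes, now: float,
                       rid: str, file_id: str, use: str) -> bool:
    """Reader-side check before the protected file is opened for `use`."""
    try:
        body, sig = cert.split(b".", 1)
    except ValueError:
        return False
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):   # constant-time compare
        return False
    payload = json.loads(_unb64(body))
    return (payload["rid"] == rid and payload["file"] == file_id
            and payload["use"] == use and now <= payload["exp"])
```

The reader binds the certificate to the recipient, the file and the requested use, and the expiry is what makes the grant "time-sensitive": revoking a rule on the server stops new certificates at once, while an already issued one lives only until `exp`.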
20110167470 | MOBILE DATA SECURITY SYSTEM AND METHODS - Policy is provided from an integrated policy server to a mobile device, comprising identifying a policy in an integrated policy server applicable to the mobile device and supplying policy elements to policy transports for transmission to the mobile device. Policy can also be provided from an integrated policy server to a mobile device, including identifying a policy in the integrated policy server applicable to the mobile device, determining whether the mobile device is in compliance with the policy, and supplying policy elements to policy transports for transmission to the mobile device when the mobile device is not in compliance with the policy. Access to a data server by a mobile device can be controlled, including identifying a policy in an integrated policy server applicable to the mobile device, and determining whether the mobile device is in compliance with the policy. | 07-07-2011 |
20110167471 | METHODS, SYSTEMS, AND COMPUTER READABLE MEDIA FOR PROVIDING GROUP POLICY CONFIGURATION IN A COMMUNICATIONS NETWORK USING A FAKE USER - Methods, systems, and computer readable media for providing group policy configuration in a communications network using a fake user are disclosed. The method is performed at a policy charging and rules function (PCRF) node. According to one method, first policy profile information associated with a first subscriber identifier is obtained from a policy profile database, where the first subscriber identifier is associated with a first subscriber. Second policy profile information associated with a second subscriber identifier is obtained from the policy profile database, where the second subscriber identifier is associated with a group of subscribers that also includes the first subscriber. At least a portion of the second policy profile information is applied to the first subscriber. | 07-07-2011 |
20110167472 | Endpoint-Hosted Hypervisor Management - A client hypervisor comprises a virtual agent that runs outside of a system OS and that allows device management independent of the OS and user. The virtual agent is tied to a device and not a specific instance of the OS. Such client hypervisors expose new functionality to ease managing systems. Some of these capabilities come from the persistence and privileges outside the OS. In some embodiments of the invention, this new management functionality is exposed to allow device management via new virtualization concepts, such as multiple VMs per system, VM replacement, snapshot/rollback, etc. | 07-07-2011 |
20110167473 | Endpoint-Hosted Hypervisor Management - A client hypervisor comprises a virtual agent that runs outside of a system OS and that allows device management independent of the OS and user. The virtual agent is tied to a device and not a specific instance of the OS. Such client hypervisors expose new functionality to ease managing systems. Some of these capabilities come from the persistence and privileges outside the OS. In some embodiments of the invention, this new management functionality is exposed to allow device management via new virtualization concepts, such as multiple VMs per system, VM replacement, snapshot/rollback, etc. | 07-07-2011 |
20110167474 | SYSTEMS AND METHODS FOR MOBILE APPLICATION SECURITY CLASSIFICATION AND ENFORCEMENT - The present disclosure provides systems and methods for mobile application security classification and enforcement. In particular, the present invention includes a method, a mobile device, and a distributed security system (e.g., a “cloud”) that is utilized to enforce security on mobile devices communicatively coupled to external networks (i.e., the Internet). Advantageously, the present invention is platform independent allowing it to operate with any current or emerging mobile device. Specifically, preventing malicious applications from running on an end user's mobile device is challenging with potentially millions of applications and billions of user devices; the only effective way to enforce application security is through the network that applications use to communicate. | 07-07-2011 |
20110173674 | METHOD AND SYSTEM FOR PROVIDING LOCATION OF TARGET DEVICE USING STATELESS USER INFORMATION - A method of providing a location of a target device to an application implementing a location based service includes receiving a request for a location of the target device from the application at a location server, the request including a location reference having a user reference referring to user information corresponding to the target device and stored in at least one data source. The method further includes retrieving the user information from the at least one data source using the user reference, determining the location of the target device based at least in part on the retrieved user information, and providing the determined location of the target device to the application. | 07-14-2011 |
20110179464 | Client-Side Security Management for an Operations, Administration, and Maintenance System for Wireless Clients - An Operations, Administration, and Maintenance (OA&M) | 07-21-2011 |
20110185395 | COMPUTER READABLE MEDIUM FOR ACCESS RIGHT MANAGEMENT, ACCESS RIGHT MANAGEMENT APPARATUS AND DATA PROCESSING SYSTEM - A non-transitory computer readable medium for an access right management includes: reading correspondence information from a storage unit for storing correspondence information indicating the correspondence between (i) a unique access right of an access right in a data management unit for managing electronic data and the access right to the electronic data and (ii) a common access right of an access right in an interface providing unit intervening between an operation main body for giving an operation command to the electronic data and the data management unit; accepting a setting request for requesting setting of the common access right; and determining whether or not the setting request of the common access right accepted by the accepting is a non-match request. | 07-28-2011 |
20110185396 | INFORMATION-PROCESSING APPARATUS, INFORMATION-PROCESSING METHOD, AND COMPUTER-READABLE STORAGE MEDIUM - An information-processing apparatus comprises: an environment storage unit that stores a set of instructions for implementing a plurality of runtime environments including a first runtime environment and a second runtime environment; an execution unit that executes the set of instructions stored in the environment storage unit; a status-holding unit that stores an item(s) of status information to be transmitted from the first runtime environment to the second runtime environment; a timing storage unit that stores a condition relating to a status of execution of one of the first runtime environment and the second runtime environment; and a transmission unit that transmits the item(s) of status information stored in the status-holding unit to the second runtime environment in a case where the condition stored in the timing storage unit is fulfilled. | 07-28-2011 |
20110191817 | Host apparatus, image forming apparatus, and method of managing security settings - An image forming apparatus is provided. The image forming apparatus includes a storage unit which stores security settings information of the image forming apparatus, an image forming unit to perform an image forming job, a function management unit which controls the functions of the image forming unit, a communications interface unit which is connected to a host apparatus, and a security settings management unit which transmits the stored security settings information through the communications interface unit and, if a packet for changing the security settings is received from the host apparatus through the communications interface unit, changes the stored security settings information according to that packet. | 08-04-2011 |
20110191818 | METHOD, APPARATUS, AND SYSTEM FOR IMPLEMENTING HOT-LINING FUNCTION - A method, an apparatus, and a system for implementing a hot-lining function are provided, which relate to the field of communications, so as to solve the problem in the prior art that no solution for implementing the hot-lining function can be provided. The technical solution includes: acquiring a hot-lining function enabling message sent from a hot-lining application (HLA) network element, where the hot-lining function enabling message carries hot-lining rule information; enabling the hot-lining function according to the hot-lining rule information in the enabling message; and instructing a hot-lining device (HLD) to enable the hot-lining function according to the hot-lining rule information. The technical solution is applicable to fixed and wireless networks. | 08-04-2011 |
20110197253 | Method and System of Responding to Buffer Overflow Vulnerabilities - The application discloses a method of protecting a computer against buffer overflow attacks by creating a security policy based on information about the buffer overflow. This results in a dynamic, "on-the-fly" security policy that can be applied to an application to protect the computer. The application also discloses a method where the buffer overflow is reported to a central server. The central server monitors the publisher to determine when a patch becomes available to remedy the problem. The server notifies the security software when a patch is available so that either the security software or the computer user can download and install the patch. | 08-11-2011 |
20110197254 | POLICY BASED PROVISIONING IN A COMPUTING ENVIRONMENT - A system and method for policy based provisioning in a computing environment. In an example embodiment, the system is adapted to selectively allocate usage rights and access privileges to computing resources of a computing environment. The system includes a provisioning policy; a centralized resource provisioning module; one or more applications in communication with the centralized resource provisioning module; and software running on the resource provisioning module, wherein the software is adapted to initiate selective provisioning of computing resources offered by the one or more applications to a user in accordance with the provisioning policy. | 08-11-2011 |
20110197255 | SOCIAL NETWORK PRIVACY BY MEANS OF EVOLVING ACCESS CONTROL - A method and software product for limiting privacy loss due to data shared in a social network, where the basic underlying assumptions are that users are interested in sharing data and cannot be assumed to constantly follow appropriate privacy policies. Social networks deploy an additional layer of server-assisted access control which, even with no action from a user, automatically evolves over time by restricting access to the user's data. The evolving access control mechanism provides non-trivial quantifiable guarantees for formally specified requirements of utility (i.e., users share as much data as possible with all other users) and privacy (i.e., users expose combinations of sensitive data only with low probability and over a long time). | 08-11-2011 |
20110197256 | METHODS FOR SECURING A PROCESSING SYSTEM AND DEVICES THEREOF - A method, computer readable medium, and apparatus for securing a processing system includes implementing a virtual machine manager (VMM) using a hardware assisted handler in a secure processing apparatus. One or more critical events are monitored with the VMM in the secure processing apparatus. One or more behaviors in response to the one or more monitored critical events are controlled with the VMM. | 08-11-2011 |
20110197257 | ON DEVICE POLICY ENFORCEMENT TO SECURE OPEN PLATFORM VIA NETWORK AND OPEN NETWORK - Embodiments of the invention provide methods and systems for using policy enforcement for securing open devices and networks. The method includes accessing, by a policy enforcer, a plurality of policies configured to enforce network integrity and monitoring programs and/or services running on a device. The method further includes based on at least one of the plurality of policies, comparing the programs and/or services running on the device against the programs and/or services allowed by the at least one of the plurality of policies, and based on the comparison, determining that the device is running at least one program and/or service disallowed by the at least one policy. Further, the method includes in response, prohibiting access of the device to the network. | 08-11-2011 |
20110197258 | SYSTEM AND METHOD FOR LOST DATA DESTRUCTION OF ELECTRONIC DATA STORED ON PORTABLE ELECTRONIC DEVICES - A data security system and method protects stored data from unauthorized access. According to one aspect of the invention, a client computing device communicates periodically with a server. If communication is not established between the client and the server for a selected activation interval and a subsequent grace period, the data is determined to be lost, and programmed security rules are automatically executed. Rules relating to encryption, as well as other security procedures, can be defined and entered by an administrator with access to the server, and then disseminated to each of a plurality of clients that access the server. | 08-11-2011 |
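The activation-interval-plus-grace-period logic from the abstract above, as an added example that is not the patent's code: the client tracks its last successful server contact, stays "ok" inside the activation interval, becomes "overdue" once that interval passes, and only after the grace period also elapses runs the administrator's rules exactly once. The sample rule zeroises an in-memory data-encryption key; the interval lengths, the key store and the state names are assumptions. Time is passed in by the caller so the timeline can be replayed deterministically.

```python
from dataclasses import dataclass, field
from typing import Callable, List

# Added example, not the patent's code. Interval lengths, rule bodies and the
# key store are assumptions; the abstract names only an activation interval
# followed by a grace period.

OK, OVERDUE, LOST = "ok", "overdue", "lost"


@dataclass
class SecurityRules:
    activation_interval: float   # seconds of silence before the device is overdue
    grace_period: float          # further seconds before the rules actually fire
    actions: List[Callable[[], None]] = field(default_factory=list)


@dataclass
class ClientState:
    last_contact: float          # timestamp of the last successful server exchange
    executed: bool = False       # rules fire once; a later contact does not undo them


def record_contact(state: ClientState, now: float) -> None:
    """Called after each successful check-in with the server."""
    state.last_contact = now


def evaluate(state: ClientState, rules: SecurityRules, now: float) -> str:
    """Classify the device and execute the programmed rules when it is deemed lost."""
    if state.executed:
        return LOST
    silent_for = now - state.last_contact
    if silent_for < rules.activation_interval:
        return OK
    if silent_for < rules.activation_interval + rules.grace_period:
        return OVERDUE                      # inside the grace period: not yet lost
    for action in rules.actions:
        action()
    state.executed = True
    return LOST


class VolatileKeyStore:
    """Holds a data-encryption key in a mutable buffer so a rule can zeroise it."""

    def __init__(self, key: bytes) -> None:
        self._key = bytearray(key)

    def key(self) -> bytes:
        return bytes(self._key)

    def destroy(self) -> None:
        for i in range(len(self._key)):     # overwrite in place, not just drop the reference
            self._key[i] = 0


def demo() -> List[str]:
    """Constructed timeline: 1 h activation interval, 15 min grace period."""
    store = VolatileKeyStore(b"\x11" * 32)          # constructed sample key
    rules = SecurityRules(3600.0, 900.0, [store.destroy])
    state = ClientState(last_contact=0.0)
    seen = []
    for t in (1800.0, 3700.0, 4499.0, 4500.0, 5000.0):
        seen.append(evaluate(state, rules, t))
    record_contact(state, 6000.0)            # server reachable again: too late
    seen.append(evaluate(state, rules, 6001.0))
    return seen
```

Two details matter in practice: the rules must be idempotent and one-shot (a device that regains connectivity after the wipe must not "un-wipe"), and the clock source should be one the user cannot simply roll back, since the check is only as strong as `now`.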
20110202968 | METHOD AND APPARATUS FOR PREVENTING UNAUTHORIZED USE OF MEDIA ITEMS - An approach is provided for preventing unauthorized use of media items. One or more features associated with a user are identified in one or more media items. It is determined whether the identified features are registered with a privacy service. One or more privacy rules are applied on the media items based on the determination. | 08-18-2011 |
20110202969 | ANOMALOUS ACTIVITY DETECTION - The disclosure addresses the detection of anomalous activity. Some embodiments are directed towards a system for receiving an indication relating to a plurality of controls, identification information associated with a responsible account, and instructions from a responsible account associated with the monitoring of thresholds of controls being monitored. The plurality of user accounts may be organized into groups based upon information relating to the user accounts, and instructions may be applied to the groups to create a dynamic security policy. | 08-18-2011 |
20110202970 | Secure Access In A Communication Network - A method of providing secure access to a remote communication network via a local communication network for a terminal device. A gateway node located outside the local communication network allocates an IP address to the terminal device. The gateway node subsequently receives a request to establish a secure tunnel between the gateway node and the terminal device. It identifies the terminal device as the same terminal device to which an IP address is allocated, and allocates the same IP address for use by the terminal device as both an inner IP address and an outer IP address for packets sent via the secure tunnel. This ensures that there are no issues as described above in selecting the IP address for use in the secure tunnel, and reduces the risk of a successful man-in-the-middle attack. | 08-18-2011 |
20110209192 | BIOMETRIC SOCIAL NETWORKING - A method for maintaining a social network includes registering users in the social network, wherein registering users includes storing in association with a user ID for each registered user at least one image and verifying the user during a subsequent login by comparing a current image with the stored image. User interactions within the social networking system are restricted by a third party. | 08-25-2011 |
20110209193 | SECURE, POLICY-BASED COMMUNICATIONS SECURITY AND FILE SHARING ACROSS MIXED MEDIA, MIXED-COMMUNICATIONS MODALITIES AND EXTENSIBLE TO CLOUD COMPUTING SUCH AS SOA - A system and method are provided to monitor and prevent potential enterprise policy and/or rule violations by subscribers. | 08-25-2011 |
20110209194 | NODE-BASED POLICY-ENFORCEMENT ACROSS MIXED MEDIA, MIXED-COMMUNICATIONS MODALITIES AND EXTENSIBLE TO CLOUD COMPUTING SUCH AS SOA - A system and method are provided to monitor and prevent potential enterprise policy and/or rule violations by subscribers. | 08-25-2011 |
20110209195 | FLEXIBLE SECURITY BOUNDARIES IN AN ENTERPRISE NETWORK - A system and method are provided to monitor and prevent potential enterprise policy and/or rule violations by subscribers. | 08-25-2011 |
20110209196 | FLEXIBLE SECURITY REQUIREMENTS IN AN ENTERPRISE NETWORK - A system and method are provided to monitor and prevent potential enterprise policy and/or rule violations by subscribers. | 08-25-2011 |
20110209197 | WEB-BASED AUDIT SYSTEM AND RELATED AUDIT TOOL - A web-based audit system and related tool implemented by a computer or personal digital assistant providing the user with access to the internet, comprising access to a repository of audit content, wherein said audit content is associated with appropriate regulatory rules, notices, policies and information; and a means to update said regulatory rules, notices, policies and information associated with said audit content with changes. | 08-25-2011 |
20110214157 | SECURING A NETWORK WITH DATA FLOW PROCESSING - An apparatus and method to distribute applications and services in and throughout a network and to secure the network includes the functionality of a switch with the ability to apply applications and services to received data according to respective subscriber profiles. Front-end processors, or Network Processor Modules (NPMs), receive and recognize data flows from subscribers, extract profile information for the respective subscribers, utilize flow scheduling techniques to forward the data to applications processors, or Flow Processor Modules (FPMs). The FPMs utilize resident applications to process data received from the NPMs. A Control Processor Module (CPM) facilitates applications processing and maintains connections to the NPMs, FPMs, local and remote storage devices, and a Management Server (MS) module that can monitor the health and maintenance of the various modules. | 09-01-2011 |
20110219422 | SYSTEM AND METHOD FOR DISPLAYING A DENSITY OF OBJECTS IN A SOCIAL NETWORK APPLICATION - A social network application system stores profile information of one or more types of objects, such as users, places, events, things, organizations and other types of objects. The system maintains current information for the various types of objects. The current information is updated periodically. The system generates a dataset for generating density reports for one or more types of objects based on search criteria. The dataset includes current information for one or more types of objects. The dataset is transmitted to a user device. The user device displays a graphical representation of density of objects in a geographical area. | 09-08-2011 |
20110219423 | METHOD AND APPARATUS FOR TRIGGERING USER COMMUNICATIONS BASED ON PRIVACY INFORMATION - An approach is provided for protecting a user identity in communication based on privacy information. The privacy engine selects one or more parameters associated with a privacy metric. Next, the privacy engine determines the parameters in a communication environment, the communication environment including a user device and a plurality of other devices. Next, the privacy engine computes a privacy level based, at least in part, on the parameters and the privacy metric. Next, the privacy engine compares the computed privacy level against a predetermined privacy level. Then, the privacy engine triggers a communication to one or more of the other devices in the communication environment based, at least in part, on the comparison. | 09-08-2011 |
20110219424 | INFORMATION PROTECTION USING ZONES - Some embodiments are directed to an information protection scheme in which devices, users, and domains in an information space may be grouped into zones. When information is transferred across a zone boundary, information protection rules may be applied to determine whether the transfer should be permitted or blocked, and/or whether any other policy actions should be taken (e.g., requiring encryption, prompting the user for confirmation of the intended transfer, or some other action). | 09-08-2011 |
20110219425 | ACCESS CONTROL USING ROLES AND MULTI-DIMENSIONAL CONSTRAINTS - Methods, systems, and computer-readable media of access control using roles and multi-dimensional constraints are disclosed are disclosed. A particular method includes assigning a user a particular role of a plurality of roles and associating the user with one or more multi-dimensional constraints. A request from the user to perform an operation permitted by the particular role may be received. The method includes determining whether any of the multi-dimensional constraints allows the user to perform the operation. The request is granted when at least one of the multi-dimensional constraints allows the user to perform the operation. The request is denied when none of the multi-dimensional constraints allows the user to perform the operation. | 09-08-2011 |
20110219426 | METHODS, SYSTEMS, AND COMPUTER READABLE MEDIA FOR ENHANCED SERVICE DETECTION AND POLICY RULE DETERMINATION - Methods, systems, and computer readable media for enhanced service detection and policy rule determination are disclosed. According to one method, a policy charging and rules function (PCRF) node requests, from a deep packet inspection (DPI) node notification of detection of traffic relating to a service. The DPI node identifies at least one traffic classifier usable to detect traffic corresponding to the service, uses the traffic classifier to detect traffic corresponding to the service, and notifies the PCRF of the detection and of the traffic classifier. The PCRF node receives the at least one traffic classifier, determines a policy rule based on the at least one traffic classifier, and communicates the policy rule to a policy enforcement node. | 09-08-2011 |
20110225622 | SYSTEM, METHOD, AND COMPUTER PROGRAM PRODUCT FOR DISPLAYING NETWORK EVENTS IN TERMS OF OBJECTS MANAGED BY A SECURITY APPLIANCE AND/OR A ROUTING DEVICE - A system, method, and computer program product are provided for displaying network events in terms of objects managed by at least one of a security appliance and a routing device. In use, network events are received. Furthermore, the network events are displayed in terms of objects being managed by at least one of a security appliance and a routing device. | 09-15-2011 |
20110225623 | Web-Hosted Self-Managed Virtual Systems With Complex Rule-Based Content Access - A computer-based service provides methods and apparatus for a user to manage a collection of information that the user wishes to share with, or distribute to, one or more designated recipients, typically at a future time, where the user controls the contents of the collection, and the times and rules under which the collection, or portions of the collection, may be accessed by, or delivered to, the one or more designated recipients; and where the resources for storing, retrieving, processing and communicating the collection of information is logically centralized and remote from the user. | 09-15-2011 |
20110225624 | Systems and Methods for Providing Network Access Control in Virtual Environments - A computer-implemented method for providing network access control in virtual environments. The method may include: 1) injecting a transient security agent into a virtual machine that is running on a host machine; 2) receiving, from the transient security agent, an indication of whether the virtual machine complies with one or more network access control policies; and 3) controlling network access of the virtual machine based on the indication of whether the virtual machine complies with the one or more network access control policies. Various other methods, systems, and computer-readable media are also disclosed herein. | 09-15-2011 |
20110225625 | DYNAMIC AUTHENTICATION OF A USER - According to an example embodiment, a system may include at least one processor and at least one memory comprising a policy module configured to receive data indicating risk factors associated with users of the system; update risk levels for the users by applying the data to risk factor rules; and provide the updated risk levels and/or authentication levels associated with the updated risk levels to an authentication module in response to receiving requests from the authentication module. The at least one processor and at least one memory may also comprise the authentication module configured to receive a first access request from a user; in response to receiving the first access request, request a first updated risk and/or authentication level for the user from the policy module; and require the user to provide a first authentication technique to grant the first access request based on the first updated risk and/or authentication level received from the policy module. | 09-15-2011 |
20110225626 | Reliable Reporting Of Location Data - A machine, such as a mobile device having telephony features, such as a voice over Internet Protocol (VoIP) telephony application, is configured with a secure environment in which a location provider within (more reliable) or external to (less reliable) the machine may determine location data for the machine and securely provide it to a telephony application program for incorporation into a call setup for calling a callee. The secure environment may be created through use of one or more of Intel's LaGrande Technology™ (LT), Vanderpool Technology (VT), or a Trusted Platform Module (TPM). The LT and VT allow defining secure independent components within the machine, such as by instantiating them as Virtual Machines, and the TPM allows components to cryptographically sign data, such as to facilitate ensuring the location data is not tampered with. A recipient of a telephone call setup including cryptographically secured location data may validate the location data and accept the call. Other embodiments may be described. | 09-15-2011 |
20110231889 | SECURITY POLICY AS QUERY PREDICATE - A method, system, and computer usable program product for applying a security policy as a query predicate. A query is received. The query is a request for data directed to a data repository executing in a data processing system. The security policy is identified, the security policy being a security policy applicable to the query. A predicate that corresponds to the security policy is determined. The query is modified to include the predicate. The modified query is sent to the data repository. | 09-22-2011 |
20110231890 | Systems and Methods for Managing Internet Access - Various embodiments of the present invention include methods and systems for managing Internet access. An exemplary method for managing Internet access includes three steps. First, a request is received to access the Internet. Second, a determination is made whether the request is being made during a restricted time period. Third, Internet access is selectively managed for an end user via a computing device, by blocking Internet access if the determination is that the request was made during a restricted time period or granting Internet access if the determination is that the request was made outside the restricted time period. | 09-22-2011 |
20110231891 | Systems and Methods for Expression of Disassociation with Online Content - Systems and methods are provided for expression of disassociation with online content, including a user interface module to provide a user interface between a network user with administrative authority and an Internet service and a communication module to receive disassociation parameters for a disassociation policy for the Internet service. The disassociation parameters may include a name associated with an Internet content and a message corresponding to the Internet content. The name may be indicated as a website category or an affiliated website. The system may further include a confirmation module to confirm the disassociation policy with the network user with administrative authority, a policy generating module to establish, based on the disassociation parameters, the disassociation policy for the network, and a policy enforcement module to apply the disassociation policy to a user request to access the Internet content. The policy enforcement module may determine whether or not the disassociation policy is in effect to block the Internet content and provide the network user with the message corresponding to the Internet content. | 09-22-2011 |
20110231892 | Systems and Methods for Restricting Online Access - Systems and methods for restricting online access include a user interface module to establish a user interface between a network user with administrative authority and an Internet service or a DNS server and a communication module to receive, from the network user with administrative authority, restriction parameters associated with a restriction policy for a network. The restriction parameters may include a company name, a website name, and a category name. Based on the parameters, the system may determine one or more Uniform Resource Locators (URLs) to be associated with the restriction policy. The system may further comprise an activation module to activate and deactivate the restriction policy. The system may restrict a URL requested by a network user based on the determination that the restriction policy is activated and the URL is associated with the restriction policy. | 09-22-2011 |
20110231893 | Systems and Methods for Mediating Internet Access Provided to End Users - Systems and methods for creating age based mediation policies and applying those age based mediation policies to Internet service are provided herein. A method for mediating Internet service provided to an end user includes creating an age based mediation policy by receiving information indicative of the end user's age, locating age-appropriate Internet content corresponding to the end user's age and combining the located age-appropriate Internet content with administrator approved Internet content, and applying the age based mediation policy to the Internet service such that only Internet content included in the mediation policy is accessible. | 09-22-2011 |
20110231894 | Systems and Methods for Mediating an Internet Service Delivered to a Particular Location - Systems and methods for an Internet service delivered to a selected location are provided herein. According to some exemplary embodiments a method for mediating an Internet service delivered to a selected location having an Internet connection operatively coupling at least one user device to the Internet service includes executing instructions stored in a memory by a processor to prevent delivery of restricted Internet content via the Internet service. The restricted Internet content includes Internet content included in one or more categories of restricted Internet content included in a mediation policy adapted to be selectively applied to the Internet service. | 09-22-2011 |
20110231895 | Systems and Methods for Mediating Internet Service - Systems and methods for an Internet service delivered to a particular location are provided herein. Exemplary methods for mediating an Internet service include executing instructions stored in a memory by a processor to selectively apply, on-demand, a mediation policy to the Internet service, the mediation policy adapted to prevent the delivery of Internet content for a predetermined period of time. The method may include establishing a user interface between a computing system and Internet service, the user interface receiving a request to apply the mediation policy to the Internet service via the user interface to prevent the delivery of Internet content for a predetermined period of time. | 09-22-2011 |
20110231896 | SYSTEMS AND METHODS FOR REDIRECTION OF ONLINE QUERIES TO GENUINE CONTENT - A system for redirection of online queries to genuine content includes a user interface module to provide a user interface between a network user with administrative authority and an Internet service, a communication module to receive a request to establish a genuine content resolution policy for a network, a policy generating module to establish the genuine content resolution policy for the network, and a policy enforcement module to apply the genuine content resolution policy to a user request to access an intended website. The policy enforcement module may determine whether or not the genuine content resolution policy is activated, determine whether or not the intended website is the genuine website, and based on the determination, selectively redirect the user to the genuine website. | 09-22-2011 |
20110231897 | Systems and Methods for Mediating the Delivery of Internet Service - Systems and methods for mediating the delivery of Internet service are provided herein. According to some exemplary embodiments a method for mediating the delivery of Internet service includes a processor executing instructions stored in a memory to selectively apply a mediation policy to the Internet service according to an administrator-defined schedule, wherein only Internet content included in the mediation policy is accessible when the mediation policy is applied to the Internet service, wherein the Internet content comprises educationally appropriate Internet content for at least one end user. | 09-22-2011 |
20110231898 | SYSTEMS AND METHODS FOR COLLABORATIVELY CREATING AN INTERNET MEDIATION POLICY - Methods and systems of collaboratively creating an Internet service mediation policy are disclosed. Various embodiments include an initiating Internet service user establishing a base mediation policy via a DNS server, one or more other Internet service users collaborating with the initiating Internet service user to modify the mediation policy, the collaborating including the other Internet service users submitting content for the mediation policy to the initiating Internet service user, and the initiating Internet service user publishing the mediation policy. In some embodiments, the initiating Internet service user determines what submitted Internet content may be included in the mediation policy. | 09-22-2011 |
20110231899 | SYSTEM AND METHOD FOR A CLOUD COMPUTING ABSTRACTION LAYER - According to one system of the invention, the system provides a cloud-computing service from a cloud-computing environment comprising a plurality of cloud-computing resources. The system may comprise: a management module configured to manage a cloud-computing resource of the plurality of cloud-computing resources as a cloud-computing service, wherein the cloud-computing service performs a computer workload; an adapter configured to connect the cloud-computing resource to the system and translate a management instruction received from the management module into a proprietary cloud application program interface call for the cloud-computing resource; a cloud service bus configured to route the management instruction from the management module to the adapter; a consumption module configured to allow a user to subscribe to the cloud-computing service; a planning module configured to plan the cloud-computing service; and a build module configured to build the cloud-computing service from the cloud-computing resource and publish the cloud-computing service to the consumption module. | 09-22-2011 |
20110231900 | APPARATUS, METHOD, AND COMPUTER-READABLE MEDIUM FOR DISTRIBUTING ACCESS CONTROL INFORMATION - An access-control-information distributing apparatus includes: a processor configured to determine a destination device to which access control information is to be distributed, the access control information describing an object on an information processing device and a condition which permits access to the object, on the basis of at least the condition or an attribute of the object. | 09-22-2011 |
20110239267 | PASSWORD COMPLEXITY POLICY FOR EXTERNALLY CONTROLLED SYSTEMS - In embodiments of the present invention improved capabilities are described for password policy enforcement, such as passwords not normally in the administrative domain of the corporation, unlike common local policy enforcement. Password policy enforcement may include the steps of identifying a presentation of a software application user interface, wherein the presentation involves communicating the user interface over the Internet; evaluating the user interface for a presence of a user password field; and in response to a positive detection of the user password field, implementing a compliance process to ensure that any password entered into the user password field is compliant with a corporate policy relating to passwords. | 09-29-2011 |
20110239268 | NETWORK POLICY IMPLEMENTATION FOR A MULTI-VIRTUAL MACHINE APPLIANCE - A networking policy implementation for a multi-virtual machine appliance that includes a method for selecting a network implementation by applying a network policy to existing network configurations within a virtualization environment of a computing device. A control program that executes within the virtualization environment, receives an event notification generated by a virtual machine in response to a lifecycle event. The control program, in response to receiving the notification, invokes a policy engine that applies a network policy to existing network configurations of the virtualization environment. This network policy can correspond to the virtual machine or to a network object connected to virtual interface objects of the virtual machine. The policy engine then identifies an existing network configuration that has attributes which satisfy the network policy, and selects a network implementation that satisfies the network policy and the network configuration. | 09-29-2011 |
20110239269 | AUTOMATED SECURITY ANALYSIS FOR FEDERATED RELATIONSHIP - A computer monitoring system uses a set of parameterized models to gather information about monitored devices. The models include scripts for gathering information, as well as type validation and data validation functions. The parameters within the model are used to generate user interface prompts and to populate discovery scripts as well as data validation scripts. In some cases, the models may include localization settings that may customize the user interface and validation output for different languages. A processing engine may generate a user interface from the parameters defined in the models, customize the scripts from the user input, and cause the scripts to be executed. The data gathered by the scripts may be analyzed using type validation and data validation. | 09-29-2011 |
20110239270 | METHOD AND APPARATUS FOR PROVIDING HETEROGENEOUS SECURITY MANAGEMENT - An approach is provided for providing a heterogeneous security management platform to combine or integrate different applications employing different security requirements. An interface acts on a request that references, at least in part, a resource, the resource associated with a network identifier. The interface determines whether the network identifier is listed in a secure phonebook. The secure phonebook associates the network identifier with, at least in part, a security context. The interface provides the security context for one or more applications, scripts, executables, or combination thereof to determine access privileges to the resource based, at least in part, on the determination. | 09-29-2011 |
20110239271 | TRUSTED NETWORK CONNECTION IMPLEMENTING METHOD BASED ON TRI-ELEMENT PEER AUTHENTICATION - A trusted network connection implementing method based on Tri-element Peer Authentication is provided in the present invention. The method includes: step 1, configuring and initializing; step 2, requesting a network connection, wherein an access requester sends a network connection request to an access controller, and the access controller receives the network connection request; step 3, authenticating the user ID; and step 4, authenticating the platform. The invention enhances the safety of the trusted network connection implementing method, widens the application range of the trusted network connection implementing method based on Tri-element Peer Authentication, satisfies the requirements of different network apparatuses, and improves the efficiency of the trusted network connection implementing method based on Tri-element Peer Authentication. The invention applies not only to the trusted network connection of entities, but also to trusted communication among peer entities, and further to the trusted management of entities; thus the applicability of the trusted network connection implementing method based on Tri-element Peer Authentication is improved. | 09-29-2011 |
20110247045 | Disposable browsers and authentication techniques for a secure online user environment - Disclosed herein are systems and methods that allow for secure access to websites and web-based applications and other resources available through the browser. Also described are systems and methods for secure use and retention of user credentials, as well as methods for dynamic authentication of users and integrity checking of service providers in online environments. Thus, described in the present specification are systems and methods for constructing and destroying private, secure, browsing environments (a secure disposable browser), insulating the user from the threats associated with being online for the purposes of providing secure, policy-based interaction with online services. | 10-06-2011 |
20110247046 | Access control in data processing systems - A policy data structure defines predetermined authorizations, each relating to authorization of at least one user to access at least one resource as well as to dynamic access requests. Each dynamic access request indicates a condition to be satisfied by a respective set of attributes associated with a user request to access a resource and for the request to be granted in absence of an authorization determinative of the request. If the structure does not define an authorization for a request to access a resource, it is determined whether the structure defines a dynamic access requirement determinative for the request, and if so, whether to grant the request in accordance with the respective set of attributes associated with the request. For at least one request, after determining whether to grant the request, a dynamic authorization relating to authorization to access the resource within the request is added to the structure. | 10-06-2011 |
20110247047 | METHOD FOR SECURING DATA AND/OR APPLICATIONS IN A CLOUD COMPUTING ARCHITECTURE - A method for securing data and/or applications within a cloud computing architecture is provided. According to the invention, a security module is provided, the security module being administered by the user of said virtual server(s) which is/are dedicated to said user; said security module is provided with one or more security policies to be applied to the data managed by the virtual servers dedicated to said user; said security module is provided with identifiers as well as keys to access the user's dedicated virtual servers; the security module accesses the user's dedicated virtual server; the security module exports the security policies, which have been provided to it, to the dedicated virtual servers; and the dedicated virtual servers apply the security policies, which have been provided to them by the security module, to the data they manage. | 10-06-2011 |
20110247048 | TESTING POLICIES IN A NETWORK - A device may include first logic configured to receive a data unit and to receive a network policy. The device may include second logic configured to identify how the data unit will be handled by the network policy and to generate a result that includes information about how the data unit will be handled by the network policy. | 10-06-2011 |
20110252456 | PERSONAL INFORMATION EXCHANGING SYSTEM, PERSONAL INFORMATION PROVIDING APPARATUS, DATA PROCESSING METHOD THEREFOR, AND COMPUTER PROGRAM THEREFOR - A personal information providing apparatus | 10-13-2011 |
20110258679 | Method and System for Accessing Network Feed Entries - A security mechanism for an application level protocol used to publish and edit web resources is extended to enable enforcement of a security policy on feed entries. The security mechanism ensures that only a certain class of privileged users can perform create, read, update and/or delete (CRUD) actions on feed entries, and it provides a uniform methodology for determining security access controls for resources. The techniques described herein enable selective display of feed entries while at the same time maintaining a single document source for the privileged users. | 10-20-2011 |
20110265142 | INDUSTRY-WIDE BUSINESS TO BUSINESS EXCHANGE - An industry-wide computerized business to business exchange permits participants in the industry to satisfy their procurement needs and manage their supply chains from a single log on to the exchange. An exchange architecture provides a particularly convenient platform for implementation of the exchange. Users connect to a portal services subsystem. User systems connect to an integration services platform. A platform services subsystem provides services to the portal services and integration services subsystems and to application programs that can be accessed through those subsystems. The application programs may include, for example, electronic procurement, collaborative product development applications and supply chain management. XML serves as the information currency for the exchange. | 10-27-2011 |
20110271319 | USING ENDPOINT HOST CHECKING TO CLASSIFY UNMANAGED DEVICES IN A NETWORK AND TO IMPROVE NETWORK LOCATION AWARENESS - A device receives, from a managed device, endpoint information associated with an unmanaged device connected to the managed device in a network. The device also receives unmanaged device information that partially identifies the unmanaged device, and completely identifies the unmanaged device based on the endpoint information and the unmanaged device information. | 11-03-2011 |
20110271320 | SYSTEM AND METHOD FOR PROVIDING SELECTIVE BEARER SECURITY IN A NETWORK ENVIRONMENT - An example method includes receiving a message related to a bearer or an Internet Protocol (IP) flow, the message includes an extension indicating whether an Internet Protocol security (IPsec) feature is designated for the bearer or the IP flow. The method further includes mapping a communication flow to the bearer or the IP flow, and applying the IPsec feature to the bearer or the IP flow. In other embodiments, the method can include communicating the extension to a next destination, and updating a security policy to indicate that the bearer or the IP flow is designated for the IPsec feature. In yet other embodiments, an Internet Key Exchange (IKE) is used to establish a security association for a serving gateway associated with the communication flow. The extension is provided at an IP flow level or at a bearer level such that network traffic is designated for the IPsec feature. | 11-03-2011 |
20110271321 | ACCESS CONTROL - Methods and apparatus for updating a policy store associated with a policy decision point of an access control system, the policy decision point being arranged to provide, in response to received decision requests, access control decisions in dependence on one or more policies stored in said policy store, each policy specifying a predetermined access control decision to be provided in response to a particular access request made in respect of a particular attribute or combination of attributes, the policy decision point being associated with at least one policy enforcement point arranged to implement access control in accordance with access control decisions provided by said policy decision point in response to decision requests submitted by said policy enforcement point, said policy enforcement point having associated therewith an attribute store providing data relating to attributes in respect of which access requests have previously been made via said policy enforcement point. | 11-03-2011 |
20110271322 | System and Method for Configuring Devices for Secure Operations - Systems and methods for establishing a security-related mode of operation for computing devices. A policy data store contains security mode configuration data related to the computing devices. Security mode configuration data is used in establishing a security-related mode of operation for the computing devices. | 11-03-2011 |
20110277012 | SYSTEM FOR AUGMENTING ACCESS TO RESOURCES - The different illustrative embodiments provide a method, data processing system, and computer program product for managing access to resources. A number of access permissions of a first user to a number of resources in a computer system are provided to a second user in response to a presentation of first credentials for the first user to the computer system. A level of presence of the first user relative to the computer system and/or the second user is monitored. The number of access permissions of the first user to the number of resources in the computer system continues to be provided to the second user as long as a preselected level of presence of the first user is present. | 11-10-2011 |
20110277013 | Methods and Systems for Forcing an Application to Store Data in a Secure Storage Location - The present application is directed to methods and systems for redirecting write requests issued by trusted applications to a secure storage. Upon redirecting the write requests, the data included in those requests can be stored in the secure storage area of a client computer. In some embodiments, the methods and systems can include determining whether an application issuing the request is a trusted application that requires data to be stored in a secure storage repository. Upon making this determination, a filter driver can identify a secure storage area on a client computer and can redirect the write request to this secure storage. In other embodiments, the filter driver may deny requests of trusted applications to write to unsecure storage areas. | 11-10-2011 |
20110283335 | HANDLING PRIVACY PREFERENCES AND POLICIES THROUGH LOGIC LANGUAGE - A logic language model is provided for handling of personal data by specifying users' preferences on how their personal data should be treated by data-collecting services and the services' policies on how they will treat collected data. Preferences and policies are specified in terms of granted rights and required obligations, expressed as declarative assertions and queries. Query evaluation is formalized, and a proof system for verifying whether a policy satisfies a preference is defined. | 11-17-2011 |
20110283336 | METHOD AND SYSTEM FOR SUPPORTING THE GENERATION OF ACCESS CONTROL PREFERENCES AND/OR PRIVACY PREFERENCES FOR USERS IN A PERVASIVE SERVICE ENVIRONMENT - A method and a system for supporting the generation of access control preferences and/or privacy preferences for users in a pervasive service environment, wherein an automated user information management system stores and/or manages personal information items owned by and/or associated to a user, wherein an access control system is provided for processing requests from a pervasive service and/or application that query a set of the user-specific information items being stored in and/or managed by the user information management system, are characterized in that an entity—feedback collector—is provided, the feedback collector being configured to collect individual access control and/or privacy preferences from a plurality of users, to derive a popular rule set of access control and/or privacy preferences from the collected individual access control and/or privacy preferences, and to provide the popular rule set of access control and/or privacy preferences to users of the pervasive service environment. | 11-17-2011 |
20110289546 | Method and apparatus for protecting markup language document against cross-site scripting attack - A method for decomposing a web application into one or more domain sandboxes ensures that the contents of each sandbox are protected from attacks on the web application outside that sandbox. Sandboxing is achieved on a per-element basis by identifying content that should be put under protection, generating a secure domain name for the identified content, and replacing the identified content with a unique reference (e.g., an iframe) to the generated secure domain. The identified content is then served only from the generated secure domain. | 11-24-2011 |
20110289547 | TAKING CONFIGURATION MANAGEMENT DATA AND CHANGE BUSINESS PROCESS DATA INTO ACCOUNT WITH REGARD TO AUTHORIZATION AND AUTHENTICATION RULES - An approach receives a request from a user, typically a change implementer, on a computer system. The request includes a user identifier and a requested action. A current timestamp corresponding to a computer system clock is retrieved. Scheduled changes are retrieved from a data store accessible by the processor. The current timestamp is compared to the scheduled change periods. The requested action is allowed if the comparison reveals that the current timestamp is within one of the retrieved scheduled changes, and the requested action is denied if the comparison reveals that the current timestamp is outside of the retrieved scheduled change periods. | 11-24-2011 |
20110289548 | Guard Computer and a System for Connecting an External Device to a Physical Computer Network - A guard computer and a system including the guard computer for connecting an external device to a physical computer network are provided. The guard computer includes a network interface for connecting to the physical computer network and a device interface for connecting the external device having a data repository containing data. The guard computer also includes a configuration file containing a set of rules for making the data available to the network and a processor making data available to the network based upon the set of rules. | 11-24-2011 |
20110289549 | METHOD AND SYSTEM FOR A DOCUMENT-BASED KNOWLEDGE SYSTEM - A document-based storage and knowledge production solution designed for use as a primary information system is disclosed. It uses Authentication, Privacy and Security Standards to ensure the source and reliability of the information in the stored documents. It uses Information and Document Standards to explicitly define the information content held in each document. Electronic documents from separate authors, from the same or separate legal entities, are stored together in the same system and can be used in aggregate for the generation of new knowledge. Variations are used to accelerate response times. Other variations describe the method's use as a Variable Electronic Health Record System in which different parts of the system can be produced by separate manufacturers. This is possible because the underlying document-based knowledge system stores the separate documents from each manufacturer's system in such a manner that they can be understood by systems from other manufacturers. | 11-24-2011 |
20110289550 | POLICY MANAGEMENT APPARATUS, POLICY MANAGEMENT SYSTEM, AND METHOD AND PROGRAM USED FOR THE SAME - There are provided a role information storing unit ( | 11-24-2011 |
20110289551 | DYNAMICALLY APPLYING A CONTROL POLICY TO A NETWORK - A method of dynamically applying a control policy to a network is described. A network layer of a plurality of network layers associated with user traffic is determined. A portion of a control policy corresponding to the network layer and the user traffic is accessed. Then, the portion is sent to a security device associated with the network layer, the portion being configured to be applied by the security device to the network layer and the user traffic. | 11-24-2011 |
20110289552 | INFORMATION MANAGEMENT SYSTEM - An information providing device which provides information, a privilege policy providing device which stores a privilege policy setting whether or not information is allowed to be provided and provides the privilege policy, and an authentication device, are provided. The authentication device includes a privilege information management means for storing privilege information indicating whether or not the privilege policy is allowed to be provided by the privilege policy providing device, and a privilege certificate issuance means for issuing a privilege policy certificate including a content of the privilege information. The information providing device includes a privilege policy acquisition means for requesting the privilege policy providing device for the privilege policy based on the privilege policy certificate and acquiring the privilege policy, and an information providing means for providing stored information to another device based on the acquired privilege policy. The privilege policy providing device includes a privilege policy providing means for providing the privilege policy to the information providing device based on the privilege policy certificate. | 11-24-2011 |
20110289553 | POLICY AND ATTRIBUTE BASED ACCESS TO A RESOURCE - Techniques are provided for controlling access to a resource based on access policies and attributes. A principal issues a request to a service for purposes of accessing a resource. The principal is authenticated and a service contract for the principal, the service, and the resource is generated. The service contract defines resource access policies and attributes which can be permissibly performed by the service on behalf of the principal during a session. Moreover, the session between the service and the resource is controlled by the service contract. | 11-24-2011 |
20110289554 | SYSTEM AND METHOD FOR APPLICATION PROGRAM OPERATION ON A WIRELESS DEVICE - Embodiments described herein address mobile devices with non-secure operating systems that do not provide a sufficient security framework. More particularly, the embodiments described herein provide a set of applications to the device for providing security features to the non-secure operating system. | 11-24-2011 |
20110296486 | DYNAMIC SERVICE ACCESS - Apparatus, systems, and methods may operate to authenticate a desktop client to an identity service (IS), to receive a request, from an application, at the IS via the desktop client for a virtual service internet protocol (IP) address associated with a service. The IS may operate to build a routing token that includes an original physical IP address associated with the service when a policy associated with the IS permits access to the service by a user identity associated with the desktop client. After the routing token is validated, the application may be connected to the service via the desktop client. The application may comprise an e-mail application or a remote control application, such as a virtual network computing (VNC) application. Additional apparatus, systems, and methods are disclosed. | 12-01-2011 |
20110296487 | SYSTEMS AND METHODS FOR PROVIDING A FULLY FUNCTIONAL ISOLATED EXECUTION ENVIRONMENT FOR ACCESSING CONTENT - A sandbox tool can cooperate with components of a secure operating system to create an isolated execution environment for accessing content without exposing other processes and resources of the computing system to the untrusted content. The sandbox tool can create the isolated execution environment with an assigned security context of the secure operating system. The security context can define the security policies applied by the operating system to the isolated execution environment, thereby defining the levels of access the isolated execution environment has to the resources of the computing system. | 12-01-2011 |
20110296488 | System and Method for I/O Port Assignment and Security Policy Application in a Client Hosted Virtualization System - A client hosted virtualization system includes a processor and non-volatile memory with BIOS code and virtualization manager code. The virtualization manager initializes the client hosted virtualization system, authenticates a virtual machine image, launches the virtual machine based on the image, and implements a policy manager. The policy manager determines a policy for the virtual machine, receives a request to access a device from the virtual machine, determines if the virtual machine is permitted to access the device based upon the policy, and if so, permits the virtual machine to access the device. If not, the policy manager denies the virtual machine access to the device. The client hosted virtualization system is configurable to execute the BIOS or the virtualization manager. | 12-01-2011 |
20110296489 | SELECTION OF SUCCESSIVE AUTHENTICATION METHODS - A method of authenticating a user who is a subscriber of a home network, authenticated in a first network, for accessing a service in a second network. This method includes: authenticating the user in the first network with a first authentication method selected in an authentication server; reserving resources for the service towards a rules enforcement device; requesting control rules for the resources towards a control rules server; submitting towards the control rules server information about the first authentication method; determining at the control rules server whether a further authentication of the user with a further authentication method is required; and instructing from the control rules server towards the authentication server to force the further authentication of the user with the further authentication method. | 12-01-2011 |
20110296490 | AUTOMATIC REMOVAL OF GLOBAL USER SECURITY GROUPS - A system for automatically replacing a user security group-based computer security policy by a computer security policy based at least partially on actual access, including a learned access permissions subsystem operative to learn current access permissions of users to network objects in an enterprise computer environment and to provide an indication of which users are members of which user security groups having access permissions to which network objects, a learned actual access subsystem operative to learn actual access history of users in the enterprise to the network objects and to provide indications of which users have had actual access to which network objects, and a computer security policy administration subsystem, receiving indications from the learned access permission subsystem and the learned actual access subsystem and being operative to automatically replace pre-selected user-security group-based access permissions with at least partially actual access-based access permissions without disrupting access to network objects. | 12-01-2011 |
20110302622 | ENTERPRISE MODEL FOR PROVISIONING FINE-GRAINED ACCESS CONTROL - Access control rules can be defined for target applications of an enterprise system independent of a runtime of the target applications. The access control rules can then be normalized into decision tables. These decision tables can then be used to reconcile authorization information with the target applications via user provisioning. This process can enable comprehensive reporting and analysis of enterprise access control rules without requiring direct integration of the target applications at runtime. | 12-08-2011 |
20110302623 | APPLICATION AND OPEN SOURCE INFORMATION TECHNOLOGY POLICY FILTER - The present invention is directed to a software distribution architecture in which an enterprise has a filter that screens user requested software, software upgrade(s), software feature(s), and/or software setting option(s) against enterprise rules or policies. Disapproved software, software upgrade(s), software feature(s), and/or software setting option(s) are blocked for download. | 12-08-2011 |
20110302624 | METHOD AND SYSTEM FOR SECURE CONTENT DISTRIBUTION BY A BROADBAND GATEWAY - A broadband gateway, which enables communication with a plurality of devices, handles at least one physical layer connection to at least one corresponding network access service provider. Security boundaries such as conditional access (CA) and/or digital right management (DRM) boundaries associated with the broadband gateway are identified based on security profiles associated with the plurality of devices and/or a service from networks. The identified security boundaries are utilized to determine or negotiate CA information for content access for the service. The received content may be distributed according to the determined CA information and the security profiles of the corresponding devices. The broadband gateway may be automatically and dynamically configured based on the identified security boundaries to secure content distribution to the devices. Content distribution security schemes, for example, super encryption, simul-crypt, IPSec and/or watermarking, may be selected by matching the CA information with corresponding device security profiles. | 12-08-2011 |
20110302625 | System and Method for Managing and Controlling Data - A system for managing and controlling data. The system includes provisions for easily and rapidly updating and managing a computer system, particularly a complex computer system in which several computers communicate with one another. The system also includes a central database which plays a key role in the management and control of the computer system. Most of the management functions are retained in the central database and remote offices, which generally do not retain data management information, communicate with the central office to retrieve data management information. The system also includes a novel approach to manipulating data. | 12-08-2011 |
20110302626 | LATENCY BASED PLATFORM COORDINATION - In some embodiments, an electronic apparatus comprises at least one processor, a plurality of components, and a policy engine comprising logic to receive latency data from one or more components in the electronic device, compute a minimum latency tolerance value from the latency data, and determine a power management policy from the minimum latency tolerance value. | 12-08-2011 |
20110307936 | NETWORK ANALYSIS - A method and system are provided for analyzing a network. The method and system convert network specification information into a single intermediate representation of the network. The intermediate representation can then be used to determine security parameters as well as expected data traffic parameters. | 12-15-2011 |
20110307937 | SECURITY SYSTEM FOR GENERATING KEYS FROM ACCESS RULES IN A DECENTRALIZED MANNER AND METHODS THEREFOR - Improved system and approaches for decentralized key generation are disclosed. The keys that can be generated include both public keys and private keys. The public keys are arbitrary strings that embed or encode access restrictions. The access restrictions are used to enforce access control policies. The public keys are used to encrypt some or all portions of files. The private keys can be generated to decrypt the portions of the files that have been encrypted with the public keys. By generating keys in a decentralized manner, not only are key distribution burdens substantially eliminated but also off-line access to encrypted files is facilitated. | 12-15-2011 |
20110314512 | METHODS FOR SECURITY AND MONITORING WITHIN A WORLDWIDE INTEROPERABILITY FOR MICROWAVE ACCESS (WIMAX) NETWORK - A method for security and monitoring within a worldwide interoperability for microwave access (WiMAX) network includes monitoring, by one or more sensors, communications activity on one or more channels; analyzing, by either one or more sensors directly or a server provided with reports of the monitored communication activity for detection of one or more system incidents; and triggering, in response to detection of one or more incidents, an incident notification. | 12-22-2011 |
20110314513 | ROLE POLICY MANAGEMENT - In various embodiments, techniques for role management systems/services are provided. According to an embodiment, a method is provided to allow a role management system to be configured, modified, and restricted. Specific roles assignments may be decorated to be meaningful to an application but which are not generally applicable to an original role specification. A Policy Enforcement Point (PEP) role request response may be modified by an augmentation service, which evaluates a resource association to identify an appropriate resource profile. Resource decorations are identified by the selected profile and are applied to the role request response. | 12-22-2011 |
20110321117 | Policy Creation Using Dynamic Access Controls - A method and system for dynamically managing access to assets such as an electronic document or a hardware component, using policies that comprise one or more dynamic access controls, which are linked to data sources such as databases or web services. The access controls are dynamic because, each time the policy is invoked, the policy and its component access controls must be evaluated with respect to the current information in the linked data sources. | 12-29-2011 |
20110321118 | METHOD AND APPARATUS FOR PERFORMING A MULTI-ROLE COMMUNICATION USING A MEMORY TAG - An approach is presented for performing a multi-role communication using a Radio Frequency (RF) memory tag. The control manager receives a content request, at a memory tag, from a first device according to a first access policy. Further, the control manager determines one or more sources of content data responsive to the content request. Then, the control manager provides access from the one or more sources to the memory tag according to a second access policy. The access facilitates transmission of the content data to the first device according to a third access policy. | 12-29-2011 |
20110321119 | Consigning Authentication Method - A method for sharing content between clients at a common trust level in a trust hierarchy associated with a network implementing policy-based management includes making a first request for delivery of content, receiving the requested electronic content, receiving a second request for delivery of the electronic content, communicating the second request, receiving a decision, and delivering the electronic content if the second request is granted. The first request is made to a policy enforcement point in the network for delivery of content to a first client, and includes a trust level of the first client. The second request is for delivery of the content to a second client at the trust level of the first client and includes integrity information about the second client, and is communicated to the policy enforcement point. If the second request is granted, the content is delivered from the first client to the second client. | 12-29-2011 |
20110321120 | METHOD AND SYSTEM FOR PROVIDING MASKING SERVICES - A system and method for presenting on-demand masking of data as a software service in a distributed environment is provided. An application hosted on a computing device receives a request for access to application data from a user. Credentials of the user are first validated in order to determine whether the user is authorized to access the requested application data. For an authorized user, a category of the user is determined to ascertain whether the user is privileged to obtain full access. In case the user is a privileged user, unmasked application data is fetched from a database utility and provided to the user. In case the user is not a privileged user, the application data access request is transferred to a data masking service. Application data is fetched from the database utility, masked based on pre-defined masking rules and provided to the user. | 12-29-2011 |
20110321121 | INFORMATION PROCESSING SYSTEM AND OPERATION METHOD OF INFORMATION PROCESSING SYSTEM - An information processing system is equipped with a first information processing device that stores first object group, and a second information processing device that obtains an operation request from a subject, said operation request indicating content of an operation for an object to be operated, and processes the object to be operated on the basis of the operation request. The first information processing device is equipped with a storage means for additional access control policies, wherein for each first object in the first object group, a set of second objects for which the feasibility of an operation is determined using the same control rule as the first object is indicated as a changed object group. In cases when the object to be operated is included in the aforementioned changed object group, the second information processing device references the additional access control policy and acquires the changed object group corresponding to the object to be operated. Thereafter, the determination of whether an operation request can be processed for the object to be operated is made by determining whether the operation request can be processed for the changed object group. | 12-29-2011 |
20110321122 | SPECIFYING AN ACCESS CONTROL POLICY - A system for specifying an access control policy comprises: A user interface ( | 12-29-2011 |
20110321123 | ACCESS CONTROL LIST CONVERSION SYSTEM, AND METHOD AND PROGRAM THEREFOR - An access control list conversion system includes: a first rule judgment unit | 12-29-2011 |
20120005718 | TRUSTED NETWORK CONNECT SYSTEM FOR ENHANCING THE SECURITY - Disclosed is a trusted network connect system for enhancing the security, the system including an access requester of the system network that connects to a policy enforcement point in the manner of authentication protocol, and network-connects to the access authorizer via a network authorization transport protocol interface, an integrity evaluation interface and an integrity measurement interface, a policy enforcement point network-connects to the access authorizer via a policy enforcement interface, an access authorizer network-connects to the policy manager via a user authentication authorization interface, a platform evaluation authorization interface and the integrity measurement interface, and an access requester network-connects to a policy manager via the integrity measurement interface. | 01-05-2012 |
20120005719 | Proxy-Based Network Access Protection - In certain embodiments, a method includes receiving, at a proxy, a request for access to a network from an application on an endpoint. The method also includes determining, by the proxy, information about the application on the endpoint by examining one or more headers of the request received at the proxy from the application. The method further includes determining, by the proxy, whether the one or more headers comprise expected information based on the determined information about the application. In response to determining that the one or more headers do not comprise the expected information, the method includes denying, by the proxy, the request for access to the network. In addition, in response to determining that the one or more headers comprise the expected information, the method includes forwarding, by the proxy, the request to the network on behalf of the application. | 01-05-2012 |
20120005720 | Categorization Of Privacy Data And Data Flow Detection With Rules Engine To Detect Privacy Breaches - A runtime approach receives a request from a target location. Data elements are received from a data store. Privacy data type categories corresponding to retrieved data elements are identified. A data flow category is identified based on the target location. Privacy actions are performed modifying some data elements based on the identified privacy data type categories and the data flow category so that the modified data elements comply with one or more data privacy rules pertaining to the target location. A design-time approach retrieves data types included in a software application data design. Privacy categories are selected that correspond to the retrieved data types. Flow categorization data is retrieved that corresponds to software application processes. Privacy categories and flow categorization data are compared to privacy rules. A user is informed if privacy rules are violated to facilitate software application modification in order to comply with the privacy rules. | 01-05-2012 |
20120005721 | PROCESSING UNIT ENCLOSED OPERATING SYSTEM - A processing unit for use in an electronic device includes standard instruction processing and communication interfaces and also includes functional capability in addition to or in place of those found in an operating system. A secure memory within the processing unit may contain a hardware identifier, policy data, and subsystem functions such as a secure clock, policy management, and policy enforcement. Data in functions within the secure memory are not accessible from outside the processing unit. | 01-05-2012 |
20120005722 | Application Context Based Access Control - Access control for an application is described. An exemplary method includes receiving a first command of an application to invoke a function of a user interface, identifying a first authorization context based on a first user context and the function of the user interface invoked, retrieving a first access policy providing access criteria associated with the first authorization context, and applying the first access policy to the accessibility of the function. The method includes receiving a second command to invoke the function in a second instance of the application and identifying a second authorization context based on a second user context and the function of the user interface invoked. The second authorization context is different than the first authorization context. The method includes retrieving a second access policy providing second access criteria associated with the second authorization context and applying the second access policy to the accessibility of the function. | 01-05-2012 |
20120005723 | SYSTEM AND METHOD FOR CONCURRENT SESSIONS IN A PEER-TO-PEER HYBRID COMMUNICATIONS NETWORK - An improved system and method are disclosed for peer-to-peer communications. In one example, the method provides for concurrent sessions to be maintained by multiple endpoints. | 01-05-2012 |
20120005724 | METHOD AND SYSTEM FOR PROTECTING PRIVATE ENTERPRISE RESOURCES IN A CLOUD COMPUTING ENVIRONMENT - A method for protecting private enterprise computing resources in a cloud computing environment includes determining a virtual topology comprising a secure computing zone, which includes a secure virtual vault, associated with an enterprise application of a private enterprise in a cloud computing environment. A traffic control policy associated with the secure computing zone is determined that comprises a plurality of security rules that define data traffic flow into, out of, and within the associated secure computing zone. A plurality of cloud computing nodes is selected and associated with the secure virtual vault. Any of the cloud computing nodes is a virtual computer or a physical computer device. The traffic control policy is automatically implemented in each of the cloud computing nodes associated with the secure virtual vault, where each cloud computing node is configured to enforce the plurality of security rules at an operating system level of the cloud computing node. | 01-05-2012 |
20120011559 | METHOD AND APPARATUS FOR SELECTING A SECURITY POLICY - An approach is provided for selecting a security policy. A security policy manager determines, at a device, context information associated with a place. The security policy manager then determines a safety score associated with the place based, at least in part, on the context information and selects a security policy for the device based, at least in part, on the safety score. | 01-12-2012 |
20120011560 | Dynamic Policy Trees for Matching Policies - A system and method is provided for evaluating one or more security policies. Security policies may be analyzed to determine one or more policy attributes based on which one or more policy trees should be generated. These policy trees may be utilized for evaluation purposes. | 01-12-2012 |
20120011561 | TEMPORARY POLICIES IN A MOBILE COMPUTING DEVICE - A system, method and apparatus for enabling temporary policies in a mobile computing device are provided. Data representative of the temporary policies is received, the data comprising a time period for applying the temporary policies. Settings of the mobile computing device are automatically changed from original settings to temporary settings, the temporary settings based on the data. When the time period has expired, the settings are changed back to the original settings. | 01-12-2012 |
20120011562 | PROTECTING FILE ENTITIES - There is described a computer system to provide a filesystem, and to export a consumer directory of the filesystem for access by a consumer application over a network. The system has a protected directory. Protection controls restrict performance of file management activities on file entities of the protected directory by the consumer application. | 01-12-2012 |
20120011563 | NETWORK INTELLIGENCE SYSTEM - A network security system takes an active approach to network security. This is accomplished by providing intelligence about other networks. A master network intelligence database is established that uses a plurality of network information agents for gathering information about networks and providing the information to the master network intelligence database. A customer network security system is then able to secure the customer network in dependence upon information received from the master network intelligence database. Security information includes at least one of hostility level on the Internet, collected from numerous sites; security event history; spam levels; hosted services; public wireless; organization type; organization associations; peer ISPs; bandwidth connection to the Internet; active security measures; number of users on the network; age of the network; inappropriate content served; industry; geographic placement; open proxy servers; and contact information. | 01-12-2012 |
20120017258 | COMPUTER SYSTEM, MANAGEMENT SYSTEM AND RECORDING MEDIUM - The present invention prevents the deterioration of security while maintaining usability in a case where a plurality of policies are applied to a client computer. Policies created by respective management servers | 01-19-2012 |
20120017259 | Validating Updates to Domain Name System Records - Disclosed are various embodiments for validating updates to domain name system (DNS) records. A request is received to modify at least one DNS record associated with a domain owned by a domain owner. The request to modify the at least one DNS record is compared with at least one policy. The at least one policy is configurable by the domain owner. The requested modification to the at least one DNS record is selectively granted based at least upon the comparison. | 01-19-2012 |
20120017260 | VERIFYING ACCESS-CONTROL POLICIES WITH ARITHMETIC QUANTIFIER-FREE FORM CONSTRAINTS - A system and method is provided for verifying an access-control policy against a particular constraint for a multi-step operation. In disclosed embodiments, the method includes expressing the access-control policy as a first quantifier-free form (QFF) constraint and identifying the particular constraint as a second QFF constraint. The method also includes identifying an operation vector and providing copies of the operation vector associated with steps in the multi-step operation. The method also includes determining a third QFF constraint using the first QFF constraint, the second QFF constraint, and the copies of the operation vector. The method also includes solving the third QFF constraint to determine a solution and outputting a result of the solving. | 01-19-2012 |
20120017261 | Enforcing Universal Access Control in an Information Management System - A method and apparatus for controlling document access and application usage using centrally managed rules. The rules are stored and manipulated in a central rule database via a rule server. Policy enforcers are installed on client systems and/or on servers and perform document access and application usage control for both direct user document accesses and application usage, and application program document accesses by evaluating the rules sent to the policy enforcer. The rule server decides which rules are required by each policy enforcer. A policy enforcer can also perform obligation and remediation operations as a part of rule evaluation. Policy enforcers on client systems and servers can operate autonomously, evaluating policies that have been received, when communications have been discontinued with the rule server. | 01-19-2012 |
20120017262 | SYSTEMS AND METHODS FOR PROCESSING DATA FLOWS - A flow processing facility, which uses a set of artificial neurons for pattern recognition, such as a self-organizing map, in order to provide security and protection to a computer or computer system supports unified threat management based at least in part on patterns relevant to a variety of types of threats that relate to computer systems, including computer networks. Flow processing for switching, security, and other network applications, including a facility that processes a data flow to address patterns relevant to a variety of conditions are directed at internal network security, virtualization, and web connection security. A flow processing facility for inspecting payloads of network traffic packets detects security threats and intrusions across accessible layers of the IP-stack by applying content matching and behavioral anomaly detection techniques based on regular expression matching and self-organizing maps. Exposing threats and intrusions within packet payload at or near real-time rates enhances network security from both external and internal sources while ensuring security policy is rigorously applied to data and system resources. Intrusion Detection and Protection (IDP) is provided by a flow processing facility that processes a data flow to address patterns relevant to a variety of types of network and data integrity threats that relate to computer systems, including computer networks. | 01-19-2012 |
20120017263 | Security Authorization Queries - In an example implementation, a bifurcated security scheme has a first level that does not allow usage of negations and a second level that does permit usage of negations. In another example implementation, an authorization query table maps respective resource-specific operations to respective associated authorization queries. In yet another example implementation, authorization queries are permitted to have negations, but individual assertions are not. | 01-19-2012 |
20120023544 | DATA ASSURANCE - Data assurance capabilities are received that are related to at least one individual persistent object type in a plurality of persistent object types linked to persistent objects stored on the service provider server. In addition, data assurance specifications are received from a customer, the data assurance specifications being based on the data assurance capabilities. Computer-readable data assurance policies for the at least one persistent object type are generated based on the received data assurance specification. The computer-readable data assurance policies then are combined with a corresponding template of data assurance capabilities for the at least one individual persistent object type to generate an enforceable customer-specific data policy. | 01-26-2012 |
20120023545 | SYSTEM AND METHOD FOR PROVIDING A HIGH PERFORMANCE NETWORK CONNECTION SERVICE FOR DISTRIBUTED COMPUTING APPLICATIONS - A system and method are disclosed for providing a high performance network connection service (HPNCS) for distributed computing applications. The HPNCS provides a network abstraction layer to the distributed applications and provides an interface to the underlying high performance on-demand dynamic circuit network (DCN). The HPNCS may relieve performance bottleneck problems encountered by the distributed applications due to the limited available networking bandwidth. The HPNCS may be used by distributed applications that need to access dedicated high performance network connection resources, such as DCN circuits, on an as-needed basis without over consuming expensive network resources. | 01-26-2012 |
20120023546 | DOMAIN-BASED SECURITY POLICIES - An example network system includes a plurality of endpoint computing resources, a business policy graph of a network that includes a set of the plurality of endpoint computing resources configured as a security domain, a set of policy enforcement points (“PEPs”) configured to enforce network policies, and a network management module (“NMM”). The NMM is configured to receive an indication of a set of network policies to apply to the security domain, automatically determine a subset of PEPs of the set of PEPs that are required to enforce the set of network policies based on physical network topology information readable by the NMM that includes information about the location of the endpoint computing resources and the set of PEPs within the network, and apply the network policies to the subset of PEPs in order to enforce the network policies against the set of endpoint computing resources of the security domain. | 01-26-2012 |
20120023547 | PRIVACY PREFERENCES MANAGEMENT SYSTEM - The disclosed invention resides in a system and method for managing and maintaining an internet user's privacy directives without the necessity to rely on one or more cookies to be retained by a user's browser. | 01-26-2012 |
20120030729 | COLLABORATIVE STRUCTURED ANALYSIS SYSTEM AND METHOD - Methods, systems, and apparatus for providing compartmented, collaborative, integrated, automated analytics to analysts are provided. In a first aspect, the present invention provides a computer-implemented method for providing compartmented, collaborative, integrated, automated analytics to analysts including: selecting a computer-encoded project-specific workflow; determining a computer-encoded compartment manager, said computer-encoded compartment manager including computer-encoded information about the context of said project-specific workflow; retrieving said computer-encoded information about the context; selecting a computer-implemented automated analytic using said computer-encoded project-specific workflow; providing under control of said computer-encoded compartment manager said information about the context to said automated analytic; processing said computer-encoded information using said computer-implemented automated analytic, to generate thereby analytical information representing an outcome to said analysts; and processing said analytical information in accordance with said computer-encoded compartment manager and said computer-encoded project-specific workflow. | 02-02-2012 |
20120036550 | System and Method to Measure and Track Trust - In some embodiments, a method of determining an overall level of trust of a system comprises receiving a level of trust for each of a plurality of elements of the system. A weight for each of the plurality of elements is received, each weight indicating an influence of each of the plurality of elements on the trust of the system. A contribution for each element to the overall level of trust of the system is determined based on the level of trust for each element and the weight for each element. The overall level of trust of the system is determined based on the determined contribution for each element. | 02-09-2012 |
20120036551 | Uniform modular framework for a host computer system - A security framework for a host computer system which allows a host to control access to a compliant security token by ensuring enforcement of established security policies administered by a middleware application. Processing between the host computer system and the security token is performed using one or more modular security application agents. The modular security application agents are counterpart applications to security applications installed in the security token and may be retrieved and installed upon to ensure compatibility between counterpart token and host security applications. The security policies are a composite of host security policies and token security policies which are logically combined by the middleware application at the beginning of a session. | 02-09-2012 |
20120036552 | SYSTEM FOR MANAGING DEVICES AND METHOD OF OPERATION OF SAME - A managed services platform and method of operation of same are described herein. The platform can include a device management service (DMS) server in which the DMS server can act as a gateway for communications with one or more computing devices, and the computing devices are associated with a first entity. The platform can also include an application service (AS) server in which the AS server is communicatively coupled with the DMS server. When a first computing device contacts the DMS server, the DMS server is operable to provide a bundle to the first computing device. As an example, the bundle contains content that at least includes one or more configuration messages and an application set that contains one or more predefined applications. The content of the bundle can be determined at least in part by the first entity. | 02-09-2012 |
20120036553 | METHOD FOR ESTABLISHING TRUSTED NETWORK CONNECT FRAMEWORK OF TRI-ELEMENT PEER AUTHENTICATION - The present invention provides a method for establishing the trusted network connect framework of tri-element peer authentication. The method includes: the implementation of the trusted network transport interface (IF-TNT); the implementation of the authentication policy service interface (IF-APS); the implementation of the trusted network connect (TNC) client-TNC access point interface (IF-TNCCAP); the implementation of the evaluation policy service interface (IF-EPS); the implementation of the integrity measurement collector interface (IF-IMC); the implementation of the integrity measurement verifier interface (IF-IMV); and the implementation of the integrity measurement interface (IF-IM). The embodiments of the present invention can establish the trust of the terminals, implement the trusted network connect of the terminals, implement the trusted authentication among the terminals, implement the trusted management of the terminals, and establish the TNC framework based on tri-element peer authentication (TePA) by defining the interfaces. | 02-09-2012 |
20120036554 | ACCESS AUTHORIZATION HAVING EMBEDDED POLICIES - A facility for receiving an embedded policy is provided. The facility checks an application program image for the presence of an embedded policy. If an embedded policy is detected, the facility extracts the policy from within the application program image. The facility may then apply the extracted policy to the application program image before the application program image is loaded and/or executed. Moreover, the facility may check the application program image's integrity prior to extracting the embedded policy. | 02-09-2012 |
20120042353 | ACCESS CONTROL - A process and device are disclosed for depositing sequences of layers comprising a plurality of semiconductor components on a plurality of substrates ( | 02-16-2012 |
20120042354 | Entitlement conflict enforcement - Various embodiments are directed to entitlements clearance. For example, an entitlement clearance request may be received from a provisioning application. The entitlement clearance request may comprise an indication of a subject entitlement and an indication of a subject user. An indication of user characteristics describing the subject user and an indication of existing entitlements held by the subject user may be received. A plurality of entitlements conflict rules may be applied to the existing entitlements, the subject entitlement and the user characteristics to determine whether an entitlements conflict exists in view of the subject entitlement. In addition, a completion indication of whether the entitlements conflict exists in view of the subject entitlement may be returned. Provided that the entitlements conflict exists, the completion indication may comprise an indication of at least one entitlements conflict rule selected from the plurality of entitlements conflict rules that would be violated by the subject entitlement. | 02-16-2012 |
20120042355 | REPRESENTING EXTENSIBLE MARKUP LANGUAGE (XML) AS AN EXECUTABLE HAVING CONDITIONAL AUTHENTICATION OR POLICY LOGIC - Techniques for representing extensible markup language (XML) in an executable format are presented. An XML document is parsed into its components and content. The components and content are packaged as an executable. Some portions of the executable include authentication logic or policy logic that is subsequently enforced when the executable is processed. The executable is subsequently distributed to recipient machines. The machines process the executable and produce memory-loaded versions of the components and content representing the XML document on the machines. The memory-loaded versions of the components and content include conditionally added authentication logic or policy logic. | 02-16-2012 |
20120047550 | Method and System for Device Integrity Authentication - A networked device performs integrity authentication by determining, using a processor, a measured integrity value of the device. The measured integrity value is compared by the processor to an embedded integrity value of the device. Application of a policy to the device is facilitated by the processor based on the comparison. | 02-23-2012 |
20120047551 | Machine-To-Machine Gateway Architecture - Systems, methods, and instrumentalities are disclosed that provide for a gateway outside of a network domain to provide services to a plurality of devices. For example, the gateway may act as a management entity or as a proxy for the network domain. As a management entity, the gateway may perform a security function relating to each of the plurality of devices. The gateway may perform the security function without the network domain participating or having knowledge of the particular devices. As a proxy for the network, the gateway may receive a command from the network domain to perform a security function relating to each of a plurality of devices. The network may know the identity of each of the plurality of devices. The gateway may perform the security function for each of the plurality of devices and aggregate related information before sending the information to the network domain. | 02-23-2012 |
20120047552 | DYNAMICALLY UPDATED SECURE HANDLING OF DOCUMENTS CONTAINING RESTRICTED INFORMATION - A method, system and computer program product for processing documents containing restricted information. One aspect concerns updating the relevant information security rules applicable to the documents. | 02-23-2012 |
20120047553 | SECURE DISTRIBUTED STORAGE OF DOCUMENTS CONTAINING RESTRICTED INFORMATION, VIA THE USE OF KEYSETS - A method, system and computer program product for processing documents containing restricted information. One aspect concerns storing documents in a distributed but secure manner, for example using keysets. | 02-23-2012 |
20120047554 | WEB SERVICE PROVISION SYSTEM, SERVER DEVICE, AND METHOD - A web application server includes a user information management unit that manages user IDs and attributes such that each of the user IDs is associated with corresponding one of the attributes, a security policy management unit that manages security policies such that each of security policies is associated with corresponding one of the attributes, a security policy acquisition unit that acquires one of the security policies based on one of the attributes associated with one of the user IDs, and an HTML file generation unit that generates an HTML file in which a script to acquire personal data of corresponding one of users from an intra-company database server is embedded based on one of the security policies of the corresponding one of the users. | 02-23-2012 |
20120047555 | PLATFORM AUTHENTICATION METHOD SUITABLE FOR TRUSTED NETWORK CONNECT ARCHITECTURE BASED ON TRI-ELEMENT PEER AUTHENTICATION - The invention discloses a platform authentication method suitable for trusted network connect (TNC) architecture based on tri-element peer authentication (TePA). The method relates to a platform authentication protocol of tri-element peer authentication, and the protocol improves network security as compared with prior platform authentication protocols; in the platform authentication protocol of the TNC architecture based on TePA, a policy manager plays a role as a trusted third party, which is convenient for concentrated management, thus enhancing manageability; the invention relates to the platform authentication protocol of the TNC architecture based on TePA, has different implementation methods and is beneficial for different dispositions and realizations. | 02-23-2012 |
20120047556 | ON-LINE CENTRALIZATION AND LOCAL AUTHORIZATION OF EXECUTABLE FILES - A system and method for controlling the execution of executable files. The executables are identified by either a cryptographic digest or a digital certificate. The cryptographic digest is computed from the binary image of the executable. An executable that is attempting to execute is intercepted by a protection module that consults a database of stored rules over a secure channel to determine whether or not the executable can be identified as a permitted executable and whether or not it has permission to execute on a particular computer system under certain specified conditions. If a stored permission is available, it is used to control the execution. Otherwise, the user is consulted for permission. | 02-23-2012 |
20120060198 | METHOD AND SYSTEM FOR GENERATING METRICS REPRESENTATIVE OF POLICY AND CHARGING CONTROL RULES - The present invention relates to a method and a system for generating metrics representative of Policy and Charging Control rules. The method and system analyze, at a PCC rules analyzer, a Policy and Charging Control rule, to define at least one metric representative of the Policy and Charging Control rule. Then, the method and system transmit the at least one metric representative of the Policy and Charging Control rule from the PCC rules analyzer to an analytic system. The method and system receive, at the analytic system, information representative of IP data traffic occurring on an IP data network; and process, at the analytic system, the information representative of the IP data traffic occurring on the IP data network, to calculate a value of the at least one metric representative of the Policy and Charging Control rule. | 03-08-2012 |
20120060199 | METHOD, SYSTEM, AND COMPUTER PROGRAM PRODUCT FOR FACILITATING COMMUNICATION IN AN INTEROPERABILITY NETWORK - Methods and apparatus are described for facilitating communication among a plurality of entities via an interoperability network. Each entity has policy data corresponding thereto governing interaction with the entity via the interoperability network. A message is transmitted from a first one of the entities to a second one of the entities. The first entity has first policy data corresponding thereto and the second entity has second policy data corresponding thereto. The transmitted message was handled in the network according to combined policy data representing a combination of the first and second policy data. | 03-08-2012 |
20120060200 | METHOD, SYSTEM, AND COMPUTER PROGRAM PRODUCT FOR FACILITATING COMMUNICATION IN AN INTEROPERABILITY NETWORK - Methods and apparatus are described for facilitating communication among a plurality of entities via an interoperability network. Each entity has policy data corresponding thereto governing interaction with the entity via the interoperability network. A message is transmitted from a first one of the entities to a second one of the entities. The first entity has first policy data corresponding thereto and the second entity has second policy data corresponding thereto. The transmitted message was handled in the network according to combined policy data representing a combination of the first and second policy data. | 03-08-2012 |
20120060201 | Web based extranet architecture providing applications to non-related subscribers - An extranet includes a network which couples a plurality of non-related participants and a server coupled to the network. The server stores a plurality of applications including workgroup applications, transaction applications, security applications and transport circuits and equipment. The server is programmed to load particular ones of the plurality of applications onto the network for use by the plurality of participants in response to a request by one of the participants for a particular application. | 03-08-2012 |
20120066736 | COMMUNICATIONS SERVICES MANAGEMENT USING SERVICES PROFILE - A method of managing communications services begins with a communications platform receiving a request for a communications service to be provided to a communications device by a source other than the communications platform. The communications platform determines an authorization of the communications device to receive the communications service. The authorization comprises a permission of the communications device to receive the communications service during a lifetime of a communications session maintained with the communications device. The communications network authorizes delivery of the communications service to the communications device during the lifetime of the communications session, in accordance with the authorization. | 03-15-2012 |
20120066737 | METHOD AND APPARATUS FOR SECURITY ALGORITHM SELECTION PROCESSING, NETWORK ENTITY, AND COMMUNICATION SYSTEM - Embodiments of the present invention disclose a method and an apparatus for security algorithm selection processing, a network entity, and a communication system. The method includes: receiving a service request message sent by user equipment; and according to a security protection requirement of the service request message, selecting a security algorithm from a security algorithm list supported by both the user equipment and a network entity, where security algorithm lists supported by the user equipment and/or the network entity are set separately based on different security protection requirements, or security algorithm lists supported by the user equipment and the network entity are used for indicating security capability of the user equipment and the network entity respectively. | 03-15-2012 |
20120066738 | System and Method for automatic Data Security Back-up and control for Mobile Devices - Systems and methods for providing security and control of mobile communications device activity, including at least one mobile communication device with software operable thereon for receiving rules provided by an authorized user of the device(s) and, in accordance with those rules, administering actions to provide for controlling and securing data stored or generated on the device(s), including logging data and activities related to the mobile communications device, and blocking and filtering calls, messages, websites, emails, and combinations thereof, via wireless communication with a remote server computer having a corresponding software module operable thereon for managing and implementing the rules. | 03-15-2012 |
20120066739 | SYSTEM AND METHOD FOR CONTROLLING POLICY DISTRIBUTION WITH PARTIAL EVALUATION - The present invention relates to a system ( | 03-15-2012 |
20120072968 | ASSESSMENT AND ANALYSIS OF SOFTWARE SECURITY FLAWS IN VIRTUAL MACHINES - Security analysis and vulnerability testing results are “packaged” or “bound to” the actual software it describes. By linking the results to the software itself, downstream users of the software can access information about the software, make informed decisions about implementation of the software, and analyze the security risk across an entire system by accessing all (or most) of the reports associated with the executables running on the system and summarizing the risks identified in the reports. | 03-22-2012 |
20120072969 | DETERMINING A SENSITIVITY LABEL OF DOCUMENT INFORMATION IN REAL TIME - A sensitivity label for document information in a document may be determined in real time, according to one embodiment, by flexibly and dynamically determining a sensitivity label for the document based on content included in information within the document. Information within a document varies from day to day, for example, document information may decrease in importance with time, increase in importance due to an event, etc. Therefore, the sensitivity label of the document, according to embodiments described herein, may also change dynamically in accordance with document content, information, etc. | 03-22-2012 |
20120072970 | CHAINING INFORMATION CARD SELECTORS - A machine includes card stores to store information cards. For each card store, one or more card selectors can be provided. When performing a transaction involving information cards, a generic card selector, using a selector policy engine, can identify a card selector to use for the transaction. The identified card selector can be used to identify an information card in a card store to use in performing the transaction, which can be used to provide a security token to the relying party. | 03-22-2012 |
20120079556 | SEPARATION OF DUTIES CHECKS FROM ENTITLEMENT SETS - A data model in which a set provides an abstraction that isolates the computation of membership from the details of how an enforcement point determines access (e.g., based on claims, based on security group membership etc). Set operations (e.g., intersection, union, inverse) can then be used across the sets. The architecture utilizes workflow on set transitions such that when an object such as a user enters the scope of one of these sets, notification can occur, such that inadvertent changes which lead to separation-of-duties violations can be detected quickly. The sets can also be used to define entitlements for enforcement of claims-based access control in a cross-organization deployment (e.g., to a cloud-hosted application). | 03-29-2012 |
20120079557 | DERIVING EXPRESS RIGHTS IN PROTECTED CONTENT - The present invention extends to methods, systems, and computer program products for deriving express rights in protected content. Embodiments of the invention provide mechanisms to convert implicit rights to express rights for entities, including applications, inside and outside of an organizational (e.g., enterprise) boundary. The conversion can occur dynamically, based on the information protection policies defined by a policy administrator, granting entities express access to perform tasks on protected content. | 03-29-2012 |
20120079558 | Safety and securely us personal computer working at home or anywhere instead of going and working in the office - A revolutionary way of safely and securely using computers to work at home or on the road is invented. The architecture of Corpnetlk7 built for the platform includes components, utility programs and files, the majority of which reside on the host company's servers. They work together with local and corporate machines where configurations are made and certain programs are installed. The user will go through different steps before reaching the corporate legacy system. Corpnetlk7 consists of Corpnetlk7 Client, Server and Corporate Side Configuration Utility, Corpnetlk7 Connection Agent, Corpnetlk7 Names Server Manager, Corpnetlk7 Enterprise App, Corpnetlk7 User App, Corpnetlk7 Security Enhancement Layers, Corpnetlk7 Programs Repository, Corpnetlk7 Programs Security Storage Lockroom, Corpnetlk7 Multithreaded Server, Corpnetlk7 Host GUI Interface and Corpnetlk7 New User Checksum, etc. The user creates connectivity on the local machine and Corpnetlk7 helps the user resolve the names service. | 03-29-2012 |
20120079559 | METHODS FOR POLICY MANAGEMENT - Systems, methods, and apparatus are disclosed for coordinating enforcement of policies on a network and/or a wireless transmit/receive unit. The policies may include stakeholder-specific policies of one or more stakeholders that provide services on a user equipment. Enforcement of the stakeholder-specific policies may be securely coordinated using a policy coordination function. Systems, methods, and apparatus are also disclosed that include a network policy coordination function (NPCF) that coordinates service control policies and access control policies. The NPCF may coordinate enforcement of the service control policies for one or more service control entities and the access control policies for one or more access control entities. | 03-29-2012 |
20120079560 | METHOD, SYSTEM, AND COMPUTER PROGRAM PRODUCT FOR FACILITATING COMMUNICATION IN AN INTEROPERABILITY NETWORK - Methods and apparatus are described for facilitating communication among a plurality of entities via an interoperability network. Each entity has policy data corresponding thereto governing interaction with the entity via the interoperability network. A message is transmitted from a first one of the entities to a second one of the entities. The first entity has first policy data corresponding thereto and the second entity has second policy data corresponding thereto. The transmitted message was handled in the network according to combined policy data representing a combination of the first and second policy data. | 03-29-2012 |
20120079561 | ACCESS CONTROL METHOD FOR TRI-ELEMENT PEER AUTHENTICATION CREDIBLE NETWORK CONNECTION STRUCTURE - An access control method for a TePA-based TNC architecture is provided, including: 1) performing encapsulation of user authentication protocol data and platform authentication protocol data in the TePA-based TNC architecture: 1.1) encapsulating the user authentication protocol data in a Data field of TAEP packets, and interacting with the TAEP packets between an access requestor and an access controller, and between the access controller and a policy manager, to perform mutual user authentication between the access requestor and the access controller, and establish a secure channel between the access requestor and the access controller; and 1.2) encapsulating the platform authentication protocol data in a Data field of TAEP packets, and, for platform authentication protocol data between the access requestor and the access controller, encapsulating a TAEP packet of the platform authentication protocol data in a Data field of another TAEP packet to form a nested encapsulation. | 03-29-2012 |
20120084830 | NETWORK POLICY CONTROLLER - The invention concerns a network policy controller coupled to a computer network and including a communications interface ( | 04-05-2012 |
20120084831 | METHOD AND APPARATUS FOR PROVIDING PRIVACY MANAGEMENT IN MACHINE-TO-MACHINE COMMUNICATIONS - A method, non-transitory computer readable medium and apparatus for processing a request from a server of a machine-to-machine service provider are provided. For example, the method receives the request from the server of the machine-to-machine service provider to communicate with a machine-to-machine device, determines whether to authorize the request based upon a policy in a privacy database, and enables communications between the server of the machine-to-machine service provider and the machine-to-machine device if the request is authorized based upon the policy. | 04-05-2012 |
20120090014 | ACCESS CONTROL APPARATUS, INFORMATION MANAGEMENT APPARATUS, AND ACCESS CONTROL METHOD - An access control apparatus that controls access to an information management apparatus that stores configuration elements and relationship elements indicating relationships between the configuration elements, includes a storage unit that stores one or more predetermined configuration elements in association with user information that identifies a user and stores one or more combinations of a type of a configuration element and a type of a relationship element in association with the user information, as an access control rule set for each user, and a determining unit that determines that, when a combination of a type of a configuration element stored in the storage unit in association with user information and a type of a relationship element indicating a relationship between the configuration element and another configuration element is stored in the storage unit in association with the user information, the another configuration element is accessible. | 04-12-2012 |
20120096510 | COMPUTER NETWORK SECURITY - A system comprises: a representation of a network; a communications requirements file for an application to be executed by a node of said network; and a security policy file defining a security policy for said node of said network. Said files are processed to determine whether said security policy and said communication requirements are compatible. | 04-19-2012 |
20120096511 | ENHANCED BROWSER SECURITY - A machine-executable method implementable in a system operable to execute a browser application having at least one security-context zone and operable to apply at least one security policy to interaction between the system and web sites corresponding to domain identifiers populating the at least one security-context zone includes comparing a first set of domain identifiers populating a first security-context zone of the at least one security-context zone with a second set of domain identifiers. The method further includes populating the first security-context zone with at least one second-set identifier not included in the first set of domain identifiers. | 04-19-2012 |
20120096512 | POLICY SELECTOR REPRESENTATION FOR FAST RETRIEVAL - A method and apparatus for representing policies and searching for policies that match a packet are provided. The policies being represented and searched for include policies that overlap and policies that have “don't care” attributes. | 04-19-2012 |
20120096513 | Adapting Network Policies Based on Device Service Processor Configuration - Disclosed herein are various embodiments to prevent, detect, or take action in response to the moving of a device credential from one device to another, the improper configuration of a service processor, a missing service processor, or the tampering with a service processor in device-assisted services (DAS) systems. | 04-19-2012 |
20120096514 | AGE VERIFICATION AND CONTENT FILTERING SYSTEMS AND METHODS - A system and method are provided for age verification and content filtering (AV/CF) on a wireless telecommunications system capable of providing enhanced products such as Internet, WAP, messaging, games, video, music, applications, etc. A profile controls content that is accessible by a user depending upon the user's age or restrictions placed on accessible content in accordance with content categories. Rating information is obtained from content providers and mapped to content categories, or content is rated dynamically. Users' requests for access may be recorded whether access is provided or denied and used to provide reports, including reports to account holders responsible for the user's account. In some instances, attempts to access banned information may be reported to law enforcement officials. | 04-19-2012 |
20120096515 | METHOD AND APPLICATION FOR THE PARENTAL CONTROL OF THE USE OF A TERMINAL - The invention pertains to a method for the parental control of a terminal's usage, wherein said terminal's usage rules are configured beforehand, said rules being applied in order to allow or deny access to a service requested by the user by means of said terminal, said method further providing to determine events for which the user may be rewarded, and, if one of said events occurs, to define a usage reward (R) corresponding to said event, said reward being subject to parental approval prior to its being taken into account in the application of the usage rules. The invention also pertains to an application for the parental control of a terminal's usage. | 04-19-2012 |
20120102539 | CLOUD SERVICES LAYER - A method including receiving a service registration request to register a service with a multi-tenant, multi-service cloud network from a user; registering object types that pertain to the service, wherein the object types include at least one service object type that is not an object type offered by the cloud network to the user; and registering objects based on the object types, wherein the objects include at least one object associated with the at least one service object type. | 04-26-2012 |
20120102540 | Single-Point-Of-Access Cyber System - The system and system components of the present invention provide individuals with both a safe and a secure cyber environment. Within this safe and secure cyber environment each individual and each cyber device will always be properly identified for all cyber interactions with others and for all cyber interactions with the cyber devices of others. The present invention also provides individuals with privacy as required by each individual for the individual's cyber activities and cyber assets. Further, the present invention provides for environment-wide interoperable use of any cyber device, cyber programming, or cyber content. | 04-26-2012 |
20120102541 | Method and System for Generating an Enforceable Security Policy Based on Application Sitemap - A system for generating a security policy for protecting an application-layer entity. The system comprises a security sitemap generator for generating a security sitemap of a protected application-layer entity, the security sitemap is stored in a first repository connected to the security sitemap generator; and a policy builder for generating a security policy for the application-layer entity based on the security sitemap, the security policy is stored in a second repository connected to the policy builder, wherein the security policy includes a plurality of enforcement rules for at least one of a resource, a group of resources, and a client-side input parameter of at least a portion of the protected application-layer entity. | 04-26-2012 |
20120102542 | SECURITY MONITORING APPARATUS, SECURITY MONITORING METHOD, AND SECURITY MONITORING PROGRAM BASED ON A SECURITY POLICY - A management server monitors even the occurrence of items which are not targets of security policies, evaluates a change of the monitoring result, and implements specific output when necessary. In particular, even for items which are considered to be non-targets of the security policies in management based on the security policies, the occurrence of such items is also monitored and the monitoring result is appropriately reported to an administrator, so that the administrator can recognize a threat and take the necessary countermeasures at the appropriate time. | 04-26-2012 |
20120102543 | Audit Management System - A computer implemented method and system for managing an audit of one or more network layer devices is provided. An audit management system accessible by a user via a graphical user interface acquires network layer device information of the network layer devices and a configuration file comprising configuration file commands. The audit management system allows creation and/or selection of one or more audit policies for the network layer devices. The audit policies comprise one or more audit rules that define functioning of the network layer devices for one or more compliance policies. The audit management system executes the audit policies for performing the audit of the network layer devices by comparing the configuration file commands of the configuration file with the audit rules of the audit policies, and generates a report comprising information about security and compliance of the network layer devices with the compliance policies based on the audit. | 04-26-2012 |
20120102544 | CONTROLLING, FILTERING, AND MONITORING OF MOBILE DEVICE ACCESS TO THE INTERNET, DATA, VOICE, AND APPLICATIONS - Systems and methods for controlling, filtering, and monitoring mobile device access to the internet are disclosed. According to an embodiment a server is responsible for controlling, filtering and monitoring internet activity. For every request, the server interacts with back-end databases that categorize requests, and based on user/carrier/corporate settings, allow or disallow access to particular content. | 04-26-2012 |
20120110632 | METHOD AND APPARATUS FOR PROVIDING DISTRIBUTED POLICY MANAGEMENT - An approach is provided for distributed policy management and enforcement. A policy manager determines one or more domains of an information system. The one or more domains are associated at least in part with respective subsets of one or more resources of the information system. The policy manager also determines one or more respective access policies local to the one or more domains. The one or more respective access policies are configured to enable a determination at least in part of access to the respective subsets, the one or more resources, or a combination thereof. At least one of the one or more respective access policies is configured to operate independently of other ones of the one or more respective schemas. | 05-03-2012 |
20120110633 | APPARATUS FOR SHARING SECURITY INFORMATION AMONG NETWORK DOMAINS AND METHOD THEREOF - Provided are a security information sharing apparatus capable of sharing security information among network domains and a method thereof. The security information sharing apparatus includes a primitive security information storage unit configured to store primitive security information to be shared with other network domains, an information sharing policy storage unit configured to store an information sharing policy for information to be shared, an information masking policy storage unit configured to store an information masking policy for information not to be opened to the other network domain, a domain selector configured to select the other network domain to receive the shared security information, a shared security information generator configured to generate shared security information for the selected other network domain by applying the information sharing policy to the primitive security information, an information masking unit configured to mask information not to be opened in the generated security information according to the information masking policy, a protocol message generator configured to generate a protocol message for the shared security information subjected to the information masking, to be transmitted, and a protocol message transmitter configured to transmit the protocol message to the selected other network domain. | 05-03-2012 |
20120110634 | AUTOMATIC PIN CREATION USING PASSWORD - A PIN is automatically generated based on at least one rule when the user enters a password through a user device. In one example, the PIN is a truncated version of the password where each character in the truncated version is mapped onto a number. The mapping can be a truncation at the beginning or end of the password, or the mapping can be with any pattern or sequence of characters in the password. This PIN generation may be transparent to the user, such that the user may not even know the PIN was generated when the password was entered. When the user attempts to access restricted content, the user may enter the PIN instead of the password, where the user may be notified of the rule used to generate the PIN so that the user will know the PIN by knowing the password. | 05-03-2012 |
20120110635 | METHOD AND SYSTEM FOR DETECTING CHARACTERISTICS OF A WIRELESS NETWORK - Characteristics about one or more wireless access devices in a wireless network, whether known or unknown entities, can be determined using a system and method according to the present invention. An observation is made of the activity over a Wireless Area Network (WLAN). Based on this activity, changes in state of wireless access devices within the WLAN can be observed and monitored. These changes in state could be indicative of normal operation of the WLAN, or they may indicate the presence of an unauthorized user. In the latter case, an alert can be sent so that appropriate action may be taken. Additionally, ad hoc networks can be detected that may be connected to a wireless access point. | 05-03-2012 |
20120110636 | Defining an Authorizer in a Virtual Computing Infrastructure - An authorizing entity is allowed to grant permission to a subject to perform an action on an object in a cloud computing environment. An authorizer is defined as the entity having granting authority to delegate a predetermined permission. A subject is defined as a group to whom the permission is being delegated. An object is defined upon which an action is authorized within the cloud computing environment. The action being authorized in the cloud computing environment is defined. Members of the subject group are authorized to perform the permitted action on the object. | 05-03-2012 |
20120110637 | Systems, Methods, and Apparatuses for Facilitating Authorization of a Roaming Mobile Terminal - Systems, methods, and apparatuses are provided for facilitating authorization of a roaming mobile terminal. A method may include receiving a request for security key related policy information for a user equipment device. The request may be sent by a service providing node on a visited network. The method may further include causing a service authorization information request including a user security settings package to be sent to a policy decisioning server. The method may also include receiving, in response to the service authorization information request, a service authorization information answer including a modified user security settings package including the authorization policy information for the user equipment device. The method may additionally include causing the requested security key related policy information to be sent to the service providing node. Corresponding systems and apparatuses are also provided. | 05-03-2012 |
20120110638 | POLICY-BASED CROSS-DOMAIN ACCESS CONTROL FOR SSL VPN - A method may include generating a request that includes a host domain associated with a multiple-domain-to-one domain mapping, capturing the request before transmission of the request, rewriting the host domain, and transmitting the request. | 05-03-2012 |
20120117608 | CERTIFICATE POLICY MANAGEMENT TOOL - A certificate policy management tool ( | 05-10-2012 |
20120117609 | Pluggable Claim Providers - A server system receives and installs multiple claim provider plug-ins. Each of the claim provider plug-ins implements the same software interface. However, each of the claim provider plug-ins can provide claims that assert different things. Claims provided by the claim provider plug-ins can be used to control access of users to a resource. | 05-10-2012 |
20120117610 | RUNTIME ADAPTABLE SECURITY PROCESSOR - A runtime adaptable security processor is disclosed. The processor architecture provides capabilities to transport and process Internet Protocol (IP) packets from Layer 2 through transport protocol layer and may also provide packet inspection through Layer 7. A high performance content search and rules processing security processor is disclosed which may be used for application layer and network layer security. A scheduler schedules packets to packet processors for processing. An internal memory or local session database cache stores a session information database for a certain number of active sessions. The session information that is not in the internal memory is stored and retrieved to/from an additional memory. An application running on an initiator or target can in certain instantiations register a region of memory, which is made available to its peer(s) for access directly without substantial host intervention through RDMA data transfer. | 05-10-2012 |
20120117611 | CONTROLLING INFORMATION DISCLOSURE DURING APPLICATION STREAMING AND PUBLISHING - Various aspects as described herein are directed to systems, methods, apparatuses, and software for intercepting requests to copy content, paste content, clip content, cut content, or perform a print screen operation, and either allowing the requested operation to occur or preventing the operation depending upon whether the content is sourced from a streamed application or a non-streamed application, and/or depending upon a streamed application-based policy. This may be performed by, for instance, hooking an appropriate function call to the operating system. | 05-10-2012 |
20120117612 | SYSTEM AND/OR METHOD FOR AUTHENTICATION AND/OR AUTHORIZATION - A computing platform constructs an application from source code such that the application detects an attempt to access at least one secured entity of the application. Further, the at least one secured entity is registered with an authorization system by providing metadata that is descriptive of the at least one secured entity to the authorization system so that authorization metadata is generated based upon the metadata and a global unique identifier is assigned to the application and the metadata to identify the application and the metadata. The authorization metadata indicates an access policy to the at least one secured entity. | 05-10-2012 |
20120117613 | METHOD, SYSTEM, AND COMPUTER PROGRAM PRODUCT FOR FACILITATING COMMUNICATION IN AN INTEROPERABILITY NETWORK - Methods and apparatus are described for facilitating communication among a plurality of entities via an interoperability network. Each entity has policy data corresponding thereto governing interaction with the entity via the interoperability network. A message is transmitted from a first one of the entities to a second one of the entities. The first entity has first policy data corresponding thereto and the second entity has second policy data corresponding thereto. The transmitted message was handled in the network according to combined policy data representing a combination of the first and second policy data. | 05-10-2012 |
20120117614 | SYSTEM AND METHOD FOR HIGH PERFORMANCE SECURE ACCESS TO A TRUSTED PLATFORM MODULE ON A HARDWARE VIRTUALIZATION PLATFORM - A system and method for high performance secure access to a trusted platform module on a hardware virtualization platform, which includes Virtual Machine Monitor (VMM) managed components coupled to the VMM and a plurality of Virtual Machines (VMs). One of the VMM managed components is a Trusted Platform Module (TPM). Each virtual machine includes a guest Operating System, a TPM device driver (TDD), and at least one security application. The VMM creates an intra-partition in memory for each TDD such that other code and information at the same or a higher privilege level in the VM cannot access the TDD's memory contents. The VMM also maps access only from the TDD to a TPM register space specifically designated for the VM requesting access. Contents of the TPM requested by the TDD are stored in an exclusively VMM-managed protected page table that provides hardware-based memory isolation for the TDD. | 05-10-2012 |
20120117615 | System and Method for Providing Access Control - A control device may be configured to monitor a network connection. An application running on a client device may send a first network communication destined for a network communicatively connected to the control device. Depending upon whether the client device is authorized to access the network, different global rules may be applied. The first application or a second application running on the client device may send a second network communication. The control device may process the second network communication according to a plurality of stages. Specifically, the control device may extract information associated with the client device from the second network communication and associate user specific rules at a client discrimination stage. The control device may, at a user specific rule stage, access these rules and apply accordingly to the second network communication as governed by user specific provisioning rules. | 05-10-2012 |
20120117616 | WIRELESS/WIRED MOBILE COMMUNICATION DEVICE WITH OPTION TO AUTOMATICALLY BLOCK WIRELESS COMMUNICATION WHEN CONNECTED FOR WIRED COMMUNICATION - A mobile wireless communication device also has at least one wired communication port. Enhanced security is achieved by permitting the device to automatically disable one or more wireless ports when connected to a wired port. Specific combinations/permutations of such automatic control may be effected by use of an IT Policy also resident on the device. | 05-10-2012 |
20120117617 | METHOD FOR SELECTING AN IPSEC POLICY - A method and apparatus for querying an IPsec Security Policy Database comprising a plurality of groups of Security Policies that have been assigned a priority value. When a network node receives an IP packet, it determines a priority value and looks for Security Policies in the Security Policy Database having that priority value. If no Security Policies are found, then it looks for Security Policies having a lower priority value. This process is repeated until a Security Policy is found, in which case it is returned and applied to the IP packet, or until it is determined that no suitable Security Policy exists. | 05-10-2012 |
20120124637 | SECURE ACCESS TO HEALTHCARE INFORMATION - A system and method for providing or exchanging healthcare information (e.g., medical information) to authorized users in a secure manner. The method is implemented in a computer infrastructure having computer executable code tangibly embodied on a computer readable storage medium having programming instructions operable to: assign identification information to a plurality of users and a plurality of items; associate the identification information of a user of the plurality of users with one or more items of the plurality of items; set up security policies including predetermined locations, within predetermined stages within a sequence and during predetermined times; and provide the user access to the one or more items when there is a match between the identification information of the user and the one or more items, and all of the security policies associated with the user and the one or more of the plurality of items are met. | 05-17-2012 |
20120124638 | SYNDICATION INCLUDING MELODY RECOGNITION AND OPT OUT - A syndication system facilitates rights management services between media content owners and media hosting services that elect to participate in the syndication system and mutually elect to participate with each other. The syndication system utilizes a content recognition system to identify hosted media content and ownership rights associated with the hosted content. By applying melody recognition, the content recognition system can identify compositions embodied in hosted media content even when these compositions do not precisely match any known sound recording. Thus, the content recognition system is beneficially able to detect, for example, recorded cover performances and recorded live performances embodied in hosted media content. Once identified, ownership information is determined and the syndication system can facilitate rights management policies associated with the content such as monetizing or blocking the protected content. | 05-17-2012 |
20120124639 | VALIDATION OF CONSISTENCY AND COMPLETENESS OF ACCESS CONTROL POLICY SETS - Consistency and/or completeness of access control policy sets may be validated and/or verified. An access control policy set may be received. The access control policy set may include access control policies that allow or disallow access to computing resources. Individual ones of the access control policies may include one or more attributes. The one or more attributes of a given access control policy may be ordered into a predetermined order responsive to the one or more attributes of the given access control policy lacking the predetermined order. A decision tree may be generated based on the access control policies. The decision tree may be analyzed to determine one or more of (1) whether one or more of the access control policies are incomplete, or (2) whether one or more of the access control policies are inconsistent with one or more other ones of the access control policies. | 05-17-2012 |
20120124640 | DATA SOURCE BASED APPLICATION SANDBOXING - A computing device and a method for a computing device to control access to data stored on a data store of the device. An access component of the device has control over access to the data. The access component is operative to receive a request for data from a requesting component, identify an assigned access domain of the requesting component and an assigned data domain of the requested data, and determine whether the requesting component is authorized to access the data by comparing the assigned access domain and the data domain with permissions specified in a security policy. If the assigned access domain is authorized to access the data domain, the access component may provide access to the requested data. | 05-17-2012 |
20120124641 | METHODS RELATED TO NETWORK ACCESS REDIRECTION AND CONTROL AND DEVICES AND SYSTEMS UTILIZING SUCH METHODS - In illustrative embodiments, methods in accordance with the present invention utilize a thin kernel module operating in the kernel space of an operating system to redirect all TCP flows to user space for application analysis and processing. Redirected data is presented to the user space application as a data stream, allowing the processing of information contained within the data stream from the user space on a mobile device. This allows the user space application to inspect and take action on incoming data before allowing the data to continue to pass through the device. This enables parental controls, firewalls, real-time anti-virus scanning, tethering/hot-spot, bandwidth optimization, and similar programs to effectively operate across different mobile devices as user downloadable/actuatable applications. | 05-17-2012 |
20120124642 | APPARATUS AND METHOD FOR SELECTIVELY DECRYPTING AND TRANSMITTING DRM CONTENTS - Provided are an apparatus and a method for selectively decrypting and transmitting DRM contents. A policy storing unit stores information on devices allowed to decrypt contents. A policy processing unit determines whether a target device, to which an encrypted content is transmitted, is a device allowed for decryption, based on the information stored in the policy storing unit. A decryption unit decrypts the encrypted content. A control unit controls the decryption unit to decrypt the encrypted content when the target device is a device allowed for decryption. | 05-17-2012 |
20120124643 | Systems and Methods for Analyzing Application Security Policies - A system and method for analyzing application security policies is provided. One or more application security policies are retrieved. An optimized policy is then generated utilizing the one or more application security policies. One or more queries related to the one or more application security policies are received. The one or more queries are decomposed. The one or more decomposed queries are then processed utilizing the optimized policy. | 05-17-2012 |
20120131634 | METHOD OF EXECUTING AN APPLICATION EMBEDDED IN A PORTABLE ELECTRONIC DEVICE - The invention is a method of executing an application embedded in a portable electronic device. The application comprises one instruction handling an object. The electronic device comprises a firewall which is intended to check the compliance of the object with preset security rules. The portable electronic device comprises a volatile memory area intended to store a data set uniquely associated to the object. The data set comprises an indicator reflecting the result of the check of the compliance of the object with the preset security rules. The method comprises the following steps before execution of the instruction: checking the presence in the volatile memory area of a data set associated to the object and comprising an indicator reflecting a successful check of the security rules, and, if the check of the data set is successful, authorizing the execution of the instruction without further security rules checking by the firewall. | 05-24-2012 |
20120131635 | METHOD AND SYSTEM FOR SECURING DATA - Disclosed is a method of supporting security policies and security levels associated with processes and applications. A security level is associated with a process independent of a user executing the process. When secure data is to be accessed, the security level of the process is evaluated to determine whether data access is to be granted. Optionally, the security level of a user of the process is also evaluated prior to providing data access. | 05-24-2012 |
20120131636 | Security Context Lockdown - A method and system for locking down a local machine zone associated with a network browser is provided. Placing the local machine zone in a lockdown mode provides stricter security settings that are applied to active content attempting to publish within a local page open in the network browser. The stricter settings are provided in a new set of registry keys that correspond to the lockdown mode of the local machine zone. The original security settings remain unchanged so that other system and application functionality that depends on the original security settings remains unaffected for the local machine zone. A user may also selectively allow active content to render despite the local machine zone being locked down. | 05-24-2012 |
20120131637 | Systems and Methods of Controlling Network Access - A new approach to network security includes manipulating an access point such that an initial communication from an external device is passed to a restricted subset of a computing network including a gatekeeper. The gatekeeper is configured to enforce a security policy against the external device before granting access to a less-restricted subset of the computing network. If requirements of the security policy are satisfied, then the gatekeeper reconfigures the access point such that further communication from the external device may be received by elements of the less-restricted subset. Enforcement of the security policy optionally includes performing a security audit of the external device. | 05-24-2012 |
20120137340 | IMPLICIT AUTHENTICATION - Embodiments of the present disclosure provide a method and system for implicitly authenticating a user to access controlled resources. The system first receives a request to access the controlled resource from a user. Then, the system determines whether the user request is inconsistent with regular user behavior by calculating a user behavior measure derived from historical contextual data of past user events. Next, responsive to the determined inconsistency of the user request, the system collects current contextual data of the user from one or more user devices without prompting the user to perform an explicit action for authentication. The system further updates the user behavior measure based on the collected current contextual data, and provides the updated user behavior measure to an access controller of the controlled resource to make an authentication decision based at least on the updated user behavior measure. | 05-31-2012 |
20120137341 | SYSTEM AND METHOD FOR DETERMINING A SECURITY ENCODING TO BE APPLIED TO OUTGOING MESSAGES - A system and method for determining a security encoding to be applied to a message being sent by a user of a computing device. In one broad aspect, the device comprises a processor configured to: determine whether a general message encoding configuration setting indicates that when a security encoding is to be applied to a message then the security encoding is to be established by a policy engine; if the general message encoding configuration setting so indicates, query the policy engine for the security encoding to be applied to the message; otherwise, determine the security encoding to be applied to the message in accordance with a user-selected security encoding; and apply the determined security encoding to the message prior to transmission of the message to at least one recipient. | 05-31-2012 |
20120137342 | MALICIOUS CODE INFECTION CAUSE-AND-EFFECT ANALYSIS - A malware analysis system for automating cause and effect analysis of malware infections is provided. The malware analysis system monitors and records computer system activities. Upon being informed of a suspected malware infection, the malware analysis system creates a time-bounded snapshot of the monitored activities that were conducted within a time frame prior to the notification of the suspected malware infection. The malware analysis system may also create a time-bounded snapshot of the monitored activities that are conducted within a time frame subsequent to the notification of the suspected malware infection. The malware analysis system provides the created snapshot or snapshots for further analysis. | 05-31-2012 |
20120137343 | TERMINAL, COMMUNICATION SYSTEM, DATA MANAGEMENT METHOD, SERVER AND STORAGE MEDIUM - [Problem] To make it possible to prevent certainly user's personal information from flowing out without burdening the user, and to manage sensor information and result information which is acquired through processing a service by use the sensor information, on the basis of importance, classification, personal property, utilization form or the like. | 05-31-2012 |
20120144448 | Data Store Including a File Location Attribute - A data store including a file location attribute is described. In an embodiment, the location attribute for a data element, such as a file or database record, is stored with the bytes of data and records the geographic location of the data element. Writing to this attribute is limited to a single trusted entity, such as an operating system, to ensure that the location data can be trusted and when a data element is moved or replicated, the attribute is updated to reflect the new location of the data element. This location data is made available to users and applications by a metadata service which tracks the locations of data elements and responds to requests from users. Access control policies can be defined in terms of location and stored at the metadata service and the metadata service can then enforce these policies when responding to requests. | 06-07-2012 |
20120144449 | METHOD AND SYSTEM FOR PROTECTING CONFIDENTIAL INFORMATION - A method for computer workstation based information protection is presented, the method comprises: a) monitoring a user's actions on the computer workstation, b) analysis of the actions in respect to a pre-defined policy to determine whether the actions prejudice information to which the policy applies, and c) executing the policy in accordance with the results of the analysis to prevent or modify or restrict or monitor or log the actions. | 06-07-2012 |
20120151551 | Method and apparatus for associating data loss protection (DLP) policies with endpoints - A method of policy management in a Data Loss Prevention (DLP) system uses a policy model that associates a user with one or more DLP endpoints. When an endpoint is added to the system, a set of policies for that endpoint are determined using an identity of the user that is associated with the endpoint and a list of roles or groups for that user. At policy distribution time, the method determines a set of endpoints to which the policy is to be distributed. | 06-14-2012 |
20120151552 | DOMAIN-BASED ISOLATION AND ACCESS CONTROL ON DYNAMIC OBJECTS - A technique for performing domain-based access control for granular isolation on a data processing system includes assigning, using the data processing system, one or more first domain tags to a dynamic object that is created by a first process that is executing on the data processing system. The technique also includes assigning, using the data processing system, one or more second domain tags to a second process that is executing on the data processing system. The first and second domain tags are evaluated, using the data processing system, according to one or more enforced rules to determine whether to grant or deny the second process access to data associated with the dynamic object. | 06-14-2012 |
20120151553 | SYSTEM, METHOD, AND APPARATUS FOR DATA COGNITION INCORPORATING AUTONOMOUS SECURITY PROTECTION - A method, apparatus and computer readable medium for data cognition incorporating autonomous security protection including, a data file stored on a storage medium, and having stored instructions for an embedded autonomous executable program which is executed each time there is an attempt to access, control, or manipulate the file, a processor for executing the program, an output device for communicating to a user, where communication is based on the result of executing the program in relation to parameters required for the data file by a data file original creator, and an input device for receiving a response to the communication. The method, apparatus, and computer readable medium autonomously monitor for a state change and analyze the current user to determine if an instantiation should exist. If affirmed, a cognition engine automatically configures a computational environment in which it resides. If denied, environmental behavior is further analyzed for security problems. | 06-14-2012 |
20120151554 | SECURITY ACCESS CONTROL METHOD AND SYSTEM FOR WIRED LOCAL AREA NETWORK - The present invention relates to a security access control method and system for a wired local area network, the method includes the following steps: 1) a requester (REQ) negotiates the security policy with an authentication access controller (AAC); 2) the requester (REQ) and the authentication access controller (AAC) authenticate the identity; 3) the requester (REQ) negotiates the key with the authentication access controller (AAC). The direct identity authentication between the user and the network access control device is realized by the present invention; the negotiation and the dynamic update of the session key for the link layer data protection are realized; a variety of network architectures such as the enterprise network and the telecommunication network are supported; the scalability is good, and multiple authentication methods are supported; authentication protocols with different security levels are supported, and the requirements of the various subscribers are satisfied; the sub-modules of the protocol are independent, flexible, and easy to be accepted or rejected. | 06-14-2012 |
20120151555 | A SCALABLE FIREWALL POLICY MANAGEMENT PLATFORM - Securing large networks having heterogeneous computing resources including provision of multiple services both to clients within and outside of the network, multiple sites, security zones, and other characteristics is provided using access control functionality implemented at hosts within the network. The access control functionality includes respective access control policies for indicating to each host from which other computers it can accept connections. Content of the access control policies can be determined based on application data flow needs, and can draw information from databases including DNS and security zone information for hosts to which the access control policies will be applied. Access control policies can be formatted automatically for different hosts with different characteristics from the same base logical rule set. Other aspects include using more permissive and/or access control rules provided on network equipment to block known bad data, while providing host-based access control focused on application data flow. | 06-14-2012 |
20120151556 | METHOD AND APPARATUS FOR DIGITAL RIGHTS MANAGEMENT POLICIES - Method and apparatus are described wherein, in one example embodiment, there is provided one or more policy templates that may define a set of policy permissions or other attributes that may be desirable to specify in a policy. One or more policy templates may be specified in a user interface of a policy creation and maintenance program that may run on the policy server and/or run on a workstation computer. Each policy template specified by a user may include permissions for how a user may access and use a document. The maintenance program may, in one embodiment, associate both templates to a policy used for a specific unit of digital content, or, for example, an electronic document. The permissions for the policy are determined by aggregating the permissions associated with each respective template chosen by the user. According to another example embodiment, a user selects a policy template and defines one or more additional permissions to form an augmented policy. | 06-14-2012 |
20120159564 | APPLYING ACTIVITY ACTIONS TO FREQUENT ACTIVITIES - Activities of users of a service often involve one or more resources, such as uploading or downloading files in a file system of an FTP server. The activities of the users may be tracked and recorded in an activity log in order to identify frequently performed activities involving particular resources, and for such frequently performed activities, one or more activity actions may be performed. For example, malicious users may upload or utilize an equivalent set of assets stored in several accounts. The frequency of these undesirable activities may be identified, and an activity action may be automatically applied to the users (e.g., banning accounts), resources (e.g., deleting assets), and/or activities (e.g., blocking access to the resources). Conversely, desirable activities involving particular resources may be similarly detected, and the activity action applied to such desirable activities may involve reporting the desirable activity to an administrator of the service. | 06-21-2012 |
20120159565 | Techniques for Performing Data Loss Prevention - A technique for performing data loss prevention includes creating for a user, using a data processing system, respective permissive policies with a most permissive enforcement action for each content category of a resource. In this case, the content category includes at least two categories. The technique also includes forming, using the data processing system, a policy set based on the respective permissive policies. The technique further includes creating, using the data processing system, an effective policy from the policy set using a least permissive enforcement action. Finally, the technique includes applying, using the data processing system, the effective policy to determine whether a user action is permitted on the resource. | 06-21-2012 |
20120159566 | ACCESS CONTROL FRAMEWORK - A system and method for flexible access controls by setting access permissions at the object, element, or subject level. An access control framework (ACF) may be implemented to control access to business objects, business object nodes, business object queries, actions, attributes, associations, instances, or other identifiable elements. The access control configurations for a user or object may be set at the system level with static configuration settings. In an embodiment, a user may temporarily reconfigure access permissions for a subject or object for a limited session with dynamic configuration settings. | 06-21-2012 |
20120159567 | CONTEXTUAL ROLE AWARENESS - The disclosed subject matter relates to an architecture that can provide contextual role awareness. For example, rather than focusing on features and functionality at the device level, features and functionality can be controlled based upon various roles that can be related to various personas of a user. Thus, in a business or enterprise setting, the enterprise can manage a business role in accordance with that enterprise's security objectives, which might dramatically limit certain features for the user. However, the user can quickly switch roles, away from the business role in order to again access desired features, yet without compromising the security objectives of the enterprise. | 06-21-2012 |
20120159568 | Method and Apparatus for Limiting Digital Content Consumption Inside Defined Real-world Geographic Area(s) - A method for limiting digital content consumption inside defined real-world geographic area(s) is disclosed. In one embodiment, the method is realized by adding an additional consumption policy for geographic control to the digital content's metadata, requesting the digital consumption device to acquire and provide its current location, checking the device's current location against the geographic control consumption policy, and displaying the content for consumption if the digital content consumption policy is satisfied. | 06-21-2012 |
20120159569 | METHOD OF MANAGING WEB APPLICATION POLICY USING SMART CARD, AND WEB SERVER AND MOBILE TERMINAL FOR IMPLEMENTING THE SAME - A method of managing policy information in a mobile terminal by requesting an external policy management server for information about whether a change has been made to policy information and updating the policy information in a smart card web server of the mobile terminal to control access to resources based on the updated policy information. | 06-21-2012 |
20120167157 | SYSTEMS AND METHODS FOR SECURE SOFTWARE DEVELOPMENT ENVIRONMENTS - The mock tool can be configured to create a mock execution environment for supporting software development processes. The mock execution environment is isolated from resources of the computing system supporting the mock execution environment and other mock execution environments. Further, the mock execution environment can be created to simulate disabling of any features of the operating system supporting the mock execution environment that could cause problems in the software development process. | 06-28-2012 |
20120167158 | SCOPED RESOURCE AUTHORIZATION POLICIES - Resource authorization policies and resource scopes may be defined separately, thereby decoupling a set of authorization rules from the scope of resources to which those rules apply. In one example, a resource includes anything that can be used in a computing environment (e.g., a file, a device, etc.). A scope describes a set of resources (e.g., all files in folder X, all files labeled “Y”, etc.). Policies describe what can be done with a resource (e.g., “read-only,” “read/write,” “delete, if requestor is a member of the admin group,” etc.). When scopes and policies have been defined, they may be linked, thereby indicating that the policy applies to any resource within the scope. When a request for the resource is made, the request is evaluated against all policies associated with scopes that contain the resource. If the conditions specified in the policies apply, then the request may be granted. | 06-28-2012 |
20120167159 | POLICY-BASED ACCESS TO VIRTUALIZED APPLICATIONS - When a request is received to execute a virtualized application, an application virtualization client component evaluates an execution policy to determine if the application may be executed. If the application virtualization client component determines based on the execution policy that the virtualized application may be executed, the application virtualization client component publishes the virtualized application. The application virtualization client component publishes the application by making the virtualized application available for execution if the application is installed, and installing the virtualized application if it is not installed. The application virtualization client component also evaluates the execution policy during execution of the virtualized application. If the application virtualization client component determines that the execution policy is no longer satisfied, the application virtualization client component unpublishes the virtualized application, thereby preventing execution of the virtualized application. | 06-28-2012 |
20120167160 | ROUTER POLICY SYSTEM - A router policy server may include a policy engine. The policy engine may receive, from a first router, a request for whether to accept or reject routing information received from a second router and determine whether a policy, associated with the second router, allows the second router to advertise the routing information. The policy engine may further instruct the first router to accept the routing information when the policy allows the second router to advertise the routing information and may instruct the first router to reject the routing information when the policy does not allow the second router to advertise the routing information or when no policy exists for the second router in association with the policy engine. | 06-28-2012 |
20120167161 | APPARATUS AND METHOD FOR CONTROLLING SECURITY CONDITION OF GLOBAL NETWORK - An apparatus for controlling a security condition of a global network includes: an information collection and blocking agent configured to detect a suspicious malicious code, generate security condition information from the detected malicious code, and block the malicious code based on security policy information; and a global security information analysis and control server configured to generate the security policy information by analyzing the security condition information generated by the information collection and blocking agent and provide the generated security policy information to the information collection and blocking agent to prevent the malicious code from spreading. | 06-28-2012 |
20120167162 | SECURITY, FRAUD DETECTION, AND FRAUD MITIGATION IN DEVICE-ASSISTED SERVICES SYSTEMS - Secure architectures and methods for improving the security of mobile devices are disclosed. Also disclosed are apparatuses and methods to detect and mitigate fraud in device-assisted services implementations. | 06-28-2012 |
20120167163 | APPARATUS AND METHOD FOR QUANTITATIVELY EVALUATING SECURITY POLICY - An apparatus for quantitatively evaluating security policy includes: a security policy analyzing unit for analyzing a security policy of a network; an evaluation criterion defining unit for defining an evaluation criterion for categorizing security features and evaluating each of the security features; an evaluation result calculating unit for calculating an evaluation result of each of security components based on the evaluation criterion; an indicator calculating unit for grouping the security components according to a security function and calculating an indicator by considering a security function of each group; and a quantitative evaluating unit for evaluating a security policy of each group by using the indicator. | 06-28-2012 |
20120167164 | SYSTEM, METHOD, AND APPARATUS FOR ENCRYPTION KEY COGNITION INCORPORATING AUTONOMOUS SECURITY PROTECTION - A system, method, and apparatus for securing a cognitive encryption key data file stored in a storage medium or memory device. The encryption key file having stored instructions for an embedded autonomous executable program which is executed each time there is an attempt to access, control, or manipulate the encryption key file includes querying a user of the encryption key file, the user environment of the encryption key file, or both, for information required for analyzing a computational environment in relation to required security parameters for the cognitive encryption key file. The information in relation to the security parameters is received and analyzed. The computational environment of the user is determined and analyzed in relation to the required security parameters. Access to and/or use of the encryption key file is either permitted or denied based on the analysis of the user and computational environment. | 06-28-2012 |
20120167165 | LAWFUL INTERCEPTION TARGET APPARATUS, LAWFUL INTERCEPTION APPARATUS, LAWFUL INTERCEPTION SYSTEM AND LAWFUL INTERCEPTION METHOD - A lawful interception apparatus, a lawful interception target apparatus and a lawful interception system are provided. If a lawful interception target apparatus accesses a new communication network which has no lawful interception authority, the lawful interception apparatus receives intercept activation information from the lawful interception target apparatus through a communication network which has a lawful interception authority. The lawful interception apparatus performs seamless lawful interception on the lawful interception target apparatus by use of the received intercept activation information. | 06-28-2012 |
20120167166 | SYSTEM, METHOD, AND COMPUTER PROGRAM PRODUCT FOR ENABLING COMMUNICATION BETWEEN SECURITY SYSTEMS - A system, method, and computer program product are provided for enabling communication between security systems. In use, a first communication protocol of a first security system and a second communication protocol of a second security system are identified, where the first communication protocol and the second communication protocol are different such that the first security system and the second security system are incapable of communicating therebetween. Further, the first security system is updated with a first security definition and/or the second security system is updated with a second security definition for enabling communication between the first security system and the second security system. | 06-28-2012 |
20120167167 | ENABLING GRANULAR DISCRETIONARY ACCESS CONTROL FOR DATA STORED IN A CLOUD COMPUTING ENVIRONMENT - Enabling discretionary data access control in a cloud computing environment can begin with the obtainment of a data request and response message by an access manager service. The response message can be generated by a data storage service in response to the data request. The access manager service can identify owner-specified access rules and/or access exceptions applicable to the data request. An access response can be determined using the applicable owner-specified access rules and/or access exceptions. Both the response message and the access response can indicate the allowance or denial of access to the requested data artifact. The access response can be compared to the response message. If the access response does not match the response message, the response message can be overridden to express the access response. If the access response matches the response message, the response message can be conveyed to the originating entity of the data request. | 06-28-2012 |
20120167168 | Method and System for Authentication Event Security Policy Generation - A method and system allows for the deployment of security policies into the higher layers of the OSI model. Specifically, it allows for the establishment of security policies at layer 4 and higher, by monitoring authentication flows and using these flows as the basis for establishing security policies which then can be used as a basis for assessing the operation of the network. | 06-28-2012 |
20120174180 | AUTHORIZATIONS FOR ANALYTICAL REPORTS - A system may include reception of a request from a user to start a report associated with a node of a business object model, where the node of the business object model is associated with an access control list associating instances of the node with at least one access context restriction, determination of a first access context restriction associated with the user, retrieval of the at least one instance of the node based on the first access context restriction and on the access control list associated with the node, and presentation of an instance of the report to the user, the instance of the report populated with the at least one instance. | 07-05-2012 |
20120174181 | Method and Apparatus to Create and Manage a Differentiated Security Framework for Content Oriented Networks - A network component comprising a receiver configured to receive a signed content item and an associated security information from a publisher, wherein the security information indicates which group from a plurality of groups is allowed to access the signed content item, a storage unit configured to cache the content item and the associated security information, a processor to implement procedures to enforce security policies defined by the security information, and a transmitter configured to send the signed content item from the cache to a subscriber when the subscriber is a member of a group indicated by the security information as authorized to access the signed content item. | 07-05-2012 |
20120174182 | NETWORKED PHYSICAL SECURITY ACCESS CONTROL SYSTEM AND METHOD - A distributed networked physical security access control system for controlling a plurality of security access devices includes access server appliances in communication with a primary network. At least one access server appliance includes an appliance management module accessible through a web browser in communication with the primary network. The appliance management module configures the access server appliances to a user specified security configuration. The access server appliances are in peer-to-peer communication on the primary network to bridge the access server appliances for providing consistency in each of the access server appliances. | 07-05-2012 |
20120174183 | SYSTEM FOR MANAGING PROPRIETARY DATA | 07-05-2012 |
20120174184 | Method and Apparatus for Enabling Enhanced Control of Traffic Propagation Through a Network Firewall - A distributed firewall system is used to implement a network firewall with enhanced control over network traffic to allow policy to be implemented on a per-user basis, a per-application basis, a per-user and application basis, and to allow ports to be dynamically opened and closed as needed by the applications. The distributed firewall system may include application identifiers associated with applications running on a network element, one or more firewall agents instantiated on the network element hosting the applications, and a firewall configured to interface with the firewall agents. Communications between the distributed components are secured to allow the firewall to detect if an agent has been compromised, and to allow the firewall agent to determine if the application has been compromised. The distributed firewall system may work in a VPN environment, such as in connection with a VPN server, to implement firewall policy at the point where VPN traffic enters the protected network. | 07-05-2012 |
20120174185 | GENERALIZED IDENTITY MEDIATION AND PROPAGATION - Provided are techniques for providing security in a computing system with identity mediation policies that are enterprise service bus (ESB) independent. A mediator component performs service-level operations such as message brokering, identity mediation, and transformation to enhance interoperability among service consumers and service providers. A mediator component may also delegate identity related operations to a token service or handler. Identity mediation may include such operations as identity determination, or “identification,” authentication, authorization, identity transformation and security audit. | 07-05-2012 |
20120174186 | Policy Based Capture with Replay to Virtual Machine - A suspicious activity capture system can comprise a tap configured to copy network data from a communication network, and a controller. The controller is coupled to the tap and is configured to receive the copy of the network data from the tap, analyze the copy of the network data to flag the network data as suspicious, and simulate transmission of the network data to a destination device. | 07-05-2012 |
20120180103 | Garage management system - A garage management and monitoring system defines and manages each operational event in a parking facility. Access events, management events, equipment operation events, equipment malfunction events, security events and defined anomaly events are labeled and parsed into a relational database, which is used for generating reports, creating logs, making management decisions, reconstructing accidents, and so on. The equipment includes a computer terminal, a reader, an identifying item or code capable of being read by the reader to control access to the facility, an IP camera, and a garage door or vehicle gate with safety sensors. Each defined event can be codified on the server and/or local controller to create an event library that is downloaded to the controller. | 07-12-2012 |
20120180104 | METHOD OF GENERATING SECURITY RULE-SET AND SYSTEM THEREOF - There are provided a method of automated generation of a security rule-set and a system thereof. The method comprises: obtaining a group of log records of communication events resulting from traffic related to the security gateway; generating a preliminary rule-set of permissive rules, said set covering the obtained group of log records; generating, with the help of mapping the generated preliminary rule-set to the obtained group of log records, a rule-set of non-overlapping rules covering the group of log records; and generating an operational rule-set by processing the generated rule-set of non-overlapping rules, said processing including mapping the generated rule-set of non-overlapping rules to the obtained group of log records. | 07-12-2012 |
20120180105 | SYSTEMS, METHODS, AND APPARATUS FOR FACILITATING CLIENT-SIDE DIGITAL RIGHTS COMPLIANCE - According to one aspect there is provided a method and an apparatus for facilitating intellectual property rights compliance that is compliant with a same-origin security policy that prohibits the application from executing application-specific instructions from the first domain that access application-specific instructions from the second domain. The method includes receiving a structured document from a first domain, the structured document having at least one content object, a reference to at least one digital rights compliance (DRC) object located on a second domain and associated with the at least one content object, and application-specific instructions being executable by the application. The at least one DRC object is defined in a non-executable format and contains information indicative of rights associated with the at least one content. | 07-12-2012 |
20120180106 | TRUSTED QUERY NETWORK SYSTEMS AND METHODS - Systems and methods are disclosed with which queries can be sent to various clients of a trusted query network in a trusted query network message. In one embodiment, each registered client receives the message and determines whether or not it will participate in the query. If so, the client adds to the message in a first data round a true response to the query and obfuscation data, and then forwards the message on to the next client (or back to the client that initiated the query if each client has added its data to the message). In a second round, the message is again sent to each participating client, which this time removes its obfuscation data. Once each client has removed its obfuscation data, a final result is obtained that can be sent to each of the clients. | 07-12-2012 |
20120185910 | METHOD AND APPARATUS FOR ADJUSTING CONTEXT-BASED FACTORS FOR SELECTING A SECURITY POLICY - An approach is provided for selecting a security policy. A security policy manager determines one or more factors for adjusting a safety score associated with a device. The safety score is based, at least in part, on a context associated with the device. The security policy manager then processes and/or facilitates a processing of the one or more factors and the safety score to calculate an adjusted safety score, and determines to select a security policy based, at least in part, on the adjusted safety score. | 07-19-2012 |
20120185911 | MLWEB: A MULTILEVEL WEB APPLICATION FRAMEWORK - A method of transferring data from a server via a web application by receiving a request from a user operating in a disparate security domain for data on a data store. Generating a labeled view of the data requested from the data store, wherein the label-data relationship can be trusted at a level commensurate to the trust level of the operating system. Next, determining if the data is authorized by a security policy with a policy design engine; and then transmitting the data to the user if the data is authorized. Data can also be transferred by receiving a data flow from the user for writing to the data store. Next, the data flow can be inspected for disallowed content, and a determination is made if the data flow is authorized. If the data flow is authorized, mediating the data flow between the user and the data store with a trusted monitor. | 07-19-2012 |
20120185912 | SYSTEM AND METHOD FOR GRANTING AUTHORIZATION OF APPLICATION IN WIRELESS COMMUNICATION SYSTEM - A system and a method for granting authorization of an application in a wireless communication system. A method for being assigned authorization of an application in a mobile station includes, when an application is installed, transmitting permission request information for at least one authorization required by the application to a server; when receiving a response message from the server, identifying authorization assigned to the application in the response message; and controlling the application using the assigned authorization. | 07-19-2012 |
20120185913 | SYSTEM AND METHOD FOR A CLOUD COMPUTING ABSTRACTION LAYER WITH SECURITY ZONE FACILITIES - In embodiments of the present invention improved capabilities are described for a virtualization environment adapted for development and deployment of at least one software workload, the virtualization environment having a metamodel framework that allows the association of a policy to the software workload upon development of the workload that is applied upon deployment of the software workload. This allows a developer to define a security zone and to apply at least one type of security policy with respect to the security zone including the type of security zone policy in the metamodel framework such that the type of security zone policy can be associated with the software workload upon development of the software workload, and if the type of security zone policy is associated with the software workload, automatically applying the security policy to the software workload when the software workload is deployed within the security zone. | 07-19-2012 |
20120185914 | IMPLEMENTING NETWORK TRAFFIC MANAGEMENT FOR VIRTUAL AND PHYSICAL MACHINES - A virtualization framework provides security between multiple virtual machines with respect to network communications between the virtual machines and between the virtual machines and a physical network coupled to the underlying physical computer platform. The virtualization framework includes a network interface controller driver that provides an interface to the platform network interface controller and supports execution of a plurality of virtual machines. Each virtual machine includes a virtual network interface controller that provides a network communications path between the virtual machines and to the network interface controller driver. Each virtual network interface controller further contains a programmable network packet filter that controls the selective transfer of network packets with respect to a corresponding virtual machine. | 07-19-2012 |
20120185915 | SECURE ENTERPRISE NETWORK - A method and system enables transparent authentication and transparent policy enforcement in a fabric of a network. In an exemplary embodiment thereof, a packet stream sent from a network host to a network resource is received at a security system. The security system identifies an authentication exchange packet in the packet stream and determines, using the authentication exchange packet and a directory service, a user identity associated with the packet stream and whether the identified user has authorization to access the network resource. A network policy is created that defines whether the user has access to the network resource. | 07-19-2012 |
20120192246 | METHOD AND SYSTEM FOR MAPPING BETWEEN CONNECTIVITY REQUESTS AND A SECURITY RULE SET - A system capable of automated mapping between a connectivity request and an ordered security rule-set and a method of operating thereof. The system includes an interface operable to obtain data characterizing at least one connectivity request; a module for automatically recognizing at least one rule within the rule-set, the rule controlling traffic requested in the at least one connectivity request, wherein the recognizing is provided by comparing a set of combinations specified in the connectivity request with a set of combinations specified in the rule and matching connectivity-related actions specified in the connectivity request; a module for automatically evaluating the relationship between traffic controlled by the recognized at least one rule and traffic requested in the at least one connectivity request; and a module for automatically classifying, in accordance with evaluation results, the at least one connectivity request with respect to the at least one rule and/or vice versa. | 07-26-2012 |
20120192247 | METHOD AND APPARATUS FOR PROVIDING DATA BASED ON GRANULARITY INFORMATION - An approach is provided for providing data based on granularity information. The policy platform determines to act on a request, from an application or a service, for data associated with a device, a user of the device or a combination thereof. Next, the policy platform determines a granularity level for the data based, at least in part, on at least one privacy policy associated with the data, the application, the service, the device, the user of the device or a combination thereof. Then, the policy platform processes and/or facilitates a processing of the data to generate transformed data based, at least in part, on the granularity level. | 07-26-2012 |
20120192248 | PROTECTING SCREEN INFORMATION - A method, computer program product, and system for protecting screen information is described. A method may comprise determining, via a computing device, if there is a screen protection rule, the screen protection rule based upon, at least in part, at least one of an application rule for protecting a portion of a screen region, and a process rule for protecting the portion of the screen region. The method may further comprise modifying, via the computing device, the portion of the screen region based upon, at least in part, at least one of the application rule, and the process rule. | 07-26-2012 |
20120198511 | WEB SERVICE SECURITY COCKPIT - A first configuration object identifies attributes of a configuration of a first web service. Security setting data is identified defining security setting rules for the computing system. The failure of the first attribute to satisfy at least one security setting rule is determined. A second configuration object is identified that identifies attributes of a configuration of a second web service. The failure of the second attribute to satisfy at least one security setting rule is determined. A service security cockpit is presented identifying that configurations of at least the first and second web services are unsecure, based at least in part on the determination that the first and second attributes fail to satisfy security setting rules. User input is received, through the cockpit, identifying a resolution action directed to resolve the first attribute failing to satisfy at least one security setting rule. The identified resolution action is then initiated. | 08-02-2012 |
20120198512 | SYSTEM AND METHOD FOR COMBINING AN ACCESS CONTROL SYSTEM WITH A TRAFFIC MANAGEMENT SYSTEM - A system and method for handling a request from a client device to access a service from a server. The method comprises receiving a request from a user using a client device to access a service from a server. The request is received by a network traffic management device having a local external access management (EAM) agent. The EAM agent directly communicates with an EAM server that provides authentication policy information of a plurality of users able to at least partially access the server. User credential information is sent from the EAM agent to the EAM server, whereby the EAM agent receives access policy information of the user from the EAM server. The system and method selectively controls access of the user's request to the server in accordance with the received access policy information at the network traffic management device. | 08-02-2012 |
20120198513 | SECURE SOCIAL WEB ORCHESTRATION VIA A SECURITY MODEL - A method includes receiving, by a first computer, input from a first user. The method further includes creating, by the first computer, a hierarchical class tree implementing security profiles based on the input from the user. The hierarchical class tree identifies data, actions, and behaviors pertaining to content, and the security profiles restrict access and use of that user's content. The method also includes transmitting, by the first computer, a portion of the hierarchical class tree to a second computer. | 08-02-2012 |
20120198514 | Methods and Apparatuses for User-Verifiable Trusted Path in the Presence of Malware - An apparatus and method for establishing a trusted path between a user interface and a trusted executable, wherein the trusted path includes a hypervisor and a driver shim. The method includes measuring an identity of the hypervisor; comparing the measurement of the identity of the hypervisor with a policy for the hypervisor; measuring an identity of the driver shim; comparing the measurement of the identity of the driver shim with a policy for the driver shim; measuring an identity of the user interface; comparing the measurement of the identity of the user interface with a policy for the user interface; and providing a human-perceptible indication of whether the identity of the hypervisor, the identity of the driver shim, and the identity of the user interface correspond with the policy for the hypervisor, the policy for the driver shim, and the policy for the user interface, respectively. | 08-02-2012 |
20120198515 | FLEXIBLY ASSIGNING SECURITY CONFIGURATIONS TO APPLICATIONS - A method, system, and computer usable program product for flexibly assigning security configurations to applications are provided in the illustrative embodiments. An embodiment determines, forming a first determination, whether a first identifier identifying the application is mapped to the security configuration. The embodiment determines, forming a second determination, whether the application participates in a group by determining whether a second identifier identifying the group is mapped to the security configuration. The embodiment assigns, forming a first assignment, the security configuration to the application if either of the first and the second determinations is true. The embodiment assigns, forming a second assignment, the security configuration to the application using a determination by a first policy if the first and the second determinations are false. | 08-02-2012 |
20120198516 | Inspecting Code and Reducing Code Size Associated to a Target - Code is associated to a target based on an inspection of the code. A target may be a device or a user. A number of code components may be inspected at one time and then transferred or otherwise associated to a target based on the target's profile. A code component may be a policy of an information management system. | 08-02-2012 |
20120198517 | RULE-BASED CONTENT HANDLING - An embodiment of a method includes receiving a content request including a first set of attribute values, using at least one of the attribute values from the first set of attribute values to determine a second set of attribute values, traversing a hierarchy of decision nodes, wherein each decision node implements business logic based on one of the attribute values from the first set of attribute values or the second set of attribute values, and generating a decision from a last node in the hierarchy, wherein the decision dictates how to respond to the content request. | 08-02-2012 |
20120204219 | METHOD AND SYSTEM FOR PROVIDING NETWORK SECURITY SERVICES IN A MULTI-TENANCY FORMAT - An approach is provided for performing cloud based computer network security services. Security policies are established for each of a number of subscribers. The subscribers are provided access to the security services via a common network cloud managed by the service provider. The security services are administered according to a multi-tenancy format, which enables the subscribers' data communications to be separately processed. The security services include network firewalling and filtering of content originating from or destined to one or more networks associated with the subscribers. | 08-09-2012 |
20120204220 | METHOD OF ANALYZING SECURITY RULESET AND SYSTEM THEREOF - There are provided a rule-set analyzer and a method of analyzing an ordered security rule-set comprising a plurality of rules comprising N≧1 extrinsic rule-fields. The method comprises: upon specifying an extrinsic space constituted by atomic elements corresponding to the values characterizing an extrinsic rule-field, partitioning said specified extrinsic space into two or more equivalence classes, wherein each atomic element in said extrinsic space belongs to one and only one equivalence class; mapping said equivalence classes over the rule-set; and generating a logically equivalent security rule-set, wherein respective rules comprise N−1 extrinsic rule-fields. | 08-09-2012 |
20120204221 | METHOD FOR MANAGING ACCESS TO PROTECTED RESOURCES IN A COMPUTER NETWORK, PHYSICAL ENTITIES AND COMPUTER PROGRAMS THEREFOR - A method carried out by a controller is disclosed. The method includes receiving (s | 08-09-2012 |
20120204222 | PRIVACY POLICY MANAGEMENT METHOD FOR A USER DEVICE - An arrangement for enabling users to set and modify privacy policies is described. User attributes and existing privacy policies are used to determine the similarity between users. On this basis, the nearest-neighbours to a particular user are determined. When a user is required or wishes to provide or modify a policy, the policies of those nearest neighbours are used to recommend a privacy policy to the user. | 08-09-2012 |
20120210387 | Airport Security System - A method, apparatus, and system for managing network security at an airport. A threat level for the airport is identified. In response to identifying the threat level, a number of policies for a network data processing system at the airport is identified based on that threat level. Enforcement of the number of policies is initiated in the network data processing system. | 08-16-2012 |
20120210388 | SYSTEM AND METHOD FOR DETECTING OR PREVENTING DATA LEAKAGE USING BEHAVIOR PROFILING - Various embodiments provide systems and methods for preventing or detecting data leakage. For example, systems and methods may prevent or detect data leakage by profiling the behavior of computer users, computer programs, or computer systems. Systems and methods may use a behavior model in monitoring or verifying computer activity executed by a particular computer user, group of computer users, computer program, group of computer programs, computer system, or group of computer systems, and detect or prevent the computer activity when such computer activity deviates from standard behavior. Depending on the embodiment, standard behavior may be established on past computer activity executed by the computer user, or past computer activity executed by a group of computer users. | 08-16-2012 |
20120210389 | AUTOMATIC SECURITY ACTION INVOCATION FOR MOBILE COMMUNICATIONS DEVICE - In one embodiment, there is provided a mobile communications device comprising: a processor; a communications subsystem operable to exchange signals with a wireless network; a storage element having application modules and data stored thereon, the data comprising at least user application data associated with the application modules and service data including data for establishing communications with the wireless network; and a security module operable to detect policy messages received by the device, and to perform a security action if a first policy message to enforce a first data protection policy is received and a subsequent policy message to enforce a second data protection policy is not received within a predetermined duration from the time at which the first policy message is received; wherein the security action comprises erasing or encrypting at least some of the data on the storage element. | 08-16-2012 |
20120210390 | Extensible and Programmable Multi-Tenant Service Architecture - An extensible, multi-tenant software-as-a-service business application platform is provided for hosting multiple organizations. Organization services are provided by virtual or physical servers with dedicated data stores assembled in scalable groups. Distributed interaction between components of the scalable groups may enable extensibility and reliability, while changes in locations of organization services are provided to the client(s) for seamless continuation of the client's access to the services. Customizable and dynamic APIs for accessing each organization's data and applications isolated from the others and pluggable third party authentication services may also be integrated into the platform. | 08-16-2012 |
20120210391 | Automated Device Provisioning and Activation - Various embodiments are disclosed for a services policy communication system and method. In some embodiments, a communications device stores a set of device credentials for activating the communications device for a service on a network; and sends an access request to the network, the access request including the set of device credentials. | 08-16-2012 |
20120210392 | ACCESS METHOD AND ACCESS DEVICE - An access method and an access device are provided in the invention, and the method includes the step of: an Authentication, Authorization and Accounting (AAA) server sending indication information to a Wireless Local Area Network Access Network (WLAN AN), wherein the indication information is used for indicating that the WLAN AN determines the direct accessing by a user equipment to the Internet without passing through an Evolved Packet Core (EPC) network. The user experience can be improved by the invention. | 08-16-2012 |
20120216239 | Integration of network admission control functions in network access devices - In one embodiment, a method includes receiving a communication from an endpoint device at a network access device located within a data path between the endpoint device and a network, identifying a network admission control policy for the endpoint device, enforcing, at the network access device, the network admission control policy for traffic received from the endpoint device, and forwarding, at the network access device, traffic from the endpoint device to the network in accordance with the network admission control policy. An apparatus is also disclosed. | 08-23-2012 |
20120216240 | PROVIDING DATA SECURITY THROUGH DECLARATIVE MODELING OF QUERIES - Data security is implemented through a query based policy constraining a primary table. Nested tables inherit the security policy by implementing the policy queries of the primary table. Operations on nested tables such as join actions execute the security policy queries once due to inheritance from the primary table therefore optimizing query modeling. A security policy may respond to a context or a role by executing queries responsive to the context. | 08-23-2012 |
20120216241 | METHODS, CIRCUITS, APPARATUS, SYSTEMS AND ASSOCIATED SOFTWARE APPLICATIONS FOR PROVIDING SECURITY ON ONE OR MORE SERVERS, INCLUDING VIRTUAL SERVERS - Disclosed are methods, circuits, apparatus, systems and associated software applications for providing security on one or more servers, including virtual servers. A server operating system may include or be otherwise functionally associated with a firewall application, which firewall application may regulate IP port access to resources on the server. A port-tending agent or application (PorTender) running on the server, or on a functionally associated computing platform, may monitor and regulate server port status (e.g. opened, closed, and conditionally opened). The PorTender may initiate and engage in communication sessions with a policy server, from which policy server the PorTender may receive port, user and security policies and/or settings. | 08-23-2012 |
20120216242 | Systems and Methods for Enhanced Security in Wireless Communication - A communication system having a policy server coupled to a communications network for managing secure communication with and among end instruments (EI). The EI comprises a memory, and a processor coupled to the memory with processor-executable instructions, including instructions for an operating system kernel; and instructions for a protection core that monitors operations of the operating system kernel in accordance with a security policy for the EI. Security policies can intercept calls to an operating system kernel and, for each call, determine whether the call is allowed under the security policy(ies). Policies are stored in a policy library and transmitted to an EI over a wireless communication network. | 08-23-2012 |
20120216243 | ACTIVE POLICY ENFORCEMENT - A method and apparatus is provided that includes techniques for providing complete solutions for role-based, rules-driven active policy enforcement. An embodiment addresses blended risk assessment and security across logical systems, IT applications, databases, physical systems, and operational systems in the context of threat and fraud detection, risk analysis and remediation, compliance checks and continuous monitoring. Further, an embodiment provides the ability to embed and enforce active policy enforcement in particular processes. | 08-23-2012 |
20120216244 | SYSTEM AND METHOD FOR APPLICATION ATTESTATION - An instrumented machine or platform having a target application thereon is disclosed. An attestation service may generate an application artifact having associated therewith a name and an application statement having at least one of a plurality of attribute value assertions describing the examined runtime local execution and introspection based derived security context. The application statements may represent the level of contextual trustworthiness, at near real time, of a running application on the instrumented target platform. A runtime process and network monitor may examine the local runtime execution context of the target application, and an identity provider may authenticate a user to the web application based on a web services query for attestation of the target application. A physical or logical authorization service may control access of an authenticated user to the target application, based on a dynamic application statement and multi-factor application attestation issued by the attestation service. | 08-23-2012 |
20120216245 | METHOD AND APPARATUS FOR EDITING, FILTERING, RANKING AND APPROVING CONTENT - The system provides a method and apparatus for editing, filtering, ranking and approving content. In one embodiment, the system provides a browsing environment for children that routes all internet requests through a central server. A request to a blocked website is automatically forwarded to one of a plurality of editors who can then access the site and determine on a page or site basis as to whether the request is suitable for the browsing environment. The system includes a workflow management system that determines which of the plurality of editors will be assigned a link to review. Approved content is categorized by the age and gender of the users of the content. The approved content is also categorized as a resource or reference to assist in accomplishing homework assignments. Parents can receive updates and can manage the content remotely. | 08-23-2012 |
20120216246 | PARAMETRIC CONTENT CONTROL IN A NETWORK SECURITY SYSTEM - A security system provides a defense from known and unknown viruses, worms, spyware, hackers, and social engineering attacks. The system can implement centralized policies that allow an administrator to approve, block, quarantine, or log file activities. The system can provide and update a security value that causes host computers to change security levels for a number of different policies. The policies are grouped into a master set of policies and options which are propagated to the hosts from a centralized server. The security value is stored on the hosts and the server, and changes of the value on the server are propagated to the hosts. | 08-23-2012 |
20120216247 | Access control in data processing system - A policy data structure defines predetermined authorizations, each relating to authorization of at least one user to access at least one resource as well as to dynamic access requests. Each dynamic access request indicates a condition to be satisfied by a respective set of attributes associated with a user request to access a resource and for the request to be granted in absence of an authorization determinative of the request. If the structure does not define an authorization for a request to access a resource, it is determined whether the structure defines a dynamic access requirement determinative for the request, and if so, whether to grant the request in accordance with the respective set of attributes associated with the request. For at least one request, after determining whether to grant the request, a dynamic authorization relating to authorization to access the resource within the request is added to the structure. | 08-23-2012 |
20120216248 | ADJUSTING FILTER OR CLASSIFICATION CONTROL SETTINGS - Methods and systems for managing data communications are described. The method includes receiving a data communication; analyzing the data communication to determine a particular type of sender or recipient activity associated with the data communication based at least in part on an application of a plurality of tests to the data communication; assigning a total risk level to the data communication based at least in part on one or more risks associated with the particular type of sender or recipient activity and a tolerance for each of the one or more risks; comparing the total risk level assigned to the data communication with a maximum total acceptable level of risk; and allowing the data communication to be delivered to a recipient in response to the comparison indicating that the total risk level assigned to the data communication does not exceed the maximum total acceptable level of risk. | 08-23-2012 |
20120216249 | Enhanced Media Control - An enhanced mechanism for conflict resolution between authorized services in respect of selective authorization criteria, such as service incompatibilities, subscribed bandwidth QoS assigned per subscriber and pre-emption priority value assigned per service. The present invention allows the authorization of a subsequent service as a result of applying a selective authorization criterion for the subscriber at a policy control rules server to determine those previously authorized services to be put on hold, notifying the application devices handling such services that said previously authorized services are on hold, and inactivating at a policy enforcement device those control rules applicable to the media associated with said previously authorized services. In addition, the method as well as the policy control rules server, the application devices and the policy enforcement device may also be arranged for re-activating said previously authorized services still on hold when the reason for being on hold has ceased. | 08-23-2012 |
20120222083 | METHOD AND APPARATUS FOR ENFORCING DATA PRIVACY - An approach for maintaining user privacy information is described. A privacy management platform determines a request, from one or more applications, for access to local data associated with a device. The platform then determines and processes one or more privacy profile objects associated with the local data to determine one or more privacy policies associated with the local data, the device, or a combination thereof. Enforcement of the one or more privacy policies is then caused for granting access to the local data. | 08-30-2012 |
20120222084 | Virtual Security Zones for Data Processing Environments - A method, apparatus, and computer program product for providing security and network isolation for service instances comprising data processing resources provided as a service by a provider of data processing resources. Individual service instances may be associated as members of one or more security zones. The security zones comprise security policies that define access of each service instance that is a member of a security zone. | 08-30-2012 |
20120222085 | METHOD AND SYSTEM FOR TRUSTED CONTEXTUAL COMMUNICATIONS - A method, system and apparatus for allowing media context sensitive SIP signaling exchange and call establishment while denying or challenging any other session description protocol extension dialogs which might not be desired by a user. User client media policy preferences are defined, the user media policy preferences establishing the parameters for evaluating a media session request received by a user client. The user client media policy preferences are provided to a policy enforcement point device, the policy enforcement point device evaluating the media session request received by the user client and applying the user client media policy preferences to the media session request. A user client portal is utilized to gain access to a media policy database, the media policy database providing storage for user client media policy preferences. | 08-30-2012 |
20120222086 | SYSTEM AND METHOD FOR DYNAMIC SECURITY PROVISIONING OF COMPUTING RESOURCES - The present invention facilitates the dynamic provisioning of computing and data assets in a commodity computing environment. The invention provides a system and method for dynamically provisioning and de-provisioning computing resources based on multi-dimensional decision criteria. By employing specialized computing components configured to assess an asset and requester of an asset, a provisioning engine is able to transform the input from the computing components into a specific configuration of computing resource provisioning and security controls. According to the rules and policies applying to a security domain, the provisioning engine may dynamically allocate computing resources in a manner that is both safe and efficient for the asset. | 08-30-2012 |
20120222087 | APPLICATION BASED INTRUSION DETECTION - Intrusion detection is performed by communicating an initialization request from an intrusion detection system enabled application to an intrusion module to begin intrusion detection. Also, a request is communicated to a policy transfer agent to provide an intrusion detection system policy specifically configured for the application. The application identifies where in the application code the intrusion detection system policy is to be checked against an incoming or outgoing communication. Information obtained by the application program is selectively evaluated against information in the intrusion detection system policy. A conditional response is made based upon information in the intrusion detection system policy if an intrusion associated with the application program is detected. | 08-30-2012 |
20120227081 | WEB USER AGENT BASED INSPECTION - Among other things, one or more systems and/or techniques for web user agent based inspection are provided herein. In particular, content provided by a user (e.g., to a server) may be processed using one or more web user agents (e.g., web browsers). The processing may involve opening and/or interpreting content provided by the user with one or more web user agents. Based on the processing, one or more profiles for the website may be created (e.g., for respective web user agents). Respective profiles may be evaluated based on one or more policies (e.g., for respective web user agents), and a determination may be made (e.g., to perform and/or not perform an action) based on the evaluation (e.g., allow a comment to be posted (or not) to a blog). | 09-06-2012 |
20120227082 | IDENTITY MEDIATION IN ENTERPRISE SERVICE BUS - A method for identity mediation in an enterprise service bus is provided in the illustrative embodiments. A security information is received at the enterprise service bus from a first application executing in a first data processing system. The security information is a part of a request for service from a second application executing in a second data processing system. A part of the security information is identified to be transformed such that the part upon transformation is usable for handling the request by the second application. A security policy applicable to the identified part is selected and the identified part is transformed according to the security policy. The transforming results in a transformed security information. The transformed security information is sent to the second application. | 09-06-2012 |
20120227083 | Dynamically Constructed Capability for Enforcing Object Access Order - Proposed is a Capability Management System (CMS) in a distributed computing environment that controls access to multiple objects by multiple subjects based upon a specified access order. A capability is dynamically constructed when the capability is needed. After the capability is used to access an object, a new capability is generated. In the alternative, multiple capabilities for enforcing an access order are generated independently of each other. The new capability is then employed by the same or another subject to access the object according to a prescribed access sequence. In this manner, at any particular time there is one capability valid to access the object by the appropriate subject. In addition, the capability includes information for verifying the authenticity of the capability and for specifying an expiration time associated with the capability. The technology may also be enhanced by providing a linkage between capabilities intended for use in a sequence. | 09-06-2012 |
20120233656 | Methods, Systems and Devices for the Detection and Prevention of Malware Within a Network - Methods, systems and devices examine data flows in a communication system control network for known malware threats and suspicious properties typically associated with malware threats. A policy management system inside the control network accesses a user repository and a charging network, and performs pattern matching and/or observed behavior detection methods to determine if the data flows carry content (e.g., malware) that poses a security risk to network or wireless devices. The policy management system generates policy rules based on user preferences and risk-level. The policy management system sends the generated policy rules to a gateway/PCEF, which blocks the data flows, allows the data flows, or restricts the data flow based on the policy rules. | 09-13-2012 |
20120233657 | Method And Apparatus For Network Access Control - A method and apparatus for network access control includes an apparatus for granting a computing device access to a network, the apparatus having a plurality of substantially similar access devices, wherein each access device comprises a status-determination module to determine an access status based at least in part on whether the computing device is compliant with an access policy, an access-grant module configured for receiving an access status corresponding to the computing device from one or more of the access devices, and granting the computing device access to the network according to at least one of the access status determined by the status-determination module or the received access status. | 09-13-2012 |
20120240181 | TECHNIQUES FOR SECURING A CHECKED-OUT VIRTUAL MACHINE IN A VIRTUAL DESKTOP INFRASTRUCTURE - Techniques for securing checked-out virtual machines in a virtual desktop infrastructure (VDI) are disclosed. In one particular exemplary embodiment, the techniques may be realized as a method for securing a checked-out guest virtual machine including receiving a request for checking-out a guest virtual machine hosted by a server network element, wherein checking-out the guest virtual machine comprises transferring hosting of the guest virtual machine from the server network element to a client network element. The method for securing a checked-out guest virtual machine may also include configuring a security module for the guest virtual machine in order to secure the guest virtual machine and providing the security module to the guest virtual machine when the guest virtual machine is checked-out. | 09-20-2012 |
20120240182 | SECURITY ENFORCEMENT IN VIRTUALIZED SYSTEMS - A system includes a virtual machine (VM) server and a policy engine server. The VM server includes two or more guest operating systems and an agent. The agent is configured to collect information from the two or more guest operating systems. The policy engine server is configured to: receive the information from the agent; generate access control information for a first guest OS, of the two or more guest operating systems, based on the information; and configure an enforcer based on the access control information. | 09-20-2012 |
20120240183 | CLOUD BASED MOBILE DEVICE SECURITY AND POLICY ENFORCEMENT - The present disclosure relates to cloud based mobile device security and policy systems and methods to use the “cloud” to pervasively enforce security and policy on mobile devices. The cloud based mobile device security and policy systems and methods provide uniformity in securing mobile devices for small to large organizations. The cloud based mobile device security and policy systems and methods may enforce one or more policies for users wherever and whenever the users are connected across a plurality of different devices including mobile devices. This solution ensures protection across different types, brands, operating systems, etc. for smartphones, tablets, netbooks, mobile computers, and the like. | 09-20-2012 |
20120240184 | SYSTEM AND METHOD FOR ON THE FLY PROTOCOL CONVERSION IN OBTAINING POLICY ENFORCEMENT INFORMATION - A system, machine readable medium and method for utilizing protocol conversions in policy changing enforcement is disclosed. A message, in a first protocol, is received from a network gateway device including identifying information unique to a client attempting to access a resource from a server. The message is processed using one or more portions of the client identifying information as a unique key identifier. A policy access request is generated, in a second protocol, and includes at least the unique key identifier. The policy access request is sent to a policy server, wherein the policy server is configured to provide policy enforcement information of the client associated with the policy access request. The policy enforcement information is received and one or more policies from the policy enforcement information are enforced to network traffic between the client and the server. | 09-20-2012 |
20120240185 | SYSTEMS AND METHODS FOR PROCESSING DATA FLOWS - A flow processing facility, which uses a set of artificial neurons for pattern recognition, such as a self-organizing map, in order to provide security and protection to a computer or computer system supports unified threat management based at least in part on patterns relevant to a variety of types of threats that relate to computer systems, including computer networks. Flow processing for switching, security, and other network applications, including a facility that processes a data flow to address patterns relevant to a variety of conditions are directed at internal network security, virtualization, and web connection security. A flow processing facility for inspecting payloads of network traffic packets detects security threats and intrusions across accessible layers of the IP-stack by applying content matching and behavioral anomaly detection techniques based on regular expression matching and self-organizing maps. Exposing threats and intrusions within packet payload at or near real-time rates enhances network security from both external and internal sources while ensuring security policy is rigorously applied to data and system resources. Intrusion Detection and Protection (IDP) is provided by a flow processing facility that processes a data flow to address patterns relevant to a variety of types of network and data integrity threats that relate to computer systems, including computer networks. | 09-20-2012 |
20120240186 | SOC-BASED DEVICE FOR PACKET FILTERING AND PACKET FILTERING METHOD THEREOF - Provided is a device including a chip that includes a first storage unit that stores a rule DB for packet filtering, and a firewall engine that allows or blocks transmission of a packet by applying the rule DB; and a rule converter that receives a rule for packet filtering from a user and converts the rule into a format to store the rule in a rule list, wherein the chip receives a rule list converted by the rule converter and stores the rule list in the first storage unit as a rule DB. | 09-20-2012 |
20120240187 | POLICY BASED AUDITING OF WORKFLOWS - An auditing system is disclosed comprising a Policy Validation Mechanism Program (PVMP) that operates in conjunction with a Workflow Engine (WE), and a Policy Validation Server Program (PVSP) that operates on a Policy Validation Server (PVS) connected to the WE by a secure communication link. The PVMP converts a workflow to a workflow representation (WR) and sends the WR to the PVS. The PVSP compares the steps in the WR to a security policy identified for that WR and determines whether the WR is in compliance. In addition, the PVSP validates a checksum for the WR and logs the checksum for subsequent comparisons. The PVSP uses the checksum to determine whether a policy has changed during execution of the workflow. | 09-20-2012 |
20120240188 | METHOD, SYSTEM, AND COMPUTER PROGRAM PRODUCT FOR FACILITATING COMMUNICATION IN AN INTEROPERABILITY NETWORK - Methods and apparatus are described for facilitating communication among a plurality of entities via an interoperability network. Each entity has policy data corresponding thereto governing interaction with the entity via the interoperability network. A message is transmitted from a first one of the entities to a second one of the entities. The first entity has first policy data corresponding thereto and the second entity has second policy data corresponding thereto. The transmitted message was handled in the network according to combined policy data representing a combination of the first and second policy data. | 09-20-2012 |
20120240189 | METHOD, SYSTEM, AND COMPUTER PROGRAM PRODUCT FOR FACILITATING COMMUNICATION IN AN INTEROPERABILITY NETWORK - Methods and apparatus are described for facilitating communication among a plurality of entities via an interoperability network. Each entity has policy data corresponding thereto governing interaction with the entity via the interoperability network. A message is transmitted from a first one of the entities to a second one of the entities. The first entity has first policy data corresponding thereto and the second entity has second policy data corresponding thereto. The transmitted message was handled in the network according to combined policy data representing a combination of the first and second policy data. | 09-20-2012 |
20120240190 | METHOD, SYSTEM, AND COMPUTER PROGRAM PRODUCT FOR FACILITATING COMMUNICATION IN AN INTEROPERABILITY NETWORK - Methods and apparatus are described for facilitating communication among a plurality of entities via an interoperability network. Each entity has policy data corresponding thereto governing interaction with the entity via the interoperability network. A message is transmitted from a first one of the entities to a second one of the entities. The first entity has first policy data corresponding thereto and the second entity has second policy data corresponding thereto. The transmitted message was handled in the network according to combined policy data representing a combination of the first and second policy data. | 09-20-2012 |
20120246695 | ACCESS CONTROL OF DISTRIBUTED COMPUTING RESOURCES SYSTEM AND METHOD | 09-27-2012 |
20120246696 | SYSTEM AND METHOD FOR DATA MASKING - A system and computer-implemented method for providing security rules to an existing enterprise database system. The disclosed system and computer-implemented method intercepts database connection requests provided by third-party applications and end-users and determines what, if any, security rules are to be applied to the request, including masking, scrambling and unmasking the data, as well as whether the requesting user has a need to know the requested data. Accordingly, personally identifiable and other sensitive information is not provided to an unauthorized requesting application and/or end-user. | 09-27-2012 |
20120246697 | Method and Node in a Telecommunications Network - During a registration procedure by a User Equipment (UE) via a Proxy Call Session Control Function (P-CSCF) node and a Serving Call Session Control Function (S-CSCF) node, the S-CSCF node provides a policy indicator in a response message to a register request message. The policy indicator enables subsequent operation of the node to be controlled according to whether or not a registered UE has an associated policy. As such, delays (such as delays associated with retrieving an associated policy) are only experienced by UEs that have previously been determined as having such an associated policy, rather than all UEs being affected in the same way. | 09-27-2012 |
20120246698 | SYSTEMS AND METHODS OF CONTROLLING NETWORK ACCESS - A new approach to network security includes manipulating an access point such that an initial communication from an external device is passed to a restricted subset of a computing network including a gatekeeper. The gatekeeper is configured to enforce a security policy against the external device before granting access to a less-restricted subset of the computing network. If requirements of the security policy are satisfied, then the gatekeeper reconfigures the access point such that further communication from the external device may be received by elements of the less-restricted subset. Enforcement of the security policy optionally includes performing a security audit of the external device. | 09-27-2012 |
20120254935 | AUTHENTICATION COLLABORATION SYSTEM AND AUTHENTICATION COLLABORATION METHOD - An authentication collaboration server of an authentication collaboration system performs a secrecy calculation process using authentication information as input for an authentication process, generating secret authentication information for each piece of the authentication information. An authentication information verification server obtains and compares sets of the combination of secret authentication information generated by the authentication server, and a user ID identifying a user of a user terminal using the authentication information that is a source of the secret authentication information. The authentication information verification server extracts the plurality of pieces of authentication information that have been applied. The authentication collaboration server approves a service, when a user authentication state is removed as authentication results constituting the user authentication state satisfies the policy for the service, after an authentication result in which application of the authentication information has occurred. A collaboration service is achieved including multiple low cost Web services. | 10-04-2012 |
20120254936 | APPARATUS AND METHOD FOR SECURITY AND NETWORK MANAGEMENT BASED ON FLOW - There are provided an apparatus and method for security and network management based on flows. The flow-based security and network management apparatus generates data flows from network packets, and performs network management in connection with security management based on the generated data flows. Accordingly, it is possible to maximally guarantee traffic fairness between users against attack or intrusion traffic. | 10-04-2012 |
20120254937 | SYSTEMS AND METHODS OF CONTROLLING NETWORK ACCESS - A new approach to network security includes manipulating an access point such that an initial communication from an external device is passed to a restricted subset of a computing network including a gatekeeper. The gatekeeper is configured to enforce a security policy against the external device before granting access to a less-restricted subset of the computing network. If requirements of the security policy are satisfied, then the gatekeeper reconfigures the access point such that further communication from the external device may be received by elements of the less-restricted subset. Enforcement of the security policy optionally includes performing a security audit of the external device. | 10-04-2012 |
20120254938 | SYSTEMS AND METHODS OF CONTROLLING NETWORK ACCESS - A new approach to network security includes manipulating an access point such that an initial communication from an external device is passed to a restricted subset of a computing network including a gatekeeper. The gatekeeper is configured to enforce a security policy against the external device before granting access to a less-restricted subset of the computing network. If requirements of the security policy are satisfied, then the gatekeeper reconfigures the access point such that further communication from the external device may be received by elements of the less-restricted subset. Enforcement of the security policy optionally includes performing a security audit of the external device. | 10-04-2012 |
20120254939 | SYSTEMS AND METHODS OF CONTROLLING NETWORK ACCESS - A new approach to network security includes manipulating an access point such that an initial communication from an external device is passed to a restricted subset of a computing network including a gatekeeper. The gatekeeper is configured to enforce a security policy against the external device before granting access to a less-restricted subset of the computing network. If requirements of the security policy are satisfied, then the gatekeeper reconfigures the access point such that further communication from the external device may be received by elements of the less-restricted subset. Enforcement of the security policy optionally includes performing a security audit of the external device. | 10-04-2012 |
20120260303 | Mapping Global Policy for Resource Management to Machines - The subject disclosure is directed towards applying global policy to only select resources (e.g., certain file folders) based on property settings associated as metadata with those resources. The resource property settings correspond to a defined property set (e.g., a global taxonomy) that is consistent with the global policy. When global policy is received, the property metadata for each resource determines whether to apply the global policy to that resource. In this way, a central administrator may provide the defined property set, a policy author may provide the policy, and a local administrator may set the resource property settings. | 10-11-2012 |
20120260304 | METHODS AND APPARATUS FOR AGENT-BASED MALWARE MANAGEMENT - Methods and apparatus for providing protection against malware are disclosed. An exemplary method includes executing an agent program on a remote computer connected to a network, the agent program being configured to communicate with a base computer via the network, the agent program including a firewall arranged to block communications between the remote computer and entities on the network in accordance with predetermined rules; and configuring the firewall in accordance with rules received from the base computer. | 10-11-2012 |
20120260305 | Access Protection Accessory for an Automation Network - An automation network connected to an automation installation configured to perform an automation process executable in at least two states, where the access protection accessory comprises network ports, a digital storage medium configured to store at least first and second rules, and a processor configured to read the at least first and second rules, process the rules and receive and forward data via the network ports, and receive at least one signal comprising advice of a change in the state of the automation process. The first rules, in a first state of the automation process, define which received data are forwarded and which received data are not forwarded, and following reception of the at least one signal the second rules define which received data are forwarded and which received data are not forwarded. | 10-11-2012 |
20120260306 | META-EVENT GENERATION BASED ON TIME ATTRIBUTES - First stage meta-events are generated based on analyzing time attributes of base events received from a network component. Second stage meta-events are generated based on a number of the first stage meta-events that have a time attribute falling within a time period. An amount of time that has passed since a most-recent second stage meta-event was generated is determined, and if a threshold time period does not exceed the amount of time that has passed since the most-recent second stage meta-event was detected, a third stage meta-event is determined. | 10-11-2012 |
20120260307 | SECURE DISPLAY SYSTEM FOR PREVENTION OF INFORMATION COPYING FROM ANY DISPLAY SCREEN SYSTEM - Devices, methods, and computer programs are presented for displaying information output of a host. One apparatus includes a housing that includes a panel, a scalar, a sensor, an integrated circuit (IC), and a communications device. The panel includes a plurality of light emitting devices arranged to define an area for displaying information output from the host. The scalar is for receiving pixel data from the host computer to be displayed on the panel, and the sensor is for capturing data proximate to the panel. The IC is in communication with the scalar and the panel, the integrated circuit configured to intercept the information output from the host computer, the data of the sensor being analyzed for security control when the information output is to be presented to the scalar. The communications device is for enabling the IC to communicate with a remote computer without communicating through the host computer. | 10-11-2012 |
20120260308 | METHOD AND SYSTEM FOR CONDITIONALLY LIMITING COMMUNICATIONS - A server, system, and method configured to limit communications. The server includes a processor for executing a set of instructions and a memory for storing the set of instructions. The set of instructions are executed to receive a list of one or more communicating parties that are authorized to communicate with a user at any time, receive a selection to limit communications, determine whether an identifier associated with a communicating party is in the list in response to processing a communication, and connect the communication to a communications device in response to determining the identifier is in the list. | 10-11-2012 |
20120266208 | METHODS AND APPARATUS FOR MALWARE THREAT RESEARCH - Methods for classifying computer objects as malware and the associated apparatus are disclosed. An exemplary method includes, at a base computer, receiving data about a computer object from each of plural remote computers on which the object or similar objects are stored and/or processed, and counting the number of times in a given time period that objects having one or more common attributes or behaviors have been seen by the remote computers. The counted number is then compared with the expected number based on past observations, and if the comparison exceeds a predetermined threshold, the objects are flagged as unsafe or as suspicious. | 10-18-2012 |
20120266209 | Method of Secure Electric Power Grid Operations Using Common Cyber Security Services - A system of operating an electric power grid using common cyber security services to ensure secure connections from control systems to devices in the electric transmission, electric distribution, and energy centric devices in electric customers' networks. | 10-18-2012 |
20120266210 | METHOD AND APPARATUS FOR CREATING AN INFORMATION SECURITY POLICY BASED ON A PRE-CONFIGURED TEMPLATE - A method and apparatus for creating a policy based on a pre-configured template is described. In one embodiment, source data having a tabular structure is identified. Further, one of multiple policy templates is used to automatically create a policy for detecting information from any one or more rows within the tabular structure of the source data. | 10-18-2012 |
20120272287 | LOCATION BASED CONTENT FILTERING AND DYNAMIC POLICY - In one implementation, a social media device receives social interaction data including an identity of neighboring mobile devices that have been within a physical proximity of an object mobile device. The social media device hosts a social network service and provides content to a user associated with the object mobile device according to the identity of more neighboring mobile devices. The user of the object mobile device may opt to receive content only from those users that are identified in the social interaction data. The user of the object mobile device may opt to permit only those users that are identified in the social interaction data to receive content generated by the user of the object mobile device. The user may opt to alter the status policy seen by other users so that only users that are identified in the social interaction data see the user as available or online. | 10-25-2012 |
20120272288 | METHODS AND APPARATUSES FOR DETERMINING STRENGTH OF A RHYTHM-BASED PASSWORD - Methods, apparatus, and computer program products are provided for determining the strength of a rhythm-based password to facilitate selection by a user of an appropriately secure rhythm-based password. A method may include receiving input defining a rhythm-based password and determining, by a processor, at least one property of the rhythm-based password. The method may also determine a strength value of the rhythm-based password based at least in part on the at least one property of the rhythm-based password. Corresponding apparatus and computer program products may also be provided. | 10-25-2012 |
20120272289 | DEVICES, SYSTEMS, AND METHODS FOR PROVIDING INCREASED SECURITY WHEN MULTIPLEXING ONE OR MORE SERVICES AT A CUSTOMER PREMISES - Systems, devices, and methods are disclosed for providing increased security when multiplexing one or more services at customer premises. Such systems and devices may include one or more virtual machines that support a service, a service operating system, protocol functions, and protocol security functions including system, devices, and methods for, analyzing protocol data and generating protocol security data. In addition, the system, devices, and methods provide an administration function for each virtual machine that allows monitoring the protocol security data and provides a protocol alerting mechanism that reports protocol security trigger events. Moreover, the system, devices, and methods have a common layer providing a common operating system and common security functions. The protocol security functions and common security function utilize conventional and fuzzy logic rules to generate protocol security data and common security data. | 10-25-2012 |
20120272290 | System and Method for Reducing Security Risk in Computer Network - Disclosed are systems, methods and computer program products for reducing security risk in a computer network. The system includes an administration server that collects information about one or more computers in the network, including the following information: computer user's external drive usage history, software installation history, and Web browsing history. The server calculates, based on the collected information, a security rating of the computer user. The server then adjusts the security rating of the computer user based on the security rating of at least one other user of another computer connected to the same computer network. The server then selects a security policy of the security software based on the adjusted security rating of the computer user. Different security policies provide different network security settings and prohibitions on launching of executable files from external drives. | 10-25-2012 |
20120272291 | Methods, Communication Networks, and Computer Program Products for Monitoring, Examining, and/or Blocking Traffic Associated with a Network Element Based on Whether the Network Element can be Trusted - A communication network is operated by determining whether a network element can be trusted and monitoring traffic associated with the network element based on whether the network element can be trusted. At least some of the monitored traffic may be selected for examination based on the degree of trust for the network element. At least some of the monitored and/or examined traffic is selected to be blocked based on the degree of trust for the network element. | 10-25-2012 |
20120278851 | AUTOMATED POLICY BUILDER - A system, method and machine readable medium for automated policy building in a policy module of a network traffic management device is disclosed. Parsed network traffic data is received at a policy builder of a network traffic management device. The received network traffic data is analyzed in accordance with one or more threshold conditions specified by a user, via a user interface, for an existing policy. The existing policy is modified by the policy builder if the one or more threshold conditions for the network traffic have been met. | 11-01-2012 |
20120278852 | EXECUTABLE CONTENT FILTERING - An executable content message stream filter applies a plurality of executable content filters to a stream of parsed elements of a network message. Each of the plurality of executable content filters targets executable content and is instantiated based on a set of one or more rule sets selected based, at least in part, on a type of the network message. For each of the plurality of executable content filters, it is determined if one or more of the stream of parsed elements includes executable content targeted by the executable content filter. The executable content message stream filter modifies those of the stream of parsed elements that include the executable content targeted by the plurality of executable content filters to disable the executable content. | 11-01-2012 |
20120278853 | ENFORCING ALIGNMENT OF APPROVED CHANGES AND DEPLOYED CHANGES IN THE SOFTWARE CHANGE LIFE-CYCLE - On a host, host content change requests are intercepted in real-time. In a tracking mode, the change requests are logged and allowed to take effect on the host. In an enforcement mode, the change requests are logged and additionally compared against authorized change policies and a determination is made whether to allow the change to take effect or to block the changes, thereby enforcing the authorized change policies on the host. Tracking and enforcement can be done in real-time. In either mode and at any time, the logged changes can be reconciled against a set of approved change orders in order to identify classes of changes, including changes that were deployed but not approved and changes that were approved but not deployed. | 11-01-2012 |
20120284767 | Method for detecting and applying different security policies to active client requests running within secure user web sessions - A method for detecting and applying security policy to active client requests within a secure user session begins by applying a first heuristic to a plurality of requests for a particular resource to identify a pattern indicative of an active client. In one embodiment, the heuristic evaluates a frequency of requests for the particular resource across one or more secure user sessions. Later, upon receipt of a new request for the particular resource, a determination is then made whether the new request is consistent with the pattern. If so, an action is taken with respect to a secure session policy. In one embodiment, the action bypasses the secure session policy, which policy is associated with an inactivity time-out that might otherwise have been triggered upon receipt of the new request. In addition, a second heuristic may be applied to determine whether a response proposed to be returned (in response to the new request) is expected by the active client. If so, the response is returned unaltered. If, however, applying the second heuristic indicates that the response proposed to be returned is not expected by the active client, the response is modified to create a modified response, which is then returned. | 11-08-2012 |
20120284768 | TECHNIQUES FOR SECURE CHANNEL MESSAGING - Techniques for secure channel messaging are provided. Resources communicate with one another over temporary and secure communication channels. The channels come in and out of existence or switch between different channels using a variety of information and based on dynamic policy evaluation. In some situations, the channels are randomly generated using a variety of the information. Authorized resources are informed of the channels to use and when to use them for purposes of delivering and receiving messages to communicate. | 11-08-2012 |
20120284769 | Systems and Methods of Intelligent Policy-Based Geo-Fencing - Systems and methods of intelligent policy-based geo-fencing provide the ability to associate a context to a geo-fence using conditions/rules/criteria and attributes retrieved in real-time to offer greater intelligence in determining if an action should be performed. Using policies and attributes uniquely associated with a geo-fence, geo-fence concepts may be enhanced to provide granular and flexible decision-making with regard to spatial awareness. The result of these dynamic decisions may then be mapped to any number of actions to produce alerts, notifications or messages. | 11-08-2012 |
20120284770 | SYSTEM, METHOD AND PROGRAM FOR MANAGING FIREWALLS - Computer system, method and program for managing a firewall. First program instructions identify a first rule of the firewall. The first rule specifies a permitted message flow through the firewall to or from an IP address of a computer. The computer resides on a network. Second program instructions identify a second rule of the firewall. The second rule specifies a permitted message flow through the firewall to or from an IP address corresponding to the network. Message flows through the firewall to all computers on the network are permitted pursuant to the second rule. Third program instructions delete the first rule from the firewall based on the identification of the second rule and the computer residing on the network. Other program instructions identify and delete stale rules which are not needed. Other program instructions automatically identify rules for a new server added to a cluster. | 11-08-2012 |
20120284771 | PERFORMING NETWORKING TASKS BASED ON DESTINATION NETWORKS - Methods and systems which identify and interact with network interfaces based on the network to which they provide access. A computing device operating in accordance with one or more of the principles described herein may examine available network interfaces and identify the network to which the network interfaces provide access, and perform networking tasks on interfaces based on the network identified. For example, a user may instruct a computing device to connect to a specified network, and the computing device will select a particular network interface by which to connect from the one or more available network interfaces that are able to connect to that network. Alternatively, a user may manage policies (e.g., security, connection, and application policies) based on the network to which a network interface provides access and thereby manage a network regardless of which of multiple network interfaces is used to access the network. | 11-08-2012 |
20120291087 | Preventing Inappropriate Data Transfers Based on Reputation Scores - A method and apparatus for detecting violations of data loss prevention (DLP) policies based on reputation scores. | 11-15-2012 |
20120291088 | ELASTIC RESOURCE PROVISIONING IN AN ASYMMETRIC CLUSTER ENVIRONMENT - System, method, computer program product embodiments and combinations and sub-combinations thereof for elastic resource provisioning are provided. An embodiment includes grouping physical resources in an asymmetric distributed cluster of data processing nodes logically into one or more provisions. Further included are configuring access to the physical resources with the one or more provisions, and managing adjustment of operations among the data processing nodes in correspondence with adjustment to the physical resources through the one or more provisions and transparently to an application utilizing the physical resources. | 11-15-2012 |
20120291089 | METHOD AND SYSTEM FOR CROSS-DOMAIN DATA SECURITY - A data management system includes a microprocessor and a data manager executing on the microprocessor. The data manager is communicatively coupled to a first domain and a second domain and includes a first domain security process associated with a first domain security policy and operable to provide access to first domain data based on the first domain security policy. The data manager further includes a second domain security process associated with a second domain security policy and operable to provide access to first domain data based on the second domain security policy. | 11-15-2012 |
20120291090 | ACCESS MANAGEMENT ARCHITECTURE - An access management system architecture is provided. In one embodiment, the architecture comprises modular and decoupled components, which allow composability of heterogeneous solutions. | 11-15-2012 |
20120291091 | CONTROLLING LOCKING STATE TRANSITIONS IN A TERMINAL - A method and a control module for controlling locking state transitions in a terminal are described, wherein said terminal is configured for checking said transition in accordance with one or more state transition rules and wherein the method comprises the steps of: providing at least one one-way writable memory location comprising first state information associated with a first locking state of said terminal; receiving a request for a transition to a second locking state, said request comprising second state information associated with said second locking state; on the basis of said first and second state information and said transition rules checking whether said requested transition is allowable or not; and, storing said second state information in said one-way writable memory if said requested transition is allowable according to said state transition rules. | 11-15-2012 |
20120291092 | METHOD AND SYSTEM FOR DISTRIBUTING MEDIA CONTENT - A system that incorporates teachings of the present disclosure may include, for example, a set-top box operating from an interactive television (iTV) communication system having a controller to receive from the iTV communication system media content with metadata, record the media content, detect in the metadata a description of the media content correlating with one or more preferences in a preference profile, present at a media presentation device a first prompt requesting an acceptance or rejection of the media content, present at the media presentation device a second prompt requesting a selection of one or more communication devices to direct in whole or in part the media content thereto, detect the selection of at least one of the one or more communication devices, and transmit in whole or in part the media content to the at least one communication device. Other embodiments are disclosed. | 11-15-2012 |
20120297441 | METHOD AND APPARATUS FOR PROVIDING END-TO-END PRIVACY FOR DISTRIBUTED COMPUTATIONS - An approach is provided for providing end-to-end privacy in multi-level distributed computations. A distributed computation privacy platform determines one or more privacy policies associated with at least one level of a computational environment. The distributed computation privacy platform also determines one or more computation closures associated with the at least one level of the computational environment. The distributed computation privacy platform further processes and/or facilitates a processing of the one or more privacy policies and the one or more computation closures to cause, at least in part, an enforcement of the one or more privacy policies. | 11-22-2012 |
20120297442 | METHOD FOR ACCESSING WIRELESS NETWORK - A wireless network accessing method adaptable to a portable electronic device is provided. The wireless network accessing method includes following steps. A wireless access point (WAP) is connected. An authentication webpage is received from the WAP. A layout of the authentication webpage is analyzed by using a database to find out an account field and a password field of the authentication webpage. An account and a password input by a user are received. The account field filled with the account and the password field filled with the password are sent to the WAP. | 11-22-2012 |
20120297443 | SYSTEM AND METHOD FOR APPLICATION PROGRAM OPERATION ON A WIRELESS DEVICE - Embodiments described herein address mobile devices with non-secure operating systems that do not provide a sufficient security framework. More particularly, the embodiments described herein provide a set of applications to the device for providing security features to the non-secure operating system. | 11-22-2012 |
20120297444 | SYSTEM AND METHOD FOR ENSURING COMPLIANCE WITH ORGANIZATIONAL POLICIES - A method for ensuring compliance with organizational policies is described herein. The method can include the step of monitoring one or more parameters of a managed computing device for compliance with one or more policies of an organization in which the organizational policies may include limitations on the managed computing device. The method can also include the step of detecting a non-conformance event at the managed computing device with respect to at least one organizational policy. In response to the detection of the non-conformance event, the operation of the managed computing device may be restricted with respect to features or data associated with the organization. | 11-22-2012 |
20120297445 | Method of Managing Asset Associated with Work Order or Element Associated with Asset, and System and Computer Program for the Same - A method, system and computer program of managing an access right to at least one asset associated with at least one digital work order, or to at least one element associated with the asset, and provides a system and a computer program for the same. The method includes the steps of: loading a security policy associated with the work order, the asset, or the element; starting to monitor location information of the asset or the element and a moving object, or an elapsed time of the moving object at the location; and issuing an event for managing the asset, the element or the moving object in response to the start of the work order or in response to the fact that the loaded security policy is violated by any of the locations, a change in the location, or the elapsed time at the location obtained by the monitoring. | 11-22-2012 |
20120297446 | Authentication System and Method - Aspects of the invention relate to a customer authentication system for authenticating a customer making a request related to a customer account. The customer authentication system may include multiple application level data receiving and processing mechanisms for receiving customer requests and collecting customer data. The customer authentication system may additionally include a central authentication system for receiving the customer requests and customer data from the multiple application level data receiving and processing mechanisms, the central authentication system determining, based on authentication policy, whether the collected customer data is sufficient to authenticate each customer in order to fulfill the customer request. The central authentication system may return its conclusions and instructions to the multiple application level data receiving and processing mechanisms. The customer authentication system may additionally include a fraud policy system for centrally managing authentication policy implemented by the central authentication system. | 11-22-2012 |
20120304244 | MALWARE ANALYSIS SYSTEM - In some embodiments, a malware analysis system includes receiving a potential malware sample from a firewall; analyzing the potential malware sample using a virtual machine to determine if the potential malware sample is malware; and automatically generating a signature if the potential malware sample is determined to be malware. In some embodiments, the potential malware sample does not match a preexisting signature, and the malware is a zero-day attack. | 11-29-2012 |
20120304245 | SYSTEM AND METHOD FOR CONNECTING A COMMUNICATION TO A CLIENT - A method and system for connecting a communication to a client including at a system bridge, establishing a client subscription connection with a client device; receiving an incoming communication request at the system bridge; publishing an incoming communication notification from the system bridge to the client device; receiving a client communication at the system bridge; and merging the incoming communication request into the client communication at the system bridge. | 11-29-2012 |
20120304246 | System and Method for Selective Security of Wireless Bearers - A system is provided for use by a wireless cellular base station and core network to inspect and perform security actions on the input and output data stream based on policy driven security settings per application bearer for each subscriber. | 11-29-2012 |
20120304247 | SYSTEM AND PROCESS FOR HIERARCHICAL TAGGING WITH PERMISSIONS - The invention provides a file sharing system and process for hierarchical tagging with permissions in computer network-based file storage and sharing systems. The file sharing system includes a hierarchical list of tags, a plurality of files, a hierarchical tag management facility and a tag permissions facility. Each of the plurality of files is tagged by one or more tags in the hierarchical list of tags. The hierarchical tag management facility is used to create and manage the hierarchical list of tags. The tag permissions facility is activated when an administrator selects one or more tag(s). The administrator is a user having rights to facilities to configure the file sharing system. The tags permissions facility is used to change permissions for one or more users or groups of users to access a plurality of files tagged with the selected tag(s). | 11-29-2012 |
20120304248 | METHOD AND SYSTEM FOR INFORMATION TECHNOLOGY ASSET MANAGEMENT - An aspect of the present invention provides a manner of software asset management involving inputting data pertaining to software into a database; performing software product mapping for software product data input to the database; performing usage rights rule building for usage rights data input to the database; performing software title mapping for software title data input to the database; and determining software compliance as a function of data input to the database and mappings that are performed on the data. Another aspect of the present invention includes a method of inputting or importing data into a database in an IT service management system involving: the system importing the data into temporary storage in the database; the system applying validation rules; the system applying the transformation rules; the user reviewing the processed data; the user modifying the processed data; the user requesting that the processed data be committed to the database; and the system committing the processed data to records in the database. | 11-29-2012 |
20120304249 | METHOD AND APPARATUS FOR SECURITY VALIDATION - A computer-implemented method, apparatus, and article of manufacture for security validation of a user input in a computer network application. The method includes: providing a subset of security rules of a server-side protection means to a pre-validation component deployed at a client side, so as to enable security validation of a user input on the client side by the pre-validation component; validating the user input based on at least one of the security rules; determining, in response to detecting a user input violation and that a violated security rule has not been provided to the pre-validation component, the user as a first class of users; determining, in response to detecting the user input violation and that the violated security rule has been provided to the pre-validation component, the user as a second class of users; and performing different security protection actions to the first and second class of users. | 11-29-2012 |
20120304250 | POLICY-BASED PRIVACY PROTECTION IN CONVERGED COMMUNICATION NETWORKS - System(s) and method(s) that employ deep packet inspection (DPI) of data flow relating to a requested service associated with a communication device to facilitate customizing the service or results provided by the service are presented. A service request can be received by a gateway, and identification of the service is attempted. If the service is identified, a privacy rule(s), which is contained in a user privacy profile of a user associated with the communication device, is analyzed to determine whether the privacy rule(s) applies to the service. If the privacy rule(s) is applicable, a DPI engine performs DPI on the data flow, in accordance with the privacy rule(s), to obtain information that can be used to customize the service or results provided by the service. The user can specify the level of DPI to be applied. A default rule can specify that no DPI is performed on the data flow. | 11-29-2012 |
20120304251 | FIREWALL SECURITY BETWEEN NETWORK DEVICES - A security device may be interconnected, via multiple links, between multiple network devices in a network. The firewall device may include multiple input interfaces that receive data units from a first network device destined for a second network device of the multiple network devices, identify a session associated with each of the data units, and process the data units in accordance with the identified sessions and a security policy. | 11-29-2012 |
20120304252 | METHOD AND SYSTEM FOR AUTHORIZATION OF PRESENCE INFORMATION - Embodiments of the present invention include a system and method for implementing a presence system. According to an embodiment of the present invention, responsive to receiving a request for presence information associated with a presentity from a watcher, the presence system receives instructions indicating that an authorization instance other than the presentity shall be given an opportunity to change or verify an authorization rule associated with the request for presence information. As a consequence, the presence system notifies the authorization instance of the request for presence information, thereby enabling the authorization instance to change or verify the authorization rule. The presence system also makes a final decision on the authorization rule on the basis of the instructions and a notification indicating a change or verification of the authorization rule. | 11-29-2012 |
20120304253 | PAYMENT CARD INDUSTRY (PCI) COMPLIANT ARCHITECTURE AND ASSOCIATED METHODOLOGY OF MANAGING A SERVICE INFRASTRUCTURE - A system to ensure compliance with data security standards. The system including a security appliance to perform multiple security functions, the security appliance in communication with a plurality of network devices, the security appliance identifying each network device from the plurality of network devices as being included in one of a first zone containing confidential data and a second zone not containing confidential data. The system including a display unit to provide information of compliance performance of the system on a secure basis. The system further including a control unit to monitor compliance performance in real-time to ensure that each network device included in the first zone containing the confidential data is compliant with data security standards regardless of the compliance of each network device included in the second zone with the data security standards. | 11-29-2012 |
20120311655 | APPARATUS AND METHOD OF MANAGING A LICENSABLE ITEM - An apparatus and method of managing a licensable item includes accessing a licensing policy related to managing a licensable item, and a license agent making a determination to act to enforce the licensing policy or to first communicate with a server before acting to enforce the licensing policy. Further, the apparatus and method include enforcing the licensing policy in accordance with the determination to act to enforce the licensing policy or to first communicate with a server before acting. | 12-06-2012 |
20120311656 | APPARATUS AND METHOD OF LAYERED LICENSING - A methodology and apparatus for layered licensing is described. A licensable item is detected on a device. A legacy license associated with the licensable item is accessed, wherein the legacy license corresponds to a legacy licensing policy. A layered license associated with the licensable item is accessed, wherein the layered license corresponds to a layered licensing policy. The legacy licensing policy and the layered licensing policy are integrated into an integrated license, and the integrated license is enforced. | 12-06-2012 |
20120311657 | METHOD AND APPARATUS FOR PROVIDING PRIVACY IN COGNITIVE RADIO INFORMATION SHARING - An approach is provided for providing privacy in cognitive radio information sharing. A cognitive radio privacy platform receives a request, from a device, for performing one or more operations on cognitive radio information stored in at least one information space. The cognitive radio privacy platform also determines one or more privacy policies associated with the device, the one or more operations, the cognitive radio information, the at least one information space, or a combination thereof. The cognitive radio privacy platform further processes and/or facilitates a processing of the one or more privacy policies to determine an availability, a restriction, or a combination thereof of the cognitive radio information. The cognitive radio privacy platform also causes, at least in part, the performing of the one or more operations based, at least in part, on the availability, the restriction, or a combination thereof of the cognitive radio information. | 12-06-2012 |
20120311658 | Access Control System and Method - A system and method for managing access policies where the result of an intersection performed on policy sets associated with each of two nodes based on the nodes' attributes determines whether the two nodes may interact. | 12-06-2012 |
20120311659 | REAL-TIME MOBILE APPLICATION MANAGEMENT - Some embodiments relate to mobile application management. An example embodiment includes a method of mobile device management. The method includes installing a client-side engine of an enforcement engine on a mobile device. The enforcement engine further includes a runtime engine. The method also includes routing communications between the mobile device and a network/cloud or an enterprise network through the enforcement engine. In addition, the method includes generating a policy regarding the mobile applications from a signature database (“SigDB”). The SigDB includes signatures pertaining to mobile applications. Compliance of the mobile device with the policy is enforced in real time. | 12-06-2012 |
20120311660 | SYSTEM AND METHOD FOR MANAGING IPv6 ADDRESS AND ACCESS POLICY - A policy server receives an access policy information request message, and authenticates the request. When the authentication is successful, an access policy storage is accessed to obtain access policy information corresponding to the source of the message. The server outputs the corresponding access policy information. The information includes an IPv6 address for use, at the source, as a new source address. The information may also include a terminal address setting function, a rebooting option adding function upon terminal address setting, a default gateway setting function, a domain name service (DNS) server address setting function, a tunnel function on or off function, a neighbor cache clearing function, and/or a privacy extension on or off function. | 12-06-2012 |
20120311661 | SERVICE/MOBILITY DOMAIN WITH HANDOVER FOR PRIVATE SHORT-RANGE WIRELESS NETWORKS - A system manages the integration of a private short-range wireless network into a service/mobility domain with handover of a wireless terminal device between access points registered with a domain server. The server maintains information specifying rules for responding to first wireless terminal devices authorized for private network access and to second wireless terminal devices authorized for shared network access, in response to requests for information on resources available from one or more access points registered with the server. | 12-06-2012 |
20120311662 | SMART CONTAINERS - Smart containers are disclosed. A system for managing content comprises an interface to receive an operation associated with an instance of a smart container. The smart container comprises a logical structure configured using a definition to manage associated content. The system for managing content comprises a processor configured to determine whether the operation is allowable based at least in part on a policy; and in the event that the operation is allowable, perform the operation. A memory is coupled to the processor and is configured to provide the processor with instructions. | 12-06-2012 |
20120311663 | IDENTITY MANAGEMENT - The present invention relates to an improved identity management in which a first authentication request is received from a service provider where the first authentication request requests authentication attributes relating to a user. A second authentication request is transmitted to an identity provider and a first authentication response is received from the identity provider wherein the first authentication response includes at least one authentication attribute relating to said user. At least one predefined policy is applied to the first authentication response to generate a second authentication response and the second authentication response is transmitted to the service provider. | 12-06-2012 |
20120311664 | NETWORK THREAT DETECTION AND MITIGATION - A network switch automatically detects undesired network traffic and mirrors the undesired traffic to a security management device. The security management device determines the source of the undesired traffic and redirects traffic from the source to itself. The security management device also automatically sends a policy to a switch to block traffic from the source. | 12-06-2012 |
20120311665 | Analyzing Usage Information of an Information Management System - In an information management system, activity data is collected and analyzed for patterns. The information management system may be policy based. Activity data may be organized as entries including information on user, application, machine, action, object or document, time, and location. When checking for patterns in the activity or historical data, techniques may include inferencing, frequency checking, location and distance checking, and relationship checking, and any combination of these. Analyzing the activity data may include comparing like types or categories of information for two or more entries. | 12-06-2012 |
20120311666 | MICRO AND MACRO TRUST IN A DECENTRALIZED ENVIRONMENT - A method and system are disclosed. In one embodiment the method includes calculating a trust level of a first entity. The first entity has a plurality of components. Each component in the first entity has at least the trust level of the first entity. | 12-06-2012 |
20120317609 | METHODS AND DEVICES FOR CONTROLLING ACCESS TO A COMPUTING RESOURCE BY APPLICATIONS EXECUTABLE ON A COMPUTING DEVICE - Methods and devices for controlling access to a computing resource by applications executable on a computing device are described herein. In one example embodiment, a method comprises: identifying an application category with which one or more applications executable on the computing device are associated; providing one or more rules that specify whether the one or more applications associated with the application category are permitted to access the computing resource on the computing device; and transmitting the security policy to the computing device; wherein when the security policy is enforced at the computing device, access to the computing resource by the one or more applications executable on the computing device that are associated with the application category is controlled by the one or more rules. | 12-13-2012 |
20120317610 | DYNAMICALLY DEFINING NETWORK ACCESS RULES - Systems and computer program products are provided for dynamically defining network access control rules. A placeholder for a parameter of an interface to an endpoint such as a data processing system or virtual machine may be provided in a network access control rule, instead of a static parameter. The parameter may be dynamically determined, by a firewall or a hypervisor for example, and the placeholder may be replaced with the dynamically determined parameter. | 12-13-2012 |
20120317611 | DYNAMICALLY DEFINING RULES FOR NETWORK ACCESS - Methods are provided for dynamically defining network access control rules. A placeholder for a parameter of an interface to an endpoint such as a data processing system or virtual machine may be provided in a network access control rule, instead of a static parameter. The parameter may be dynamically determined, by a firewall or a hypervisor for example, and the placeholder may be replaced with the dynamically determined parameter. | 12-13-2012 |
20120317612 | ELECTRONIC APPARATUS AND METHOD OF CONTROLLING THE SAME - In an electronic apparatus of this invention, after a security function is canceled, it is determined whether the elapsed time from cancellation of the security function to detection of attachment of a device having a security function of security level higher than that of the canceled security function or the elapsed time until the operation of the attached device is enabled has exceeded a predetermined time. Upon determining that the elapsed time has exceeded the predetermined time, the electronic apparatus enables the canceled security function again. | 12-13-2012 |
20120317613 | NETWORK APPARATUS BASED ON CONTENT NAME AND METHOD FOR PROTECTING CONTENT - A content protection method includes generating content protection information regarding a content to be protected by a content producer, and generating a content name indicating a location of the content in content name based networks based on the content protection information. The content protection information may include at least one of marking information indicating whether the content is protected and policy information indicating a disclosure range of the content. | 12-13-2012 |
20120317614 | INDEPENDENT ROLE BASED AUTHORIZATION IN BOUNDARY INTERFACE ELEMENTS - Boundary interfaces for communications networks are disclosed. An example method includes configuring, with a processor, a first policy for a first network interface of a computing device in response to an input from a first network administrator of a first network; configuring, with the processor, a second policy for a second network interface of the computing device in response to an input from a second network administrator of a second network, the second network administrator being different than the first network administrator; displaying the second policy to the first network administrator; and displaying the first policy to the second network administrator. | 12-13-2012 |
20120324526 | SYSTEM AND METHOD FOR LIMITING DATA LEAKAGE - System and methods for connection processing with limited data leakage. The system records state associated with a connection request in a connection state engine, records state associated with a connection acknowledgement in the connection state engine, stores data sent after the connection acknowledgement in a buffer and determines, without a proxy, whether to allow or deny a connection as a function of the data stored in the buffer. | 12-20-2012 |
20120324527 | TECHNIQUES FOR WORKLOAD SPAWNING - Techniques for spawning workloads are provided. A single repository is read once to obtain an image for a workload or files and resources for the image. The read operation spawns multiple, and in some cases, concurrent write operations, to instantiate the workload over a network as multiple occurrences or instances of the workload in multiple processing environments. | 12-20-2012 |
20120324528 | System and method for merging security constraints when using security annotations - A method is described for merging security constraints associated with an application when using security annotations. The application comprises one or more servlets, such as a Java servlet. During application deployment, a list of role names is generated by merging static security constraints, for example, identified in a deployment descriptor, and in a static security annotation that defines a list containing the names of authorized roles for a servlet. Later, during application runtime in an application server, security constraints are retrieved from a plurality of sources, including both dynamic and static security annotations. Using the list of role names and the security constraints retrieved, a set of merged security constraints having a defined and proper order of precedence is generated. In particular, preferably one or more dynamic security annotations are first merged with one or more static security annotations to generate a set of runtime constraints. The security constraints from the deployment descriptor are then merged with the set of runtime constraints and the list of roles to generate the set of merged security constraints. These merged security constraints are then applied to process a request being handled by the application server. | 12-20-2012 |
20120324529 | ENFORCING DATA SHARING POLICY THROUGH SHARED DATA MANAGEMENT - Enforcing data sharing policy through shared data management, in one aspect, may include extracting data access rights from the one or more data policies based on a user role, data purpose, an object set and a constraint identification; extracting a data domain from the one or more data policies based on the data purpose and the object set; associating the data access rights and the data domain with data attributes of the shared data; automatically responding to application-based offers and requests for the shared data within a Software-as-a-Service platform based on the data access rights. | 12-20-2012 |
20120324530 | RULE-BASED APPLICATION ACCESS MANAGEMENT - A container that manages access to protected resources using rules to intelligently manage them includes an environment having a set of software and configurations that are to be managed. A rule engine, which executes the rules, may be called reactively when software accesses protected resources. The engine uses a combination of embedded and configurable rules. It may be desirable to assign and manage rules per process, per resource (e.g. file, registry, etc.), and per user. Access rules may be altitude-specific access rules. | 12-20-2012 |
20120324531 | AUTOMATIC DETECTION OF NON-COMPLIANT CONTENT IN USER ACTIONS - Described herein are methods, systems, apparatuses and products for automatic detection of non-compliant content in user actions. An aspect provides a method including, responsive to receiving a user selection to share data via an electronic device, analyzing the data to be shared; and automatically identifying non-compliant content within the data prior to sharing the data. Other embodiments are disclosed. | 12-20-2012 |
20120324532 | PACKET ROUTING SYSTEM AND METHOD - Methods and systems for offering network-based managed security services are provided. According to one embodiment, an IP service processing switch includes multiple service blades and one or more packet-passing data rings. The service blades each have multiple processors for providing customized security services to subscribers of a service provider. Upon receipt of a packet by a service blade from the one or more packet-passing data rings, a PEID value within the packet is inspected and when the PEID value corresponds to a PEID assigned to a processor associated with the service blade, the packet is steered to a software entity of a VR on the processor that corresponds to an LQID value within the packet. And, when the PEID value does not correspond to any PEIDs assigned to processors on the service blade, the packet is passed to a next service blade on the one or more packet-passing data rings. | 12-20-2012 |
20120324533 | WIRELESS NETWORK HAVING MULTIPLE SECURITY INTERFACES - A number of wireless networks are established by a network device, each wireless network having an identifier. Requests are received from client devices to establish wireless network sessions via the wireless networks using the identifiers. Network privileges of the client devices are segmented into discrete security interfaces based on the identifier used to establish each wireless network session. | 12-20-2012 |
20120331516 | Method for Personalizing Parental Control in a PCC Architecture - A Parental Control Manager “PCM” server of a Policy and Charging Control “PCC” architecture with the Parental Control Manager “PCM” server, a Policy Control Enforcement Function device with Deep Packet Inspection capabilities “PCEF-DPI device”, and a Policy Control Rules Function “PCRF” server. The PCM server includes a user interface unit for receiving a logon from a user, and for receiving from the user monitoring criteria on Internet traffic types to be monitored for the user, and corresponding actions to be carried out when any monitoring criteria fit a given Internet traffic type. The PCM server includes a network interface unit for submitting the monitoring criteria and corresponding actions received from the user to a PCRF server. A PCRF server of a PCC architecture with a PCM server, a PCEF-DPI device, and the PCRF server. A PCEF-DPI device of a PCC architecture with a PCM server, the PCEF-DPI device, and a PCRF server. A method of parental control by a user for access to websites, multimedia contents and Internet services with a PCC architecture having a PCM server, a PCEF-DPI device, and a PCRF server. | 12-27-2012 |
20120331517 | METHOD AND SYSTEM FOR FILTERING OBSCENE CONTENT FROM ELECTRONIC BOOKS AND TEXTUALIZED MEDIA - A method and system is disclosed for filtering obscene content from digital media comprising textualized script, such as electronic books commonly read on iPads®, Kindles®, and the like. Obscene content, in some embodiments, is redacted from the textualized media. In other embodiments, the obscene content is substituted with less obscene content. In still further embodiments, obscene content is flagged and a reader or administrator prompted to instruct the system how to handle the obscene content. | 12-27-2012 |
20120331518 | FLEXIBLE SECURITY TOKEN FRAMEWORK - A computer-implemented server system includes or supports applications that use security tokens. The server system includes a security token module to create token types for use with the applications, to generate security tokens corresponding to created token types, and to enforce token use policies for generated security tokens. The server system also includes a database to store security tokens for the token module. The token module accommodates creation of different token types having different token formats and different token use policies, based on obtained values of a plurality of token configuration variables. The token module generates security tokens in accordance with the different token formats, and enforces the different token use policies when processing incoming security tokens. | 12-27-2012 |
20120331519 | DEVELOP AND DEPLOY SOFTWARE IN MULTIPLE ENVIRONMENTS - Developing, deploying, and operating an application in a plurality of environments is disclosed, including: defining runtime specific configuration information for a plurality of environments, wherein the runtime environment specific configuration includes topology configuration and security configuration, wherein the runtime environment specific configuration information is stored separately from other configuration information and is protected by an identity management system; executing an application in one of the plurality of environments, wherein execution of the application is controlled by a first role; and presenting a credential associated with the first role to the identity management system to obtain a portion of the runtime environment specific configuration information corresponding to the environment associated with the executing application. | 12-27-2012 |
20130007835 | METHOD AND APPARATUS FOR SPECIFYING TIME-VARYING INTELLIGENT SERVICE-ORIENTED MODEL - A method and an apparatus for specifying a time-varying, intelligent service-oriented model are provided. A method implemented in a computer infrastructure having computer executable code embodied on a computer readable storage medium having programming instructions, includes defining information of a service which is to be provided to one or more users having access to a system storing the defined information. The method further includes defining policies associated with the defined information to allow and deny access to selected portions of the defined information, and exposing to a user of the one or more users the selected portions of the defined information based on the defined policies allowing access to the selected portions of the defined information. | 01-03-2013 |
20130007836 | METHOD AND SYSTEM FOR PROVIDING INFORMATION FROM THIRD PARTY APPLICATIONS TO DEVICES - A method and system of making information from an application accessible to an electronic device, comprising: checking, via a log monitor, a third party log file for a new log entry; sending any new log entries in the third party log file to a rules engine, the rules engine comprising at least one rule; determining if any of the new log entries violate any rules in the rules engine; making accessible any new log entries that violate any rules to the electronic device; creating an alert based on the new log entry that violates at least one rule; and notifying users of the alert using alert criteria to determine who should receive the alerts and when, wherein different users receive different alerts based on the alert criteria. | 01-03-2013 |
20130007837 | HOSTED VULNERABILITY MANAGEMENT FOR WIRELESS DEVICES - A method, a multi-tenant security server apparatus and associated system for securing wireless communication of devices. The method includes transferring security policy configuration information from the security server to wireless devices. The method also includes ascertaining compliance of wireless activity of the wireless devices with the security policy configuration using client software modules installed on the wireless devices. | 01-03-2013 |
20130007838 | COMMUNICATIONS SECURITY SYSTEMS - A method of establishing secure communications between a first computer, e.g. a client computer, and a second computer, e.g. a web server, whereby the client computer receives one or more security policies relating to the web server. A client application examines the client computer and preferably configures one or more aspects of the client computer in order to make it comply with the security policies. Once the web server receives the results of this examination and/or configuration process, it can determine whether the secure communications are to be established and whether any restrictions need to be placed on this communication and/or the activity conducted via the communication. | 01-03-2013 |
20130007839 | ROUTING A PACKET BY A DEVICE - Methods and apparatus for transferring packets in a packet switched communication system. A system is provided that includes an L2 device including a controller determining for each packet received whether the received packet is to be inspected, an inspection device operable to inspect and filter packets identified by the controller including using a zone specific policy and an L2 controller for transferring inspected packets in accordance with L2 header information using L2 protocols. | 01-03-2013 |
20130014206 | METHOD AND SYSTEMS FOR SECURING REMOTE ACCESS TO PRIVATE NETWORKS - A method for securing remote access to private networks includes a receiver intercepting from a data link layer a packet in a first plurality of packets destined for a first system on a private network. A filter intercepts from the data link layer a packet in a second plurality of packets transmitted from a second system on the private network, destined for a system on a second network. A transmitter in communication with the receiver and the filter performs a network address translation on at least one intercepted packet and transmits the at least one intercepted packet to a destination. | 01-10-2013 |
20130014207 | POLICY-BASED AUDITING OF IDENTITY CREDENTIAL DISCLOSURE BY A SECURE TOKEN SERVICE - A user defines an audit policy. The audit policy identifies one or more triggers that, when related information is included in a security token, trigger the performance of the audit. The audit can include notifying the user in some manner that the trigger occurred. The audit can require in-line confirmation of the audit, so that the security token is not transmitted until the user confirms the audit. | 01-10-2013 |
20130014208 | CHAINING INFORMATION CARD SELECTORS - A machine includes card stores to store information cards. For each card store, one or more card selectors can be provided. When performing a transaction involving information cards, a generic card selector, using a selector policy engine, can identify a card selector to use for the transaction. The identified card selector can be used to identify an information card in a card store to use in performing the transaction, which can be used to provide a security token to the relying party. | 01-10-2013 |
20130014209 | Content Management System - Content rights holders provide digital content to a hosting site to be used as reference content. The content owner specifies a policy for each digital content item, indicating how that content may be used on the site when uploaded by someone other than the content owner. An identification module compares the uploaded content against reference content. If the content matches reference content, the specified policy for that reference content is applied to the uploaded content. Policy options provided by the content owner include tracking the content to see how it is viewed, preventing the content from being distributed on the site, and allowing the content to be displayed in a revenue-sharing environment. In one embodiment, if the identification module matches the uploaded content to a reference item but the match does not have a sufficiently high level of confidence, the suggested match is queued for review by the content owner. | 01-10-2013 |
20130014210 | SYSTEM AND METHOD FOR SELECTION OF SECURITY ALGORITHMS - A method of managing security for a connection between a user device and a communications network including a plurality of base stations and a core network, the method including receiving at the core network security capability information for the user device connecting to the communications network via a first base station, retrieving security capability information at the core network for the first base station from a database that stores security capability information for the plurality of base stations, processing in the core network the security capability information for the user device and the security capability information for the first base station to select a security policy for a connection between the user device and the first base station, and transmitting the selected security policy to the first base station. | 01-10-2013 |
20130014211 | APPLICATION IDENTITY DESIGN - Methods and apparatus, including computer program products, implementing and using techniques for providing user credentials over a network to a remote computer application. User credentials for the remote computer application are stored in a central repository that is accessible through the network. A request is sent to a service to perform, on behalf of a user, a particular task involving the remote computer application. It is determined whether the service has been granted permission to act on behalf of the user with respect to the remote computer application. When the service has permission to act on behalf of the user, the service is used to retrieve the user's credentials for the remote computer application from the central repository and to supply the retrieved user credentials to the remote computer application. | 01-10-2013 |
20130014212 | PERMISSION-BASED ADMINISTRATIVE CONTROLS - Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for implementing permission-based administrative controls. In one aspect, a method includes receiving an administrator-defined pairing that identifies a permission and one or more applications, and receiving a request from a requesting application to perform one or more operations that are associated with the permission. The method also includes determining whether the requesting application is identified in the pairing, and selectively allowing the requesting application to perform the operations based on determining whether the requesting application is identified in the pairing. | 01-10-2013 |
20130019276 | Automatic Generation of User Account Policies Based on Configuration Management Database Information (Inventors: Ana C. Biazetti, Cary, NC, US; Jeffrey T. Robke, Apex, NC, US) - Mechanisms are provided for generating user account policies for generating user accounts to access resources of the data processing system. A determination is made that a user account policy for an identified resource in the data processing system is to be generated. Configuration information associated with the identified resource is retrieved from a configuration information database. A predefined user account policy template is retrieved from a user account policy template database system. A user account policy data structure is generated based on the retrieved configuration information and the retrieved predefined user account policy template. | 01-17-2013 |
20130019277 | Zone-Based Firewall Policy Model for a Virtualized Data Center (Inventors: David Chang, Milpitas, CA, US; Abhijit Patra, Saratoga, CA, US; Nagaraj Bagepalli, San Jose, CA, US; Rajesh Kumar Sethuraghavan, San Jose, CA, US) - Techniques are provided for implementing a zone-based firewall policy. At a virtual network device, information is defined and stored that represents a security management zone for a virtual firewall policy comprising one or more common attributes of applications associated with the security zone. Information representing a firewall rule for the security zone is defined and comprises first conditions for matching common attributes of applications associated with the security zone and an action to be performed on application traffic. Parameters associated with the application traffic are received that are associated with properly provisioned virtual machines. A determination is made whether the application traffic parameters satisfy the conditions of the firewall rule and in response to determining that the conditions are satisfied, the action is performed. | 01-17-2013 |
20130024907 | INTEGRATING SUDO RULES WITH ENTITIES REPRESENTED IN AN LDAP DIRECTORY - A method and apparatus for integrating Sudo rules into a Lightweight Directory Access Protocol (LDAP) repository. An LDAP directory server receives a request to add a sudo rule to the LDAP repository. The sudo rule defines at least one sudo command and one or more entities associated with the execution of the sudo command. The LDAP directory server creates an LDAP entry for the sudo rule, and links in the LDAP entry of the sudo rule an LDAP entry of the sudo command and LDAP entries of the entities associated with the execution of the sudo command. | 01-24-2013 |
20130024908 | SYSTEM AND METHOD FOR APPLICATION-INTEGRATED INFORMATION CARD SELECTION - A selector daemon can run in the background of a computer. Applications that are capable of processing information cards directly, without requiring the use of a card selector, can request the selector daemon to list information cards that satisfy security policy. Upon receiving such a request, selector daemon can determine the information cards available on the computer that satisfy the security policy, and can identify these information cards to the requesting application. The applications can then use the identified information cards in any manner desired, without having to use a card selector: for example, by requesting a security token based on one of the information cards directly from an identity provider. | 01-24-2013 |
20130024909 | ACCESS CONTROL PROGRAM, SYSTEM, AND METHOD - Authority permission grants/denials associated with each of a plurality of roles (R1, R2, . . . , Rm) assigned to one subject are derived by inheritance based on a subject assignment associating a role and a subject, an authority permission assignment associating a role, an authority permission, and a grant/denial, and a role hierarchy indicating an inheritance relation between roles. Among the derived authority permission grants/denials, grants/denials of authority permissions (A1, A2, . . . , An) which are each derived from two or more different roles (R1, R2, . . . , Rm) and which are each granted to one of the plurality of roles R1, R2 . . . Rm but denied to another one of the plurality of roles R1, R2 . . . Rm are determined in accordance with an input. As exceptional authority permission assignment for a virtual exceptional role constituted of a combination of roles (R1, R2, . . . , Rm), authority permission grants/denials associated with each role (R1, R2, . . . , Rm) are derived by inheritance based on the role hierarchy, authority permission assignment, and the exceptional authority permission assignment. | 01-24-2013 |
20130031595 | EFFICIENT SECURING OF DATA ON MOBILE DEVICES - A mobile device and associated method and computer-readable medium, wherein the device is configurable for data protection readiness. A preparation module is configured to perform preprocessing to prepare the mobile device for data protection readiness, the preprocessing includes: indicating certain items of data stored in the data storage arrangement which are of personal importance to an owner of the mobile device; indicating criteria that defines a situation for which the items of data of personal importance are to be secured; and indicating a set of actions to be carried out to secure the items of data of personal importance. A protection module is configured to monitor for an occurrence of the situation for which the items of data of personal importance are to be secured based on the criteria indicated by the preparation module, and to execute the set of actions indicated by the preparation module in response to a detection of the occurrence of the situation. | 01-31-2013 |
20130031596 | Evaluating Detectability of Information in Authorization Policies - Techniques for evaluating detectability of confidential information stored in authorization policies are described. In an example, an authorization policy has a confidential property. The confidential property is defined by whether application of a test probe to the authorization policy results in the grant of access to a resource. A processor automatically determines whether at least one witness policy can be generated that is observationally equivalent to the authorization policy from the perspective of a potential attacker, but the application of the test probe to the witness policy generates an access denial result. In the case that such a witness policy can be generated, an indication that the confidential property cannot be detected using the test probe is output. In the case that such a witness policy cannot be generated, an indication that the confidential property can be detected using the test probe is output. | 01-31-2013 |
20130031597 | METHOD AND EQUIPMENT FOR SECURITY ISOLATION OF A CLIENT COMPUTER - A method and equipment to protect the client computer against attacks through a device that carries out the security isolation of the client computer. It includes isolating all kinds of media that allow for writings in the computer. It uses security software, such as Firewall and antivirus programs configured according to the company's needs and also software to access the company's server, such as a browser or its own software. | 01-31-2013 |
20130031598 | Contextual-Based Virtual Data Boundaries - A system, method, and apparatus for contextual-based virtual data boundaries are disclosed herein. In particular, the present disclosure relates to improvements in access control that work to restrict the accessibility of data based on assigning contextual data thresholds that create a virtual boundary. Specifically, the disclosed method involves assigning at least one threshold to at least one contextual criterion. The method further involves determining whether contextual information from the claimant meets at least one threshold to at least one contextual criterion. Also, the method involves authenticating the claimant, if the contextual information from the claimant meets at least one of the thresholds to at least one contextual criterion. Further, the method involves allowing the claimant access to the data, if the claimant is authenticated. | 01-31-2013 |
20130031599 | MONITORING MOBILE APPLICATION ACTIVITIES FOR MALICIOUS TRAFFIC ON A MOBILE DEVICE - Systems and methods for monitoring mobile application activities for malicious traffic on a mobile device are disclosed. One embodiment of a method which can be implemented on a system includes monitoring application activities of a mobile application on the mobile device, detecting, from the application activities, suspicious activity, and/or blocking traffic from which the suspicious activity is detected. One embodiment includes creating a policy based on the information aggregated from the multiple mobile devices and/or broadcasting the policy to other mobile devices of the suspicious activity detected from the multiple mobile devices. | 01-31-2013 |
20130031600 | AUTOMATIC GENERATION AND DISTRIBUTION OF POLICY INFORMATION REGARDING MALICIOUS MOBILE TRAFFIC IN A WIRELESS NETWORK - Systems and methods for automatically generating and distributing policy information for malicious mobile traffic in a wireless network are disclosed. One embodiment of a method which can be implemented on a system includes aggregating suspicious activity information detected across multiple mobile devices in a wireless network, generating policy information for malicious mobile traffic using the suspicious activity information, and/or distributing the policy information among the multiple mobile devices or other mobile devices in the wireless network. The policy information can, for example, be distributed to wireless operators, mobile network carriers, or application service providers. | 01-31-2013 |
20130031601 | PARENTAL CONTROL OF MOBILE CONTENT ON A MOBILE DEVICE - Systems and methods of parental control of content on a mobile device are disclosed. One embodiment includes a proxy server, remote from a mobile device, which monitors traffic activities, including inbound or outbound traffic, on the mobile device and detects adult content from the traffic activities. The proxy server communicates identification of the suspicious traffic to a local proxy on the mobile device, such that the suspicious traffic containing the adult content is blocked from access to or from the mobile device. | 01-31-2013 |
20130031602 | THIN CLIENT SYSTEM, AND ACCESS CONTROL METHOD AND ACCESS CONTROL PROGRAM FOR THIN CLIENT SYSTEM - To heighten security in a thin client system, the thin client system includes: a communication unit | 01-31-2013 |
20130036447 | Attribution points for policy management - Attribution points for policy management for improvement of a determination of an access control decision; identity verification; rights management determination; or permissions inquiry. These attribution points include those between a Policy Enforcement Point and a Policy Decision Point, as well as resources for a Policy Decision Point when there is not sufficient information received from the Policy Enforcement Point. Attribution points facilitate the augmentation of attributes; speed the transmission of attributes between PEP and PDP; reduce the elapsed time for a decision; and maintain security over the attributes. An attribution point also facilitates the retrieval of attributes across zones, such as security zones and/or networks and/or detached systems. | 02-07-2013 |
20130036448 | SANDBOXING TECHNOLOGY FOR WEBRUNTIME SYSTEM - In a first embodiment of the present invention, a method of providing security enforcements of widgets in a computer system having a processor and a memory is provided, comprising: extracting access control information from a widget process requesting a service, generating access control rules customized for the widget process, and providing the access control rules to a trusted portion of the computer system outside of the user code space of a Web Runtime (WRT) system; and for any static access control rule, delegating security checking of the widget process from the WRT system to the trusted portion of the computer system. | 02-07-2013 |
20130036449 | TECHNIQUES FOR PROVIDING TENANT BASED STORAGE SECURITY AND SERVICE LEVEL ASSURANCE IN CLOUD STORAGE ENVIRONMENT - Techniques for tenant-based storage security and service level assurances in a cloud environment are presented. A Tenant Storage Machine (TSM) for each tenant uses a unique identifier. The TSM is dynamically allocated with operating system resources to run processes based on agreed service level assurances. The service level assurances are stored in a Service Level Assurance (SLA) policy store. The TSM communicates with the SLA policy store via a TSM bus to acquire a SLA policy configured for the tenant and based on which resources are dynamically allocated. Processes running under the TSM run with root privileges to provide security. | 02-07-2013 |
20130042294 | IDENTIFYING APPLICATION REPUTATION BASED ON RESOURCE ACCESSES - Malware detection is often based on monitoring a local application binary and/or process, such as detecting patterns of malicious code, unusual local resource utilization, or suspicious application behavior. However, the volume of available software, variety of malware, and sophistication of evasion techniques may reduce the effectiveness of detection based on monitoring local resources. Presented herein are techniques for identifying malware based on the reputations of remote resources (e.g., web content, files, databases, IP addresses, services, and users) accessed by an application. Remote resource accesses may be reported to a reputation service, which may identify reputations of remote resources, and application reputations of applications that utilize such remote resources. These application reputations may be used to adjust the application policies of the applications executed by devices and servers. These techniques thereby achieve rapid detection and mitigation of newly identified malware through application telemetry in a predominantly automated manner. | 02-14-2013 |
20130042295 | METHOD AND APPARATUS FOR PROVIDING A SECURE VIRTUAL ENVIRONMENT ON A MOBILE DEVICE - Methods and devices provide a secure virtual environment within a mobile device for processing documents and conducting secure activities. The methods and devices create a secure application environment in which secure data and documents may be segregated from unsecured data using document encryption, allowing the application of security policies to only the secure application environment. The creation of a secure application environment allows users to access and manipulate secure data on any mobile device, not just specifically designated secure devices, without having to secure all data on the mobile device, while providing the corporate entity with necessary document security. The methods and devices provide for securing data on a mobile device at the data level using encryption. | 02-14-2013 |
20130042296 | PHYSICAL INTERACTION WITH VIRTUAL OBJECTS FOR DRM - Technology is provided for transferring a right to a digital content item based on one or more physical actions detected in data captured by a see-through, augmented reality display device system. A digital content item may be represented by a three-dimensional ( | 02-14-2013 |
20130042297 | METHOD AND APPARATUS FOR PROVIDING SECURE SOFTWARE EXECUTION ENVIRONMENT BASED ON DOMAIN SEPARATION - An apparatus for providing a secure environment of software execution in a terminal device includes a normal service domain and a secure service domain into which a domain of the software is divided based on virtualization. The normal service domain executes a normal service on elements of the software, and the secure service domain executes a security service on elements of the software in response to a request for a security service of the software elements from the normal service domain. | 02-14-2013 |
20130042298 | SYSTEM AND METHOD FOR GENERATING TRUST AMONG DATA NETWORK USERS - A system and a method in which a user makes a service request with a service provider through a data network. The service provider receives from trust generating equipment, located in an access provider, an assessment of the security level of the user; said equipment in turn receiving a delivery of information about the trust level provided by said user; and in order for the aforementioned equipment to collect information about the user identity, the network traffic generated by the user, the security status of the user device and the geographical location of the user device, this information being analyzed and summarized in a trust label which is sent to the service provider. | 02-14-2013 |
20130042299 | WHITE LISTING DNS TOP-TALKERS - Systems and methods for creating a list of trustworthy resolvers in a domain name system. A computer receives a resolver profile for a resolver sending queries to a domain name server. The resolver profile is based on one or more of a top-talker status of the resolver, a normalcy of distribution of domain names queried, a continuity of distribution of query type, and an IP time-to-live variance of queries from the resolver. Resolver profiles can be compared to a trust policy to determine whether the resolver is trustworthy. Resolvers deemed trustworthy can be added to a list of trustworthy resolvers. Embodiments can detect the occurrence of a network-based attack. Embodiments can mitigate the effect of a network-based attack by responding only to queries from resolvers on the list of trustworthy resolvers. | 02-14-2013 |
20130042300 | METHOD FOR CONFIGURING AN APPLICATION FOR AN END DEVICE - A method for configuring an application for an end device having a predefined end-device configuration with a predefined security level. A query about the predefined end-device configuration is directed by means of the application to a central place in which a multiplicity of security levels of end-device configurations have respective application configurations associated therewith. In response to the query, the central place ascertains the predefined security level of the predefined end-device configuration from the multiplicity of security levels, and outputs it to the application together with the associated application configuration. In dependence on the output security level, one or several functions of the application are configured by means of the application on the basis of the output application configuration for the end device. | 02-14-2013 |
20130047195 | METHOD AND APPARATUS FOR MAKING TOKEN-BASED ACCESS DECISIONS - According to one embodiment, an apparatus may store a plurality of token-based rules that facilitate access to a resource, and a plurality of tokens indicating a user is using a device to request access to a resource over a network. The apparatus may receive a risk token indicating the risk associated with granting at least one of the user and the device access to the resource. The risk token may be computed from a set of tokens in the plurality of tokens. The apparatus may determine at least one token-based rule based at least in part upon the plurality of tokens and the risk token. The apparatus may then make an access decision based upon the at least one token-based rule, and communicate a decision token representing the access decision. | 02-21-2013 |
20130047196 | TRANSITIVE CLOSURE SECURITY - In one implementation, a plurality of records included in a transitive closure of a driving record is identified, and a record from the plurality of records or the driving record is determined to satisfy a security rule. The security rule is then applied to the driving record and the plurality of records. | 02-21-2013 |
20130047197 | SEALING SECRET DATA WITH A POLICY THAT INCLUDES A SENSOR-BASED CONSTRAINT - Technologies pertaining to limiting access to secret data through utilization of sensor-based constraints are described herein. A sensor-based constraint is a constraint that can only be satisfied by predefined readings that may be output by at least one sensor on a mobile computing device. If the sensor on the mobile computing device outputs a reading that satisfies the sensor-based constraint, secret data is provided to a requesting application. Otherwise, the requesting application is prevented from accessing the secret data. | 02-21-2013 |
20130047198 | Policy Based Application Suspension and Termination - In accordance with one or more aspects, an application that is to be suspended on a computing device is identified based on a policy. The policy indicates that applications that are not being used are to be suspended. The application is automatically suspended, and is allowed to remain in memory but not execute while suspended. Additionally, when memory is to be freed one or more suspended applications to terminate are automatically selected based on the policy, and these one or more selected applications are terminated. | 02-21-2013 |
20130047199 | Method and Apparatus for Subject Recognition Session Validation - According to one embodiment, an apparatus may store a plurality of token-based rules. A token-based rule may facilitate access to a resource. The apparatus may further store a plurality of tokens. The plurality of tokens may include a session token associated with access to the resource by a user. The apparatus may receive a first token indicating at least one of the detection of a face other than the user's and the detection of a voice other than the user's. The apparatus may determine, based at least in part upon at least one token-based rule from the plurality of token-based rules, that access to the resource should be terminated in response to receiving the first token and terminate the session token in response to the determination that access to the resource should be terminated. | 02-21-2013 |
20130047200 | Apparatus and Method for Performing Data Tokenization - According to one embodiment, an apparatus may receive a first data token indicating a request for data associated with the resource, a subject token indicating that at least one form of authentication has been completed, and a network token indicating that at least one form of encryption has been performed. The apparatus may determine at least one token-based rule based at least in part upon the first data token, the subject token, and the network token. The apparatus may determine, based at least in part upon the at least one token-based rule, that a second data token representing the data should be generated. The apparatus may generate a message indicating the determination that the second data token should be generated and then transmit the message. | 02-21-2013 |
20130047201 | Apparatus and Method for Expert Decisioning - According to one embodiment, an apparatus may store at least one subject token associated with a user and a device, at least one resource token associated with the resource, and at least one network token associated with a network. The apparatus may determine various access values associated with these stored tokens. The apparatus may then determine the value of a first access value based on the values of these various access values. The apparatus may determine that the value of the first access value is insufficient to grant access to the resource and determine that access by at least one of the user and the device to the resource over the network should be denied. | 02-21-2013 |
20130047202 | Apparatus and Method for Handling Transaction Tokens - According to one embodiment, an apparatus may store a plurality of token-based rules. A token-based rule may facilitate the processing of transactions. The apparatus may receive a transaction token indicating that a transaction associated with an entity has been requested. The apparatus may determine at least one token-based rule based at least in part upon the transaction token. The at least one token-based rule may indicate that there is a risk that the transaction is fraudulent. The apparatus may determine that the transaction should be denied based at least in part upon the risk that the transaction is fraudulent. | 02-21-2013 |
20130047203 | Method and Apparatus for Third Party Session Validation - According to one embodiment, an apparatus may store a plurality of tokens. The apparatus may receive a first token indicating that access to a resource has been requested by a device. The apparatus may determine at least one token-based rule based at least in part upon the first token. The at least one token-based rule may condition access to the resource upon a second token. The apparatus may determine the geographic location of the device based on a token in the plurality of tokens. The apparatus may determine, based on the geographic location of the device, that the second token should be requested from an entity and transmit a request to the entity for the second token. The apparatus may receive the second token from the entity and generate a session token based at least in part upon the first token and the second token. | 02-21-2013 |
20130047204 | Apparatus and Method for Determining Resource Trust Levels - According to one embodiment, an apparatus may receive a first resource token indicating that access to a resource has been requested. The apparatus may determine the value of an access value associated with at least one resource token in response to the determination that the plurality of resource tokens comprises the at least one resource token. The apparatus may determine that the value of the access value is insufficient to grant access to the resource. The apparatus may determine, in response to the determination that the value of the access value is insufficient to grant access to the resource, that access to the resource should be denied. | 02-21-2013 |
20130047205 | Apparatus and Method for Making Access Decision Using Exceptions - According to one embodiment, an apparatus may store a plurality of token-based exceptions. The apparatus may receive a resource token indicating that access to the resource has been requested. The apparatus may determine, based at least in part upon the resource token, at least one token-based exception. The token-based exception further may condition the grant of access to the resource upon the apparatus determining that the plurality of tokens comprises the at least one token. The apparatus may determine that the plurality of tokens does not comprise the at least one token and determine, in response to the determination that the plurality of tokens does not comprise the at least one token, that access to the resource should be denied. | 02-21-2013 |
20130047206 | Method and Apparatus for Session Validation to Access from Uncontrolled Devices - According to one embodiment, an apparatus may store a plurality of token-based rules. A token-based rule may facilitate access to a resource. The apparatus may further store a plurality of tokens. The apparatus may receive a first token indicating that an unsecured device has requested access to the resource and determine at least one token-based rule based at least in part upon the first token. The at least one token-based rule indicates a timeout associated with the unsecured device. The apparatus may determine, based on the at least one token-based rule, that the timeout associated with the unsecured device has not been exceeded and generate a session token based at least in part upon the first token in response to the determination that the timeout has not been exceeded. | 02-21-2013 |
20130047207 | METHOD AND APPARATUS FOR SESSION VALIDATION TO ACCESS MAINFRAME RESOURCES - According to one embodiment, an apparatus may store a plurality of token-based rules. The apparatus may further store a plurality of tokens. The apparatus may receive a first token indicating that access to a mainframe resource has been requested. The apparatus may determine at least one token-based rule based at least in part upon the first token. The at least one token-based rule may condition access to the resource upon a second token. The second token may be associated with a device. The second token may indicate a password. The second token may further indicate a geographic location associated with the device. The apparatus may determine that the plurality of tokens includes the second token and generate a session token based at least in part upon the first token and the second token. | 02-21-2013 |
20130047208 | SYSTEMS AND METHODS OF ASSESSING PERMISSIONS IN VIRTUAL WORLDS - Systems and methods of virtual world interaction, operation, implementation, instantiation, creation, and other functions related to virtual worlds (note that where the term “virtual world” is used herein, it is to be understood as referring to virtual world systems, virtual environments reflecting real, simulated, fantasy, or other structures, and includes information systems that utilize interaction within a 3D environment). Various embodiments facilitate interoperation between and within virtual worlds, and may provide consistent structures for operating virtual worlds. The disclosed embodiments may further enable individuals to build new virtual worlds within a framework, and allow third party users to better interact with those worlds. | 02-21-2013 |
20130055335 | SECURITY ENHANCEMENT METHODS AND SYSTEMS - In accordance with at least some embodiments of the present disclosure, a security enhancement method is provided for operating a computer system having a trusted environment and an untrusted environment. The method may include acquiring identification data associated with an application installed in the untrusted environment, authenticating the identification data according to a predetermined rule in the trusted environment to acquire a corresponding authentication result, and executing the application in the untrusted environment or uninstalling the application from the computer system according to the authentication result. | 02-28-2013 |
20130055336 | SECURITY POLICY ENFORCEMENT FOR MOBILE DEVICES CONNECTING TO A VIRTUAL PRIVATE NETWORK GATEWAY - A method, apparatus and computer program product for providing secure policy enforcement for mobile devices is presented. A mobile device is connected to a computer system, the computer system having an active Virtual Private Network (VPN) tunnel with a VPN gateway. The computer system runs a security policy check on the mobile device. A determination is made whether the mobile device passed the security policy check and when the mobile device does pass the security policy check, a certificate is issued to the mobile device. The mobile device then uses the certificate to connect to a VPN. | 02-28-2013 |
20130055337 | Risk-based model for security policy management - A security policy management solution (such as a Data Loss Prevention (DLP) system) is augmented to enable a user to model and visualize how changes in a security policy may impact (positively or negatively) the effectiveness of a policy configuration as well as the risk associated with its deployment. This technique enables a user (e.g., a security policy administrator) to evolve enterprise information technology (IT) security policies and, in particular, to generate and display “what-if” scenarios by which the user can determine trade-offs between, on the one hand, the effectiveness of a proposed change to a policy, and on the other hand, the risk associated with the proposed change. | 02-28-2013 |
20130055338 | Detecting Addition of a File to a Computer System and Initiating Remote Analysis of the File for Malware - In certain embodiments, a computer system includes a memory unit and a processing unit. The processing unit executes a monitoring module stored on the computer system. The monitoring module monitors the computer system for addition of a file to the computer system and detects an addition of a file to the computer system. The monitoring module accesses policies to determine whether to communicate information associated with the detected addition of the file over a communication network to a remote malware analysis system to initiate a possible malware analysis of the file by the remote malware analysis system. The monitoring module initiates, in response to determining to communicate information associated with the detected addition of the file, communication over the communication network of information associated with the detected addition of the file to the remote malware analysis system, the remote malware analysis system operable to analyze the file for malware. | 02-28-2013 |
20130055339 | SECURITY EVENT MANAGEMENT APPARATUS, SYSTEMS, AND METHODS - Apparatus, systems, and methods may operate to include transforming subsequent unmarked contexts into additional tainted contexts in response to identifying a tainted event as a link between a prior tainted context and the subsequent unmarked contexts. Further operations may include publishing an event horizon to a display. The event horizon may include the tainted event and all other events associated with a linked chain of contexts that include the prior tainted context and the additional tainted contexts, where the tainted event and the other events share the taint in common. In this way, a taint associated with malicious behavior can be propagated and tracked as it moves between contexts. Additional apparatus, systems, and methods are disclosed. | 02-28-2013 |
20130055340 | INFORMATION PROCESSING APPARATUS, INFORMATION PROCESSING METHOD, AND COMPUTER PROGRAM PRODUCT - According to an aspect of the embodiment, an information processing unit includes a browser unit that receives page files and executes a web application; an application range management unit that receives application range information at the start of execution of the web application, and stores that information in a memory unit; a termination detecting unit that, when the page file being processed by the browser unit changes, determines whether or not the web application being executed has terminated depending on whether or not the new page file is included in the application range information; a usability determining unit that determines whether or not an add-on for which a call request is issued is allowed to be used in the web application being executed; and an add-on calling unit that calls an add-on when it is determined that the add-on is allowed to be used in the web application being executed. | 02-28-2013 |
20130055341 | RESTRICTION OF PROGRAM PROCESS CAPABILITIES - This document describes systems and methods for restricting program process capabilities. In some implementations, the capabilities are restricted by limiting the rights or privileges granted to an application. A plurality of rules may be established for a program, or for a group of programs, denying that program the right to take actions which are outside of the actions needed to implement its intended functionality. A security policy is implemented to test actions initiated in response to an application against the rules to enable decisions restricting the possible actions of the program. Embodiments are disclosed which process the majority of decisions regarding actions against a security profile through use of a virtual machine. In some embodiments, the majority of decisions are resolved within the kernel space of an operating system. | 02-28-2013 |
20130055342 | Risk-based model for security policy management - A security policy management solution (such as a Data Loss Prevention (DLP) system) is augmented to enable a user to model and visualize how changes in a security policy may impact (positively or negatively) the effectiveness of a policy configuration as well as the risk associated with its deployment. This technique enables a user (e.g., a security policy administrator) to evolve enterprise information technology (IT) security policies and, in particular, to generate and display “what-if” scenarios by which the user can determine trade-offs between, on the one hand, the effectiveness of a proposed change to a policy, and on the other hand, the risk associated with the proposed change. | 02-28-2013 |
20130055343 | Methods, Devices, Systems, and Computer Program Products for Edge Driven Communications Network Security Monitoring - An edge monitoring approach can be utilized to detect an attack which includes a plurality of relatively low bandwidth attacks, which are aggregated at a victim sub-network. The aggregated low bandwidth attacks can generate a relatively high bandwidth attack including un-solicited data traffic directed to the victim, so that the aggregated attack becomes more detectable at an edge monitor circuit located proximate to the victim. Related systems, devices, and computer program products are also disclosed. | 02-28-2013 |
20130055344 | SYSTEM AND METHOD FOR EVALUATING A REVERSE QUERY - Disclosed are real-time techniques for determining all access requests to an attribute-based access control (ABAC) policy which evaluate to a given decision, “permit” or “deny”. The policy is enforced to control access to one or more resources in a computer network. In one embodiment, a method comprises: (i) receiving a reverse query and a set of admissible access requests, each of which comprises one or more attributes in the policy and values of these; (ii) extracting attributes to which all access requests in the set assign identical values; (iii) reducing the ABAC policy by substituting values for the extracted attributes; (iv) caching the policy as a simplified policy; (v) translating the simplified policy and the given decision into a satisfiable logic proposition; (vi) deriving all solutions satisfying the proposition; and (vii) extracting, based on the solutions, all access requests from the set for which the policy yields the given decision. | 02-28-2013 |
20130061281 | System and Web Security Agent Method for Certificate Authority Reputation Enforcement - Network security administrators are enabled with their customizable certificate authority reputation policy store which is informed by an independent certificate authority reputation server. The custom policy store overrides trusted root certificate stores accessible to an operating system web networking layer or to a third party browser. Importing revocation lists or updating browsers or operating system is made redundant. Proactive remediation is enabled to delete or disable root certificates in trusted operating system root certificate stores or in trusted browser root certificate stores by a web security agent installed at distributed endpoints. This removes the need for additional hardware or synchronous remote access over the protected endpoints. | 03-07-2013 |
20130061282 | Content Handling for Applications - Techniques for content handling for applications are described. In one or more implementations, a first set of content handling policies is enforced for a first portion of an application that is permitted to invoke code elements of the computing device and a second set of content handling policies is enforced for a second portion of the application that is not permitted to invoke the code elements. Further, a determination is made whether to apply the first set of content handling policies or the second set of content handling policies to content based on which portion of the application is requesting the content. | 03-07-2013 |
20130061283 | Ultra-Low Power Single-Chip Firewall Security Device, System and Method - A firewall security device, system and corresponding method are provided that includes an operating system of an entirely new architecture. The operating system is based fundamentally around a protocol stack (e.g., TCP/IP stack), rather than including a transport/network layer in a conventional core operating system. The firewall security device may include a processor and an operating system (OS) embedded in the processor. The OS may include a kernel. The operating system kernel is a state machine and may include a protocol stack for communicating with one or more devices via a network interface. The OS may be configured to receive and transmit data packets and block unauthorized data packets within one or more layers of the protocol stack based on predetermined firewall policies. | 03-07-2013 |
20130061284 | SYSTEM AND METHOD FOR EFFICIENT INSPECTION OF CONTENT - A system and method of efficiently inspecting content is provided. Embodiments of the invention may inspect files accessed by an application prior to an activation of the application. Selective inspection of files accessed by an application may be based on a previous inspection. Inspection of files accessed by an application may be postponed or performed concurrently with the access. A prioritized queue may include references to files, a priority may be related to a risk level and an inspection order may be according to a risk level. | 03-07-2013 |
20130067530 | DNS-Based Content Routing - DNS-based content routing techniques are described. In one or more implementations, data is examined that describes interactions via a network with content via a domain name. Responsive to the examination, a policy is adjusted to change how one or more network addresses are resolved for the domain name for access to the content. A communication is formed that includes the adjusted policy to be communicated to one or more domain name system (DNS) servers, the adjusted policy configured to specify which network addresses are resolved for the domain name by the one or more DNS servers for access to the content. | 03-14-2013 |
20130067531 | Access Brokering Based on Declarations and Consent - Embodiments include processes, systems, and devices for brokering application access to capabilities, such as device capabilities. An access broker receives requests from applications to access capabilities. The access broker determines whether to grant access based at least in part on whether the application manifest declares the capability. The access broker also may cause a user interface element to be displayed requesting user consent to the access request. Also, an in-application user interface element is provided that displays capability access settings for a particular application. The in-application user interface element includes selectable options for changing those settings. Changes in those settings via the user interface update the settings in the access broker. | 03-14-2013 |
20130067532 | GENERATING SECURITY PERMISSIONS - Embodiments of the invention relate to generating security permissions for applications. A static analysis on an application is carried out to determine security exceptions and to determine the application components responsible for the security exceptions. The determined security exceptions are analysed to calculate permissions required for each component. A security policy file that includes a hierarchy of the required permissions suitable for the type of application is formatted and applied to the application to provide a security enabled application. | 03-14-2013 |
20130074142 | SECURING DATA USAGE IN COMPUTING DEVICES - Policies are applied to specific data rather than to an entire computing device that contains the specific data. Access to the specific data is controlled by the policies utilizing various password or other authentication credential requirements, selective data caching, data transmission, temporary data storage, and/or pre-defined conditions under which the specific data is to be erased or rendered inaccessible. Policies may be defined by an administrator and pushed to a mobile computing device, whereat the policies are enforced. | 03-21-2013 |
20130074143 | SYSTEM AND METHOD FOR REAL-TIME CUSTOMIZED THREAT PROTECTION - A method is provided in one example embodiment that includes receiving event information associated with reports from sensors distributed throughout a network environment and correlating the event information to identify a threat. A customized security policy based on the threat may be sent to the sensors. | 03-21-2013 |
20130074144 | APPLICATION IDENTIFICATION - A method may include receiving a first communication from a first client device and identifying a port number, a protocol and a destination associated with the first communication. The method may also include identifying a first application being executed by the first client device based on the port number, the protocol and the destination associated with the first communication. | 03-21-2013 |
20130074145 | SECURE KEY SELF-GENERATION - Techniques are disclosed for providing secure critical security parameter (CSP) generation in an integrated circuit (IC). Embodiments generally include determining that an ability to read the CSP externally (e.g., through a debug interface) has been disabled before the CSP is generated. Depending on the functionality of the device, embodiments can include other steps, such as determining whether software for executing a method for providing a secure CSP is being run for a first time. Among other things, the techniques provided herein for providing secure CSP generation can increase the security of the CSP and reduce manufacturing costs of the IC. | 03-21-2013 |
20130074146 | DATA SECURITY FOR A DATABASE IN A MULTI-NODAL ENVIRONMENT - A security mechanism in a database management system enforces processing restrictions stored as metadata to control how different pieces of a multi-nodal application are allowed to access database data to provide data security. The security mechanism preferably checks the data security restrictions for security violations when an execution unit attempts to access the data, to ensure the nodal conditions are appropriate for access. When the security mechanism determines there is a security violation by a query from an execution unit based on the security restrictions, the security mechanism may send, delay or retry to maintain data security. Nodal conditions herein include time restrictions and relationships with other columns, rows or pieces of information. For example, multiple processing units may execute together, but the security mechanism would prohibit these processing units from accessing specific pieces of information at the same time through the use of metadata in the database. | 03-21-2013 |
20130074147 | PACKET PROCESSING - Network devices and methods are provided for packet processing. One method includes using logic embedded in an application specific integrated circuit on a network device to dynamically adjust an access control list. According to the method, the access control list is adjusted in response to information received from a checking functionality related to packets received by the network device from a particular port. The method also includes handling packets later received from the particular port according to the adjusted access control list. | 03-21-2013 |
20130081099 | METHOD AND APPARATUS FOR PROVIDING ABSTRACTED USER MODELS - An approach is provided for providing abstracted user models in accordance with one or more access policies. A model platform determines an ontology for specifying a hierarchy of one or more abstraction levels for items data used in latent factorization models. The model platform further causes, at least in part, a generation of one or more user models for the one or more abstraction levels. The model platform also causes, at least in part, a selection of at least one of the one or more user models for generating one or more recommendations for one or more applications, one or more services, or a combination thereof based, at least in part, on one or more privacy policies, one or more security policies, or a combination thereof. | 03-28-2013 |
20130081100 | SYSTEM AND METHOD OF REAL-TIME CHANGE PROPAGATION AND ACTIVATION USING A DISTRIBUTED OBJECT CACHE - Embodiments of the invention provide systems and methods for using a distributed object cache to propagate and activate changes to security information across nodes of a cluster. Embodiments of the present invention can be implemented, for example, in a security product that enforces security policies, i.e., access control, etc., on resources such as web content provided by a set of servers or nodes of a computing grid and provide ways to handle data synchronization between the servers or nodes of the grid. This synchronization can be performed using a distributed object cache that provides replicated and distributed object caching services. For example, Oracle Coherence is one such distributed object cache that is built on top of a reliable, highly scalable peer-to-peer clustering protocol. However, embodiments of the present invention are not limited to use with Coherence but rather are equally applicable to other distributed object caches. | 03-28-2013 |
20130081101 | POLICY COMPLIANCE-BASED SECURE DATA ACCESS - Access control techniques relate to verifying compliance with security policies before enabling access to the computing resources. An application is provided on a client that generates verification codes using an authentication seed. Prior to granting the client the authentication seed necessary to generate a verification code, a server may perform a policy check on the client. Some embodiments ensure that the client complies with security policies imposed by an authenticating party by retrieving a number of parameter values from the client and then determining whether those parameter values comply with the security policies. Upon determining that the client complies, the authentication seed is issued to the client. In some embodiments, the authentication seed is provided such that a policy check is performed upon the generation of a verification code. The client is given access to secure information when the client is determined to comply with the security policies. | 03-28-2013 |
20130081102 | CREATING AND MAINTAINING A SECURITY POLICY - An approach for managing a security policy is provided. First, second, and third specification sets are received after being independently generated by different practitioners. The first specification set maps service-to-service communications. The second specification set maps the services to devices on which the services are placed. The third specification set maps the devices to one or more network addresses. The received specification sets are algorithmically combined to create packet filtering rule statements. The security policy is generated as packet filtering rules based on the combined specification sets and the packet filtering rule statements. An application deployment modification includes independently editing specification set(s) that are affected by the modification, without knowledge of specification set(s) that are unaffected by the modification. An updated security policy may be generated by an incremental update to an existing security policy without requiring replacement of the entire security policy. | 03-28-2013 |
20130081103 | Enhanced Security SCADA Systems and Methods - A system and method for a secure supervisory control and data acquisition (SCADA) system. Secure SCADA elements (SSEs) have individual system security monitoring and enforcement of policies throughout the SCADA system. An isolation core ensures that a system security monitor monitors and takes appropriate action with respect to untrusted applications that may impact an SSE. The system security server provides policy enforcement on all of the SSEs that exist on the system. New security policies are created that are populated to individual SSEs in the system. Biomorphing algorithms allow for system uniqueness to be derived over time, further enhancing security of SSEs. | 03-28-2013 |
20130081104 | MOBILE DEVICE MANAGEMENT APPARATUS AND METHOD BASED ON SECURITY POLICIES AND MANAGEMENT SERVER FOR MOBILE DEVICE MANAGEMENT - A mobile device management apparatus has a policy storage unit that receives a plurality of security policies, which are classified into a plurality of profiles assigned priorities of activation and in which operating states of functions of a mobile device are defined. A management server supplies the profiles and the security policies to the mobile device. A policy implementation unit selectively activates the profiles so that control of the mobile device functions can be carried out with minimal communication, and also in response to changing events. | 03-28-2013 |
20130081105 | PROVISIONING USER PERMISSIONS USING ATTRIBUTE-BASED ACCESS-CONTROL POLICIES - An attribute-based access control policy (e.g., XACML policy) for a set of elements depends on attributes carried by elements in one of several predefined categories. In order to evaluate such policy for a set of elements, the invention provides a method including the steps of (I) selecting a primary category; (II) partitioning the elements in the primary category into equivalence classes with respect to their influence on the policy; and (III) using the equivalence classes to replace at least one policy evaluation by a deduction. The result of the evaluation may be represented as an access matrix in backward-compatible format. The efficiency of the policy evaluation may be further improved by applying partial policy evaluation at intermediate stages, by forming combined equivalence classes containing n-tuples of elements and/or by analyzing the influence of each element by extracting functional expressions of maximal length from the policy. | 03-28-2013 |
20130086623 | SYSTEMS AND METHODS FOR ESTABLISHING ISOLATION BETWEEN CONTENT HOSTING SERVICES EXECUTING ON COMMON SUPPORT SERVER - Embodiments relate to systems and methods for establishing isolation between content hosting services executing on a common support server. In aspects, a server virtualization platform can operate on a common physical support server to instantiate, configure, and operate a set of virtual servers. The set of virtual servers can, for instance, be used to run independent Web sites or other locations or services. The data available to each process on each virtual server can be encoded using an SELinux™ label including an MCS (multi-category security) category or categories uniquely identifying that process. Isolation of the potentially sensitive data for multiple Web sites and/or their content hosted on a common physical server can therefore be enforced, since each process operating on each virtual server is restricted to only access and manipulate data objects or other entities having matching MCS category information identified on that baremetal support server. | 04-04-2013 |
20130086624 | FLEXIBLE DOCUMENT SECURITY FOR PROCUREMENT AGENTS - A method, system, and computer program product for providing document security for procurement agents. The method commences by establishing user authentication credentials for at least two procurement agents. Then, initially granting limited access to a first set of documents where the first set of documents is initially under control of the first procurement agent (and initially inaccessible by the second procurement agent), and initially granting limited access to a second set of documents, where the second set of documents is initially under control of the second procurement agent. A procurement application receives an access request from the first user to access a document from among the second set of documents, causing the procurement application to confirm the first user authentication credentials, retrieve the document access rule for the first procurement agent, and allow/deny access by the first user to the document from among the second set of documents. | 04-04-2013 |
20130086625 | ENFORCING SECURITY RULES AT RUNTIME - Various arrangements for implementing a security policy at runtime are presented. A plurality of calls in a syntax tree may be identified. Each call of the plurality of calls may be substituted with a corresponding security-modified call to create a plurality of security-modified method calls. Each security-modified call may be linked with a security class. Following modification of each call of the plurality of calls, the plurality of security-modified calls may be compiled into bytecode. | 04-04-2013 |
20130086626 | CONSTRAINT DEFINITION FOR CONDITIONAL POLICY ATTACHMENTS - Framework for conditionally attaching web service policies to a policy subject (e.g., a web service client or service endpoint) at subject runtime. In one set of embodiments, a constraint expression can be defined that specifies one or more runtime conditions under which a policy should be attached to a policy subject. The constraint expression can be associated with the policy and the policy subject via policy attachment metadata. The constraint expression can then be evaluated at runtime of the policy subject to determine whether attachment of the policy to the policy subject should occur. If the evaluation indicates that the policy should be attached, the attached policy can be processed at the policy subject (e.g., enforced or advertised) as appropriate. Using these techniques, the policy subject can be configured to dynamically exhibit different behaviors based on its runtime context. | 04-04-2013 |
20130086627 | CONFLICT RESOLUTION WHEN IDENTICAL POLICIES ARE ATTACHED TO A SINGLE POLICY SUBJECT - Techniques for resolving conflicts between web service policies that are attached (via LPA and/or GPA metadata) to a single policy subject (e.g., a WS client/service endpoint). In one set of embodiments, a determination can be made whether two conflicting policies that are attached to a single policy subject are identical. This determination can be based on, e.g., a Uniform Resource Identifier (URI) that is used to identify the policies in their respective policy attachment metadata files, as well as any policy configuration properties. If the two conflicting policies are determined to be identical, the policy attachment metadata for one of the policies can be considered valid, while the policy attachment metadata for the other, duplicate policy can be ignored. In this manner, validation errors arising from duplicate policy attachments can be avoided. | 04-04-2013 |
20130086628 | PRIVILEGED ACCOUNT MANAGER, APPLICATION ACCOUNT MANAGEMENT - Techniques for managing accounts are provided. An access management system may check out credentials for accessing target systems. For example a user may receive a password for a period of time or until checked back in. Access to the target system may be logged during this time. Upon the password being checked in, a security account may modify the password so that the user may not log back in without checking out a new password. Additionally, in some examples, password policies for the security account may be managed. As such, when a password policy changes, the security account password may be dynamically updated. Additionally, in some examples, hierarchical viewing perspectives may be determined and/or selected for visualizing one or more managed accounts. Further, accounts may be organized into groups based on roles, and grants for the accounts may be dynamically updated as changes occur or new accounts are managed. | 04-04-2013 |
20130086629 | DYNAMIC IDENTITY CONTEXT PROPAGATION - Techniques are provided for dynamically propagating identity context for a user in a Service-Oriented Architecture. Methods and apparatus are provided that include receiving a request to invoke a web service, retrieving first security claims from application identity context information pertaining to a user, generating second security claims at runtime, packaging the first and second security claims into an authentication token, and transmitting the authentication token to a second computer system in a service request. The second computer system can be configured to extract the first and second security claims from the authentication token, validate the extracted first and second security claims, generate identity context information based upon the extracted first and second security claims, and publish and propagate the identity content information in an identity context object. The second computer system can verify that the security claims conform to corresponding security claim schemas stored in a claims dictionary. | 04-04-2013 |
20130086630 | DYNAMIC IDENTITY SWITCHING - Techniques are disclosed for dynamically switching user identity when generating a web service request by receiving, at a client application, an invocation of a web service, the invocation associated with a first authenticated user identity of a first user, identifying a second user identity, verifying that a switch from the first user identity to the second user identity is permitted by switching rules, including the second user identity in a service request when the switch is permitted, and communicating the service request to the web service. The switching rules can include associations between initial user identities and permitted user identities. Verifying that a switch is permitted can include searching the associations for an entry having an initial user identity that matches the first authenticated user identity and a new user identity that matches the second user identity, wherein the switch is permitted when the entry is found. | 04-04-2013 |
20130086631 | SYSTEMS AND METHODS FOR CONTROLLING ACCESS TO A MEDIA STREAM - Systems and methods of controlling access to a multimedia stream in a media streaming session from a multimedia server to a requesting device via a network. The systems and methods facilitate receiving a primary request for the multimedia stream from the requesting device; determining whether to allow access to the primary request from the requesting device in accordance with at least one media session policy; and if access is permitted, then generating a secondary request corresponding to the primary request; providing the secondary request to the multimedia server; receiving a first multimedia stream from the multimedia server in response to the secondary request; determining whether to transmit the first multimedia stream or a second multimedia stream based on the at least one media session policy; and transmitting either the first multimedia stream or the second multimedia stream to the requesting device as indicated by the at least one media session policy. | 04-04-2013 |
20130086632 | SYSTEM, METHOD, AND COMPUTER PROGRAM PRODUCT FOR APPLYING A RULE TO ASSOCIATED EVENTS - A system, method, and computer program product are provided for applying a rule to associated events. In use, a plurality of events is associated based on at least one identifier. Additionally, at least one rule is applied to the associated events. Further, a reaction is performed based on the application of the at least one rule. | 04-04-2013 |
20130091534 | NETWORK APPLIANCE FOR CUSTOMIZABLE QUARANTINING OF A NODE ON A NETWORK - A system, method, and apparatus are directed to managing access to a network. An agent may intercept a network packet transmitted by an enforcement point in response to a request from a device to join the network. The agent identifies, based on the network packet, a port number on the enforcement point at which the request is received. The agent may transmit the port number to a NACA to enable security enforcement operations to be performed on the device. Another device may reside outside the quarantined network and be enabled by the NACA to direct a remediation measure to be performed on the device using at least the port number. The NACA may spoof an ARP response with an address of the NACA to restrict access to resources. The NACA may also place the device into one of a plurality of quarantined networks. | 04-11-2013 |
20130091535 | EFFECTIVE TESTING OF AUTHORIZATION LOGIC OF WEB COMPONENTS WHICH UTILIZE CLAIMS-BASED AUTHORIZATION - An authorization algorithm of a software component can be selected. A static code analysis can be performed to determine a conditional statement within an algorithm of the software component. The outcome of the conditional statement can be established based on an input and a criteria using dynamic code analysis. The input can be a value associated with a claim set of a claims-based authentication policy. The criteria can be an authentication criteria specified within the algorithm. Responsive to the outcome, an execution path associated with the outcome can be determined and a code coverage criterion can be met for the conditional statement. | 04-11-2013 |
20130091536 | SYSTEM AND METHOD FOR POLICY CONFORMANCE IN A WEB APPLICATION - A method and system may analyze a script file of a web application, the script file representing actions of a task performed in conjunction with a web service, to determine whether the actions conform to policy criteria. The method and system may determine as restricted any of the actions which do not conform to the policy criteria. The method and system may execute the script file without the restricted actions to reproduce the task in response to a request by a user. | 04-11-2013 |
20130091537 | RESTRICTING NETWORK AND DEVICE ACCESS BASED ON PRESENCE DETECTION - In an example embodiment, a technique that applies a network policy responsive to specified events, or triggers, to a networked device. If a specified event occurs, the network policy may restrict the device's access to the network. For example, if a user walks away from their networked device, such as a laptop, the device's network access changes. For example, depending upon the policy, network traffic may be blocked or otherwise restricted. | 04-11-2013 |
20130091538 | SECURE FIREWALL RULE FORMULATION - A kernel extension is configured to intercept a call to associate a socket with a port of a node in a network. The call originates from a kernel of the node. The kernel extension is configured to determine the port from the call. The kernel extension is configured to determine that the port is one of a plurality of ports for which the node has authority to modify firewall rules of a firewall of the network. The kernel extension is configured to modify firewall rules maintained by the firewall to allow communications for the port to the node through the firewall. | 04-11-2013 |
20130091539 | SYSTEM AND METHOD FOR INSIDER THREAT DETECTION - A system and method include obtaining data related to accessing cyber assets and accessing physical assets from a combined cyber access and physical access control system that protects cyber and physical assets of an organization from both authorized and unauthorized access with malicious intent. The system and method compare the data to known patterns of expected behavior, and identify patterns of suspicious behavior as a function of comparing the data to the patterns of expected behavior. The comparison is utilized to identify potentially malicious insider behavior toward the cyber and physical assets. | 04-11-2013 |
20130091540 | SOCIAL DEVICE SECURITY IN A SOCIAL NETWORK - A social network (SNET) is divided into one or more circles employing separate security secrets, e.g. keys, for communication between members. A device can be a member of more than one circle, and store different keys for each of those circles in separate, restricted portions of memory. When a member leaves a circle, new keys can be generated and distributed to the remaining members. Before and after joining a circle, a level of trust associated with the device or human member can be determined based on third party trust verification and a trust history. A requirement for multiple current circle members to vouch for the prospective member can be imposed as a condition of membership. Each circle can be assigned different trust and access levels, and authorization to receive information can be checked before transmitting information between circles. | 04-11-2013 |
20130091541 | EFFECTIVE TESTING OF AUTHORIZATION LOGIC OF WEB COMPONENTS WHICH UTILIZE CLAIMS-BASED AUTHORIZATION - An authorization algorithm of a software component can be selected. A static code analysis can be performed to determine a conditional statement within an algorithm of the software component. The outcome of the conditional statement can be established based on an input and a criteria using dynamic code analysis. The input can be a value associated with a claim set of a claims-based authentication policy. The criteria can be an authentication criteria specified within the algorithm. Responsive to the outcome, an execution path associated with the outcome can be determined and a code coverage criterion can be met for the conditional statement. | 04-11-2013 |
20130091542 | APPLICATION MARKETPLACE ADMINISTRATIVE CONTROLS - The subject matter of this specification can be embodied in, among other things, a method that includes receiving, by one or more servers associated with an application marketplace, a policy that includes data that identifies one or more users, and a restricted permission. A request is received, by the servers associated with the application marketplace, to access one or more applications that are distributed through the application marketplace, wherein the request includes data that identifies a particular one of the users. One or more of the applications that are associated with the restricted permission are identified by the servers associated with the application marketplace, and access by the particular user to the applications that are associated with the restricted permission is restricted by the servers associated with the application marketplace. | 04-11-2013 |
20130091543 | SYSTEM AND METHOD FOR CREATING SECURE APPLICATIONS - A method for generating a secure application is described herein. The method can include the steps of obtaining a target application and decomposing the target application into original files that contain predictable instructions. One or more predictable instructions in the original files may be identified. In addition, the target application may be modified to create the secure application by binding one or more intercepts to the target application. These intercepts can enable the modification of the predictable instructions in accordance with one or more policies such that the behavior of the secure application is different from the original behavior of the target application. Modification of the target application may be conducted without access to the source code of the target application. | 04-11-2013 |
20130091544 | SYSTEM AND METHOD FOR ENFORCING A POLICY FOR AN AUTHENTICATOR DEVICE - A system and method including defining at least one device authentication policy; at a policy engine, initializing authentication policy processing for an authenticator device; collecting device status assessment; evaluating policy compliance of the device status assessment to an associated defined device authentication policy; and enforcing use of the authenticator device according to the policy compliance. | 04-11-2013 |
20130097651 | CAPTURING DATA PARAMETERS IN TEMPLATES IN A NETWORKED COMPUTING ENVIRONMENT - Embodiments of the present invention provide an approach for allowing a user to capture a set of values for a set of input parameters in a template that may be used for present and/or future provisioning of virtual resources. Under this approach, the template may be managed within a networked computing environment (e.g., cloud computing environment) for future use by the creating user or other authorized users. The next time the user is interacting with the environment, the set of templates available may be accessed, and the user can select/utilize a previously stored template. Once a template is chosen, the user may initiate a provisioning request from the environment's interface(s), which may include graphical user interfaces (GUIs), command lines, application programming interfaces (APIs), etc. In any event, the user may also have the opportunity to update any saved data and/or provide additional data. | 04-18-2013 |
20130097652 | SYSTEM AND METHOD FOR PROFILE BASED FILTERING OF OUTGOING INFORMATION IN A MOBILE ENVIRONMENT - A system and method in one embodiment includes modules for detecting an access request by an application to access information in a mobile device, determining that the application is a potential threat according to at least one policy filter, and blocking a send request by the application to send the information from the mobile device without a user's consent. More specific embodiments include the user selecting the information through a selection menu on a graphical user interface that includes information categories pre-populated by an operating system of the mobile device, and keywords that can be input by the user. Other embodiments include queuing the send request in a queue with other requests, and presenting an outbox comprising the queue to the user to choose whether to consent to the requests. The outbox includes graphical elements configured to permit the user to selectively consent to any requests in the queue. | 04-18-2013 |
20130097653 | MANAGING POLICIES - Aspects of the subject matter described herein relate to managing policies. In aspects, a staging store is used to store policies that are not applied to a computer system unless and until they are copied to or otherwise imported into a production store. A configuration entity is allowed read/write access to the staging store, but is not allowed write access to the production store. A policy manager is granted read access to the staging store and write access to the production store. The policy manager may approve or deny staging policies. If the policy manager approves a staging policy, the policy manager may derive a production policy from the staging policy and store the production policy in the production store. Once a policy is in the production store, the policy may be applied to one or more entities as appropriate. | 04-18-2013 |
20130097654 | METHOD AND APPARATUS FOR SECURE WEB WIDGET RUNTIME SYSTEM - The security of web widgets is improved by transferring a set of access control decisions conventionally handled by the Web Runtime system (WRT) to a more secure portion of the computing system, such as a kernel in the operating system. Access control rules are extracted and provided to the more secure portion. This may be performed during widget installation or at invocation of a widget. During runtime, the more secure portion performs security checking functions for the widget instead of the WRT. | 04-18-2013 |
20130097655 | METHODS AND APPARATUS FOR A SAFE AND SECURE SOFTWARE UPDATE SOLUTION AGAINST ATTACKS FROM MALICIOUS OR UNAUTHORIZED PROGRAMS TO UPDATE PROTECTED SECONDARY STORAGE - Described herein are articles, systems, and methods for using a storage controller to protect secure data blocks through the enforcement of a read only policy. In some embodiments, the articles use a combination of hardware protections and software protections (e.g., virtualization) to protect a system against attack from malware while such secure data is updated. Also described are systems and methods for securely updating data blocks secured in this fashion, and detecting and preventing the corruption of data stored on secondary storage media using a disk eventing mechanism. | 04-18-2013 |
20130097656 | METHODS AND SYSTEMS FOR PROVIDING TRUSTED SIGNALING OF DOMAIN-SPECIFIC SECURITY POLICIES - Methods and systems for providing trusted signaling of domain-specific security policies. One method includes intercepting a connection request to a remote server from a client device on a domain and returning a security certificate with policy information for regulating the communications with the target server. | 04-18-2013 |
20130097657 | Dynamically Generating Perimeters - Systems and techniques relating to securely managing electronic resources are described. A described technique includes receiving a request to add to a mobile device an account setting for a server resource account. Detecting a trigger event for a new perimeter based on the account setting. In response to a parameter or a pattern associated with the account setting, retrieving a security policy from a resource server for the server resource account, and generating, by the mobile device, a new perimeter including the server resource account based on the security policy. The new perimeter is configured to prevent transferring data associated with the server resource account being transferred to mobile-device resources external to the new perimeter. | 04-18-2013 |
20130097658 | SYSTEM AND METHOD FOR REDIRECTED FIREWALL DISCOVERY IN A NETWORK ENVIRONMENT - A method is provided in one example embodiment that includes receiving metadata from a host over a metadata channel. The metadata may be correlated with a network flow and a network policy may be applied to the connection. In other embodiments, a network flow may be received from a host without metadata associated with the flow, and a discovery redirect may be sent to the host. Metadata may then be received and correlated with the flow to identify a network policy action to apply to the flow. | 04-18-2013 |
20130097659 | SYSTEM AND METHOD FOR WHITELISTING APPLICATIONS IN A MOBILE NETWORK ENVIRONMENT - One or more attributes of an application in a plurality of applications are identified. A reputation score of the application is determined based at least in part on the identified attributes to determine whether the application should be included in a whitelist. The whitelist can be applied against a request to download the application on a mobile device. In some aspects, the whitelist can be generated through automated collection and analysis of applications available for download by one or more different types of mobile devices in one or more networks. In some aspects, the whitelist can be applied by blocking attempts to download applications determined not to be included in the whitelist. | 04-18-2013 |
20130097660 | SYSTEM AND METHOD FOR WHITELISTING APPLICATIONS IN A MOBILE NETWORK ENVIRONMENT - An application is identified as installed on a particular mobile device. An action involving the application is identified, the action to be performed using the particular mobile device. It is determined whether the action is an approved action based on at least one policy associated with the particular mobile device. A determination that the action is unapproved can result in an attempt to prevent the action. Further, in certain instances, a whitelist or blacklist can be generated based on determinations of whether identified application actions conform to one or more policies associated with the particular mobile device. | 04-18-2013 |
20130097661 | SYSTEM AND METHOD FOR DETECTING A FILE EMBEDDED IN AN ARBITRARY LOCATION AND DETERMINING THE REPUTATION OF THE FILE - A method is provided in one example embodiment that includes identifying a file format identifier associated with a beginning of a file, parsing the file based on the file format identifier until an end of the file is identified, and calculating a hash from the beginning of the file to the end of the file. The method may also include sending the hash to a reputation system and taking a policy action based on the hash's reputation received from the reputation system. | 04-18-2013 |
20130097662 | INTEGRATING SECURITY POLICY AND EVENT MANAGEMENT - A plurality of security events is detected in a computing system, each security event based on at least one policy in a plurality of security policies. Respective interactive graphical representations are presented in a graphical user interface (GUI) of either or both of the security events or security policies. The representations include interactive graphical elements representing the respective security events or security policies. User selection of a particular event element via the interactive GUI causes a subset of the security policies to be identified, each security policy in the subset serving as a basis for at least one particular security event represented by the particular event element. User selection of a particular policy element via the interactive GUI causes a subset of the security events to be identified, each security event in the subset based at least in part on a particular security policy represented by the particular policy element. | 04-18-2013 |
20130097663 | Integrated Circuit For Cyber Security Processing - In one aspect, an integrated circuit (IC) includes a secure router configured as a trust anchor, a non-volatile random access memory (RAM) direct memory access (DMA) channel coupled to the secure router, a first DMA coupled to the secure router and configured to receive data with a first classification and a second DMA coupled to the secure router and configured to receive data with a second classification. The IC also includes a secure boot/key controller coupled to the secure router and configured as a trust anchor to boot the IC securely and a processor coupled to the secure router and configured to encrypt data, to store protocols, to store instructions to detect malicious intrusions on the IC and to provide key management. | 04-18-2013 |
20130097664 | SECURE DATA INTERCHANGE - A secure data interchange system enables information about bilateral and multilateral interactions between multiple persistent parties to be exchanged and leveraged within an environment that uses a combination of techniques to control access to information, release of information, and matching of information back to parties. Access to data records can be controlled using an associated price rule. A data owner can specify a price for different types and amounts of information access. | 04-18-2013 |
20130097665 | ACCESS CONTROL APPARATUS AND STORAGE MEDIUM - According to one embodiment, when a resource access event is started, an access control apparatus suspends the event before the resource access device accesses the resource. The access control apparatus acquires attribute information from the attribute management device using the deny-type policy in the access control policy and decides whether to permit or deny the access based on this attribute information and the deny-type policy. The access control apparatus releases the suspension when the access decision result in the supplied access decision response indicates permission and no obligation-type policy is present in the access decision response. | 04-18-2013 |
20130097666 | PROXY GATEWAY ANTI-VIRUS METHOD, PRE-CLASSIFIER, AND PROXY GATEWAY - The present invention discloses a proxy gateway anti-virus method, a pre-classifier, and a proxy gateway. The method includes: receiving a resource obtaining request for obtaining a to-be-transmitted resource; sending a pre-detection request to a network element that stores the to-be-transmitted resource, to obtain attribute information of the to-be-transmitted resource; judging, based on an anti-virus policy and according to the attribute information, whether the to-be-transmitted resource needs anti-virus scanning; if yes, performing anti-virus scanning on the to-be-transmitted resource that is subsequently obtained; and if no, transparently transmitting the to-be-transmitted resource that is subsequently obtained. The present invention provides a technical solution for pre-detecting, according to attribute information, whether a to-be-transmitted resource needs anti-virus scanning; a resource that needs no anti-virus scanning can be transmitted transparently and directly before it reaches the proxy layer, thereby implementing an anti-virus function, improving transmission efficiency, and reducing the waste of resources. | 04-18-2013 |
20130097667 | METHOD AND SYSTEM FOR AUTOMATED SECURITY ACCESS POLICY FOR A DOCUMENT MANAGEMENT SYSTEM - A method and system for providing an automated security access policy in a document management system are described. The security policies are applied based on metadata rules. Once a document is added to the document management system, the metadata rules are evaluated using the metadata of the document. Based on the results of the evaluation, security access policies are applied to the document. | 04-18-2013 |
20130104184 | SYSTEM AND METHOD FOR ENABLEMENT OF DESKTOP SOFTWARE FUNCTIONALITY BASED ON IT POLICY - A method, device and system for enablement of desktop software functionality based on IT policy comprise determining whether IT policy settings are associated with a mobile device connected to the desktop software and restricting functionality of the desktop software based on the IT policy settings for the connected mobile device. | 04-25-2013 |
20130104185 | Policy Enforcement in a Secure Data File Delivery System - A server interacts with a sender to form a package which can include one or more attached data files to be sent to one or more recipients, and the server applies a policy established by a policy authority of the sender to the package. Since the server both forms the package through interaction with the sender and applies the policy, violations of the policy by the package can be brought to the sender's attention during an interactive session with the sender and before encryption of all or part of the package. As a result, the sender is educated regarding the policy of the sender's policy authority, and the sender can modify the package immediately to comport with the policy. The server delivers the package to intended recipients by sending notification to each recipient and including package identification data, e.g., a URL by which the package can be retrieved. | 04-25-2013 |
20130104186 | SYSTEM AND METHOD FOR PREVENTING AN ATTACK ON A NETWORKED VEHICLE - A system for preventing an attack on a networked vehicle via a wireless communication device includes a wireless data traffic network, a security status determination unit for controlling access to the wireless network depending on a security status based on evaluation of a configuration and/or on log data of the vehicle and/or on the time that has passed since a software update, and a communication device and an access control device. In a method for preventing an attack on a networked vehicle via a wireless communication device, a security status is determined based on an evaluation of a current configuration of the vehicle and/or on log data of the vehicle and/or on the time that has passed since an update of relevant software; a network access rule set for access to the data traffic network is then determined and actuated based on the determined security status. | 04-25-2013 |
20130104187 | CONTEXT-DEPENDENT AUTHENTICATION - An electronic device is secured by determining, by a processor, that an electronic device is in a first secured state associated with a first security level. Based on the first security level, a first context-dependent authentication policy is assigned to the electronic device. A transition rule is determined to have been satisfied, and responsively the electronic device transitions into a second secured state, wherein the second secured state comprises a different security level than the first secured state. The first context-dependent authentication policy is modified to yield a second context-dependent authentication policy, and the device is changed from the second secured state upon the device receiving an authentication that satisfies the second context-dependent authentication policy. | 04-25-2013 |
20130104188 | SECURE OPTION ROM CONTROL - A mechanism for controlling the execution of Option ROM code on a Unified Extensible Firmware Interface (UEFI)-compliant computing device is discussed. A security policy enforced by the firmware may be configured by the computing platform designer/IT administrator to take different actions for different types of detected expansion cards or other devices due to the security characteristics of Option ROM drivers associated with the expansion card or device. The security policy may specify whether authorized signed UEFI Option ROM drivers, unauthorized but signed UEFI Option ROM drivers, unsigned UEFI Option ROM drivers and legacy Option ROM drivers are allowed to execute on the UEFI-compliant computing device. | 04-25-2013 |
20130104189 | Controlling Transmission of Unauthorized Unobservable Content in Email Using Policy - A system, method, and apparatus are disclosed to control a mail server in handling encrypted messages according to a policy. | 04-25-2013 |
20130104190 | SYSTEM AND METHOD FOR DOCUMENT POLICY ENFORCEMENT - A system and method is disclosed for document policy enforcement. The method discloses: scanning document parts for a set of policy-eliciting terms | 04-25-2013 |
20130104191 | METHOD AND SYSTEM FOR MANAGING CONFIDENTIAL INFORMATION - A method and a system for information management and control is presented, based on modular and abstract description of the information. Identifiers are used to identify features of interest in the information and information use policies are assigned directly or indirectly on the basis of the identifiers, allowing for flexible and efficient policy management and enforcement, in that a policy can be defined with a direct relationship to the actual information content of digital data items. The information content can be of various kinds: e.g., textual documents, numerical spreadsheets, audio and video files, pictures and images, drawings etc. The system can provide protection against information policy breaches such as information misuse, unauthorized distribution and leakage, and for information tracking. | 04-25-2013 |
20130104192 | SYSTEM AND METHOD FOR INTELLIGENCE BASED SECURITY - Included in the present disclosure are a system, method and program of instructions operable to protect vital information by combining information about a user and what they are allowed to see with information about essential files that need to be protected on an information handling system. Using intelligent security rules, essential information may be encrypted without encrypting the entire operating system or application files. According to aspects of the present disclosure, shared data, user data, temporary files, paging files, the password hash that is stored in the registry, and data stored on removable media may be protected. | 04-25-2013 |
20130104193 | DYNAMIC CONFIGURATION OF A GAMING SYSTEM - A method to enable dynamic configuration of gaming terminals installed in one or a plurality of gaming premises whereby certified games, certified data files and certified support software components are activated in accordance with a predetermined schedule or automatically in response to the observed gaming activity. The method may include allocating an individual PKI certificate to each executable software component and each of its versions, binding the PKI certificate to the executable software, associating a distinctive policy with each certificate and then enforcing the software execution policies in accordance with the desired authorized game configuration and schedule. The PKI certificate's “Subject Name” (or “Issued to” field or “CommonName” field) may be a concatenation of the software component identification, its version number and optionally other identification characters. The method applies equally to other network connected gaming subsystems. The method enables fine-grained and secure control of the authorized software components and thus the flexibility to securely configure the gaming system in accordance with a schedule or in a closed-loop fashion in order to meet business objectives. In addition, a method to enable the certification authority to bind the certificates to the tested code is described. | 04-25-2013 |
20130111540 | CLOUD PROTECTION TECHNIQUES | 05-02-2013 |
20130111541 | POLICY ENFORCEMENT OF CLIENT DEVICES | 05-02-2013 |
20130111542 | SECURITY POLICY TOKENIZATION | 05-02-2013 |
20130111543 | TECHNIQUES FOR CONTROLLING AUTHENTICATION | 05-02-2013 |
20130111544 | MANAGEMENT OF CONTEXT-AWARE POLICIES | 05-02-2013 |
20130111545 | Privacy Management for Subscriber Data | 05-02-2013 |
20130111546 | SYSTEMS, METHODS, AND COMPUTER PROGRAM PRODUCTS FOR MANAGING SECURE ELEMENTS | 05-02-2013 |
20130111547 | Security Policy Deployment and Enforcement System for the Detection and Control of Polymorphic and Targeted Malware | 05-02-2013 |
20130111548 | METHOD FOR ADAPTING SECURITY POLICIES OF AN INFORMATION SYSTEM INFRASTRUCTURE | 05-02-2013 |
20130117801 | VIRTUAL SECURITY BOUNDARY FOR PHYSICAL OR VIRTUAL NETWORK DEVICES - A method and apparatus is disclosed herein for using a virtual security boundary. In one embodiment, the method comprises receiving information from a virtual machine after the virtual machine has been moved from a first physical location in a network to a second physical location in the network, where the information identifies the virtual machine as one previously assigned to a security boundary; determining that access to the virtual machine at the first physical location was permitted by the security gateway; assigning the virtual machine at the second physical location to the security boundary, and applying a security policy associated with the security boundary to communications between the network and the virtual machine at the second physical location. | 05-09-2013 |
20130117802 | AUTHORIZATION-BASED REDACTION OF DATA - Tasks for providing a post-redaction document to a requestor are distributed among several distinct components. The decision about whether a particular requestor is permitted to obtain a requested content item is made by an authorization service. When obtaining the requested content item is permitted, the authorization service returns (a) portion identification information, and (b) redaction technique information that indicates the manner by which that portion should be redacted. Redaction is then performed by a redaction component. Techniques are described in which the portion identification information identifies portions to be redacted using XPath expressions, and the redaction component has logic to identify the portions, within the pre-redaction version of the content item, that are targeted by the XPath expressions. | 05-09-2013 |
20130117803 | SECURITY AND SAFETY MANAGER IMPLEMENTATION IN A MULTI-CORE PROCESSOR - A system includes a multi-core computer processor. One or more cores of the multi-core computer processor are configured as a security co-processor for the system and for other cores of the multi-core processor, and one or more cores of the multi-core computer processor are configured as a safety manager co-processor for the system and for other cores of the multi-core processor. An operating system of the security co-processor and an operating system of the safety manager co-processor are independent of operating systems of the other cores of the multi-core processor. The security co-processor and the safety manager co-processor are configured to boot before the other cores and to enforce security policy and/or safety policy on the other cores. | 05-09-2013 |
20130117804 | BROWSER-BASED SECURE DESKTOP APPLICATIONS FOR OPEN COMPUTING PLATFORMS - Example browser-based secure desktop applications for open computing platforms are disclosed. An example method disclosed herein to provide secure desktop functionality to a computing platform comprises providing, in response to a first request, a secure desktop application to the computing platform, the secure desktop application for execution by a browser on the computing platform, and establishing a secure communication connection between a service node and the secure desktop application, the secure communication connection to provide the secure desktop application with access to a trusted entity, the secure communication connection being accessible to a trusted application downloaded to the computing platform for execution by the browser in association with the secure desktop application, the secure communication connection being inaccessible to an untrusted application not executed in association with the secure desktop application. | 05-09-2013 |
20130117805 | TECHNIQUES TO APPLY AND SHARE REMOTE POLICIES ON MOBILE DEVICES - Techniques to apply and share remote policies on personal devices are described. In an embodiment, a technique includes contacting an enterprise server from an enterprise application operating on a personal device. The enterprise application may receive policies from the enterprise server. The policies may be applied to the enterprise application. When a second enterprise application on the personal device is launched, the policies may also be applied to the second enterprise application. When a policy is changed on the enterprise server, notification is pushed to the personal device and all related enterprise applications on the personal device may be updated to enforce the policy change. Other embodiments are described and claimed. | 05-09-2013 |
20130117806 | NETWORK BASED PROVISIONING - The subject disclosure generally relates to provisioning devices via a network service, such as a cloud service. A profile component can authenticate a user of a device with a cloud service, and determine services maintained by the network service that are associated with the user. A reception component can receive a request for a set of services from the device, and a services component can obtain the set of services from the network service, and provision the device based on the set of services. Provisioning the device can include downloading the services to the device, or including the services in a virtual machine executing in the network service. | 05-09-2013 |
20130117807 | SETTING DEFAULT SECURITY FEATURES FOR USE WITH WEB APPLICATIONS AND EXTENSIONS - According to one general aspect, a computer-implemented method for implementing default security features for web applications and browser extensions includes receiving a request to include a web application or a web browser extension in a digital marketplace. A determination is made whether the web application or the web browser extension conforms to default security features, wherein the default security features include a prohibition against running in-line script on web pages. The web application or the browser extension is included in the digital marketplace if the web application or the browser extension conforms to the default security features. | 05-09-2013 |
20130117808 | APPARATUS AND METHOD FOR ENHANCING SECURITY IN HETEROGENEOUS COMPUTING ENVIRONMENT - An apparatus and method for enhancing security and stability in a heterogeneous computing environment that supports an open standard parallel program are provided. A method of enhancing security in a heterogeneous computing environment may include loading a source code kernel corresponding to an application program to be installed in a host system, determining whether the source code kernel is targeted for integrity check, based on a security policy of the host system, prior to cross-compiling the source code kernel, requesting a security engine of a computing device to check an integrity of the source code kernel, when the source code kernel is determined to be targeted for the integrity check, and controlling an operation of a runtime compiler based on a check result received from the security engine. | 05-09-2013 |
20130117809 | INTRUSION PREVENTION SYSTEM (IPS) MODE FOR A MALWARE DETECTION SYSTEM - Intrusion prevention system (IPS) mode is provided for a malware detection system. At least one staging server is provided for intercepting an incoming electronic message, making a copy of the intercepted incoming electronic message, and holding the intercepted incoming electronic message until an analysis of the copy of the intercepted incoming electronic message has been completed or until a timeout threshold has been exceeded. A malware detection system is coupled to the at least one staging server. The at least one malware detection system includes at least one decomposition server for receiving the copy of the intercepted incoming electronic message and processing the copy of the intercepted incoming electronic message to detect malware. Multiple mail queues, e.g., incoming, timeout, jail, decomposition, and outgoing, are used to manage message flows and delay messages while malware analysis is performed. | 05-09-2013 |
20130117810 | METHOD AND SYSTEM FOR PROVIDING A CLIENT ACCESS TO AN EXTERNAL SERVICE VIA AN APPLICATION SERVICES PLATFORM - In accordance with embodiments, there are provided mechanisms and methods for providing a client access to an external service via an application services platform. These mechanisms and methods for providing a client access to an external service via an application services platform can enable embodiments to provide effective access to such external service without necessarily forcing the client to access the external service separately with respect to the application services platform. The ability of embodiments to provide such technique can enable the integration of an external service with an application services platform, thus allowing the client to access the external service in a more effective manner. | 05-09-2013 |
20130117811 | METHOD AND SYSTEM FOR ENCRYPTED FILE ACCESS - A method and system for encrypted file access are provided. The method includes the steps of: receiving ( | 05-09-2013 |
20130117812 | SUPERVISION OF THE SECURITY IN A COMPUTER SYSTEM - For supervising the security of a computer system (SY) comprising several elementary computer items (BI), such as machines and applications, and several gathering items (BIg), such as networks, services or sites, gathering elementary items, a supervision device (DS) collects base measurements (MB) representative of states of the elementary items. A unit (UDI) determines several security indicators (I) of different types for each elementary item according to respective functions of the base measurements and several security indicators of different types for each gathering item. Each security indicator of a given type of a gathering item is determined according to a respective function of the security indicators of the given type of the elementary items gathered in the gathering item. The indicators of one item relate to the availability, the intrusion, the vulnerability and the compliance to a security policy. | 05-09-2013 |
20130125196 | Method and apparatus for combining encryption and steganography in a file control system - One embodiment of the present invention provides a system that improves security of a file control system. During operation the system receives a request from a user to decrypt a file. The system then decrypts the file. Next, the system adds a watermark to the decrypted file which allows the decrypted file to be subsequently traced back to the origin of the decrypted file, thereby improving security of the file control system. Note that the watermark can include a user identifier, an Internet Protocol (IP) address associated with the user, a hardware address or identifier associated with the user, a timestamp, or any other information that can be used to identify the origin of the decrypted file. | 05-16-2013 |
20130125197 | Relying Party Specifiable Format for Assertion Provider Token - A security component may be associated with a network-enabled application. The network-enabled application may request access to restricted content from a relying party (e.g., web site). The security component associated with the network-enabled application may receive authentication policy information from the relying party and send a user's authentication credentials to an assertion provider to authenticate the credentials. The relying party may trust the assertion provider to authenticate user credentials. Upon successful authentication, the assertion provider may return an assertion token to the security component and the security component may sign the assertion token as specified in the authentication policy information. Subsequently, the security component may forward the signed assertion token to the relying party and the relying party may grant access to the restricted content. | 05-16-2013 |
20130125198 | MANAGING CROSS PERIMETER ACCESS - In some implementations, a method of managing access to resources in a single device includes receiving, from a first resource assigned to a first perimeter, a request to access a second resource assigned to a second perimeter different from the first perimeter. The single device includes the first perimeter and the second perimeter. Whether access to the second resource is prohibited is determined based on a management policy for the first perimeter. The management policy defines one or more rules for accessing resources assigned to the second perimeter, including the second resource. | 05-16-2013 |
20130125199 | TESTING ACCESS POLICIES - A policy that governs access to a resource may be tested against real-world access requests before being used to control access to the resource. In one example, access to a resource is governed by a policy, referred to as an effective policy. When the policy is to be modified or replaced, the modification or replacement may become a test policy. When a request is made to access the resource, the request may be evaluated under both the effective policy and the test policy. Whether access is granted is determined under the effective policy, but the decision that would be made under the test policy is noted, and may be logged. If the test policy is determined to behave acceptably when confronted with real-world access requests, then the current effective policy may be replaced with the test policy. | 05-16-2013 |
20130125200 | Method of securing data in 2D bar codes using SSL - Methods and apparatus authenticate a printed document associated with a source entity. The printed document includes a two-dimensional code (2-D code) that includes data encoded therein. The encoded data includes a resource locator to an intent. An image of the 2-D code is decoded to obtain the resource locator to an intent, and it is detected whether the resource locator to an intent includes a protocol identifier designating a secure 2-D code. If so, the protocol identifier is replaced with a protocol identifier used to access a secure server of the source entity located at a host portion of the resource locator. The secure server is accessed to obtain the intent. A certificate of the secure server is accessed and an electronic device displays an indicator of whether the certificate is valid and also displays the intent. The indicator may be used to decide whether the intent can be trusted. | 05-16-2013 |
20130125201 | Security Systems and Methods for Social Networking - Data may be masked on public networks, such as social networking sites. At a publishing node, the system may monitor data input fields in a webpage that are processed by an internet browser. The system may intercept data, such as text, images, and video input at the data input fields, prior to the data being posted online. The publishing node may control which users are permitted access to the posted data by defining a policy associated with the data input field. The posted data may be transformed or tokenized to ensure that it is inaccessible to a user (or group of users) unless that user/group has access to the decoding key under the policy. In this way, data security and data control may be provided to a publishing user node. Data that has already been posted may be destroyed, for example, by deleting the decryption key or a token. | 05-16-2013 |
20130125202 | Security Systems And Methods For Encoding And Decoding Digital Content - Systems and methods may be provided for masking data on public networks. At a publishing node, the system may monitor data input fields in a webpage, and intercept and encode content, such as text, images, and video input at the data input fields, prior to the content being posted online on a public service provider's website. A policy may be defined to control which users are permitted access to a key to decode the encoded content. The policy may defer to a third party policy node in determining key access. An account for a controlling entity, such as a guardian or employer, may be configured to control the encoding status of posts made by another. The controlling entity may control who has key access to decode posts made by the other account. The guardian account may be configured to have preemptive rights over posting decisions made by the minor. | 05-16-2013 |
20130125203 | SYSTEMS AND METHODS FOR SECURING EXTRANET TRANSACTIONS - The systems and methods described herein relate to secure extranets which utilize certificate authentication to mediate access, transactions, and user tracking. Such extranets may be employed to provide an interface accessible over a network, such as the Internet, capable of authenticating and recording transactions for business, medical, or other purposes. | 05-16-2013 |
20130133023 | DYNAMICALLY MAPPING NETWORK TRUST RELATIONSHIPS - In an embodiment, the method comprises receiving an access request, from an authenticator device, to grant a supplicant device access to a data network; transmitting the access request to an authentication server; after sending a response that the access request was granted, updating a trust topology map by including in the trust topology map information that has been obtained from the response and that indicates a secure link between the authenticator device and the supplicant device; and causing the updated trust topology map to be displayed as a logical map depicting one or more network devices and roles assigned to the one or more network devices; wherein the method is performed by one or more computing devices. | 05-23-2013 |
20130133024 | Auto-Approval of Recovery Actions Based on an Extensible Set of Conditions and Policies - Recovery action approval may be provided. A request to perform an action may be received from a user. If the user is not always authorized to request the action, then the action may be performed if a policy rule permits the user to request the action. | 05-23-2013 |
20130133025 | Security Deployment System - To address security issues that can arise in information systems, the present invention uses novel methods and/or systems to enhance security in information systems, using a new way to deploy selected security policies. Instead of trying to modify a whole binary file all at once to add in code to implement additional security policies, the current invention modifies the code in memory in a piecemeal, as-needed fashion. | 05-23-2013 |
20130133026 | SYSTEM, METHOD, AND APPARATUS FOR DATA, DATA STRUCTURE, OR ENCRYPTION COGNITION INCORPORATING AUTONOMOUS SECURITY PROTECTION - Aspects of the inventive subject matter relate in general to systems, methods, and apparatus for data cognition that incorporates autonomous security protection and embedded intelligence. More particularly, the inventive subject matter relates to systems, methods, and apparatus utilizing cognitive data, cognitive encryption key(s), and cognitive data structures or protocols that can perform analyses and assessments, self-manage and/or self-organize, secure its environment, evaluate behavior, detect security problems, adapt, work in conjunction with network communication and protocols, alert the data creator of an urgent situation (Situation Awareness), and provide traceability, electronic forensics, and possess self-knowledge so it can be discovered, searched, and support data management, dynamic endpoint security, and be influenced by user behavior. | 05-23-2013 |
20130133027 | COMBINING NETWORK ENDPOINT POLICY RESULTS - An endpoint integrity system controls access to resources of a protected network for endpoint devices attempting to access the protected network. The system may include a number of evaluation modules that communicate with an endpoint device. The evaluation modules generate policy results for the endpoint device, in which each of the policy results assumes one of three or more states, called a multi-state policy result. The multi-state policy results are combined to produce a combined Boolean policy result. | 05-23-2013 |
20130133028 | AUTOMATED DEVICE PROVISIONING AND ACTIVATION - A non-transitory computer-readable storage medium storing program code for causing one or more processors of a wireless device to execute a method comprising: assisting in obtaining a user input through a user interface of the wireless device; determining at least an aspect of a control policy based on the user input, the control policy associated with a first application on the wireless device, the at least an aspect of the control policy for at least assisting in controlling a first access to the first wireless network by the first application on the wireless device and enabling a first control of the first access to the first wireless network by the first application on the wireless device that differs from a second control of a second access to the first wireless network by a second application; and applying the control policy. | 05-23-2013 |
20130133029 | WIRELESS LAN COMMUNICATION TERMINAL AND COMMUNICATION CONTROL METHOD THEREOF IN WIRELESS LAN SYSTEM FOR THE SAME - A wireless LAN communication terminal and its communication control method are provided that make it possible to configure desired security between the terminal and an other-end terminal, without increasing power consumption of the terminals. The wireless LAN communication terminal ( | 05-23-2013 |
20130133030 | PLATFORM AUTHENTICATION STRATEGY MANAGEMENT METHOD AND DEVICE FOR TRUSTED CONNECTION ARCHITECTURE - Provided are a platform authentication strategy management method for trusted connection architecture (TCA), and the trusted network connection (TNC) client, TNC access point and evaluation strategy service provider for implementing the method in the TCA. In the embodiments of the present invention, the platform authentication strategy for the access requester can be configured in the TNC access point or the evaluation strategy service provider, and the platform authentication strategy for the access requester configured in the evaluation strategy service provider can be delivered to the TNC access point. Moreover, a component-type-level convergence platform evaluation strategy can be executed in the TNC access point or the evaluation strategy service provider, to ensure that the realization of the TCA platform authentication has good application extensibility. | 05-23-2013 |
20130139213 | MONITORING AND CONTROLLING ELECTRONIC ACTIVITY USING THIRD PARTY RULE SUBMISSION AND VALIDATION - Concepts and technologies are disclosed herein for monitoring and controlling electronic activity. A policy service can be called for policies for controlling electronic activity occurring at one or more managed devices. The policies can include a number of rules, each of which can include a number of variables. The rules can be defined by a manager device and/or received from third parties. Third party rule submissions can be validated. If electronic activity at the managed device deviates from a rule, the manager device can be notified and the electronic activity can be blocked. The manager device can update the policy and/or issue exceptions, if desired. | 05-30-2013 |
20130139214 | MULTI DIMENSIONAL ATTACK DECISION SYSTEM AND METHOD THEREOF - A method and system for protecting a protected entity using a multi-dimensional protection surface. The method comprises detecting at least one potential attack against the protected entity in incoming data traffic directed to the protected entity; detecting a type of each attack tool committing the at least one potential attack; generating a multi-dimensional protection surface by correlating a plurality of inputs related to the at least one detected attack, wherein the plurality of inputs include at least a first input identifying the at least one detected attack and a second input identifying each attack tool that performs the at least one detected attack, wherein the multi-dimensional protection surface includes at least one protection point that defines at least one attack mitigation action to mitigate the at least one detected attack; and executing the at least one attack mitigation action defined in the multi-dimensional protection surface. | 05-30-2013 |
20130139215 | METHOD AND APPARATUS FOR MASTER PRIVACY POLICY MECHANISM IN A COMMUNICATIONS NETWORK - A method, non-transitory computer readable medium and apparatus for providing a master privacy policy in a communications network are disclosed. For example, the method receives a privacy control parameter to configure a master privacy policy, stores the master privacy policy in the communications network, and applies the master privacy policy to configure a third party service provider privacy policy for a third party service provider based upon the master privacy policy. | 05-30-2013 |
20130139216 | Method and Computer Device to Control Software File Downloads - A computer device includes a download unit which downloads one or more files into a storage device. A file logging unit records a resource locator identifying a source network location of the file, when the file is downloaded, and associates the resource locator with a first fingerprint of the file. A system policy unit stores the resource locator associated with a process control policy relevant to the file. A process control unit is arranged to obtain a second fingerprint of the file upon launching a process in a runtime execution environment, retrieve the resource locator from the file logging unit by matching the second fingerprint with the first fingerprint, retrieve the process control policy from the system policy unit according to the retrieved resource locator, and selectively apply process execution privileges which determine execution of the process in the runtime execution environment according to the retrieved process control policy. | 05-30-2013 |
20130139217 | METHOD AND APPARATUS FOR EXECUTING SECURITY POLICY SCRIPT, SECURITY POLICY SYSTEM - Embodiments of the present invention provide a method and an apparatus for executing a security policy script as well as a security policy system. The method includes: verifying a signature of a security policy script to be executed, where the security policy script to be executed corresponds to a unique signature, and the signature is used to verify validity of the security policy script; and invoking a script engine to execute the security policy script to be executed after verifying that the signature of the security policy script to be executed is correct, so as to improve security of the security policy script effectively. | 05-30-2013 |
20130145418 | UPDATING SYSTEM BEHAVIOR DYNAMICALLY USING FEATURE EXPRESSIONS AND FEATURE LOOPS - Behavior of an online system is modified dynamically using feature expressions and feature loops. A feature expression can be expressed as a combination of other features or feature expressions, thereby allowing specification of complex features. The sets of feature expressions and policies of an online system can be modified while the online system is running. Feature loops aggregate values of a feature expression across a plurality of actions, for example, number of occurrences of an event over a time interval. The online system evaluates a set of feature expressions in response to actions performed by users. Feature expressions are used to specify policies that determine how the online system reacts to certain types of user actions. The ability to dynamically modify the feature expressions and policies of the online system allows the online system to adapt to attacks by malicious users in a timely manner. | 06-06-2013 |
20130145419 | Systems and Methods for Generating Trust Federation Data from BPMN Choreography - In practice, collaborative processes using web services present complex information security requirements, as a domain security model needs to conditionally control access to data and services by both internal and external collaboration participants. One embodiment presents an automated process for defining required trust relationships between collaboration participants that can be used for materializing domain IT policies. A BPMN choreography process model of a business process is parsed to extract participant and task lists. An initiating participant is identified for each task in the task list. A trust graph (can be represented in a matrix format) is generated to represent trust relationships implicit in the business process model by indicating in the trust graph that all other participants in a given task are to trust the initiating participant of that task. A registry can be used to gather data used to materialize security policies based on the trust relationships. | 06-06-2013 |
20130145420 | SECURE AUTHENTICATION USING MOBILE DEVICE - Representative embodiments of secure authentication include receiving, by a server, information from a mobile device identifying (i) the mobile device and (ii) an identifying tag read by the mobile device; accessing, by the server, a database to identify (i) a user associated with the mobile device, (ii) a secure device associated with the identifying tag, and (iii) a security policy associated with the secure device; and if the policy permits access by the identified user to the identified secure device, causing access to the secure device to be accorded to the user. | 06-06-2013 |
20130145421 | POLICY EVALUATION IN CONTROLLED ENVIRONMENT - A module may include interface logic to receive information identifying a state related to a client device via logic related to a controlled environment, and to send a valid policy result to a host device, where the valid policy result is related to the state. The module may include processing logic to process policy content according to a resource policy, where the processing is based on the information, and to produce the valid policy result based on the processing using the resource policy, where the valid policy result is adapted for use by the host device when implementing the network policy with respect to a destination device when the client device attempts to communicate with the destination device. | 06-06-2013 |
20130145422 | Security Techniques For Device Assisted Services - Methods and systems for receiving a report from an end-user device, the report comprising information about a device service state; determining, based on the report, that a particular service policy setting of the end-user device needs to be modified, the particular service policy setting associated with a service profile that provides for access to a network data service over a wireless access network and configured to assist in controlling one or more communications between the end-user device and the wireless access network, the particular service policy setting stored in a protected partition configured to deter or prevent unauthorized modifications to the particular service policy setting; and, in response to determining that the particular service policy setting needs to be modified, sending configuration information to the end-user device, the configuration information configured to assist in modifying or allowing modifications to the particular service policy setting. | 06-06-2013 |
20130145423 | METHOD, SYSTEM AND COMPUTER PROGRAM PRODUCT FOR TAGGING CONTENT ON UNCONTROLLED WEB APPLICATION - Communications by a device in a private network to a site operating outside of the network can be programmatically inspected. Unstructured data, including messages and application content, originating from outside of the network may be dynamically converted to structured data that can be tagged. Interactions and activities can be monitored and processed differently according to internal policies and/or business rules. For example, at least a portion of the structured data can be modified prior to forwarding to the device, access by the device to at least a portion of the structured data can be blocked or limited, access by the device to one or more features associated with the structured data can be blocked or limited, etc. | 06-06-2013 |
20130152153 | SYSTEMS AND METHODS FOR PROVIDING SECURITY FOR SIP AND PBX COMMUNICATIONS - The present application is directed to systems and methods for providing security for session initiation protocol (SIP) services via a single device providing an SIP proxy and video conference bridge. A device deployed as a proxy between a first client and a second client receives an SIP request of the first client to establish a real-time communication with the second client. The device determines, based on application of a policy to the first SIP request, to deny the SIP request. The device receives a real-time communication protocol request, originated by the first client, to establish a real-time communication channel with the second client. The device identifies that the first client originating the real-time communication protocol request corresponds to the first client of the denied SIP request, and discards the real-time communication protocol request, at a transport layer of a network stack of the device, responsive to the identification. | 06-13-2013 |
20130152154 | Controlling the Release of Private Information Using Static Flow Analysis - A privacy control system is described herein for controlling dissemination of private information by a program. The privacy control system operates by performing static analysis to determine at least one flow within the program of private information, from a source to a sink. The static analysis is particularly configured to identify two types of flow, including: (a) an unvetted flow of untampered private information from the source to the sink; and (b) a flow of tampered private information from the source to the sink, whether vetted or unvetted. The privacy control system then prompts the user to provide a privacy control decision regarding the flow. The privacy control decision governs whether actual data or anonymized data is provided to the sink, or whether the program is terminated. A runtime system then runs the program in accordance with the privacy control decision. | 06-13-2013 |
20130152155 | PROVIDING USER ATTRIBUTES TO COMPLETE AN ONLINE TRANSACTION - A first server device receives a request for attributes, of a user, from a second server device associated with a receiving entity. The first server device determines whether the receiving entity is entitled to receive the attributes, and authenticates an identity of the user. The first server device also identifies the attributes based on the identity when the receiving entity is entitled to receive the attributes, and transmits the identified attributes to the second server device. | 06-13-2013 |
20130152156 | VPN SUPPORT IN A LARGE FIREWALL CLUSTER - A firewall cluster comprises three or more firewall processing nodes, at least one of which is operable to establish a Virtual Private Network (VPN) network connection. A node is further operable to share VPN state information with two or more receiving nodes by sending a broadcast message to the two or more nodes. | 06-13-2013 |
20130152157 | AUTOMATIC FILTERING IN SOCIAL NETWORKS - Embodiments of the present invention provide a method, system and computer program product for automated filtering of content viewing rights in a social network. In an embodiment of the invention, a method for automated filtering of content viewing rights in a social network includes selecting content directed for publication to different members of a social network executing in memory of a host server and computing a context for the content. The method additionally includes applying a rule to the context and to at least one member profile corresponding to one of the members of the social network in order to determine whether or not the content is to be blocked from viewing by the one of the members based upon a relationship between the member profile and the computed context. Thereafter, access to the content by the one of the members is permitted when permitted by the rule. | 06-13-2013 |
20130152158 | CONFIDENTIAL INFORMATION IDENTIFYING METHOD, INFORMATION PROCESSING APPARATUS, AND PROGRAM - An information processing apparatus includes a clustering unit configured to read messages from a log and to classify the read messages into clusters according to similarities of the messages; a variable portion finding unit configured to find a portion variable between messages; an attribute determination unit configured to estimate and determine a confidential attribute of the variable portion by using predefined rules; and an attribute estimation unit configured to, in a case where there is a portion whose confidential attribute is undeterminable by using the rules, estimate the confidential attribute of the portion having the undeterminable confidential attribute with use of either a correspondence between appearance locations in the messages, or a co-appearance relation of a portion having a determined confidential attribute and the portion having the undeterminable confidential attribute. | 06-13-2013 |
20130152159 | ENHANCED LIFECYCLE MANAGEMENT OF SECURITY MODULE - A method, computer program, apparatus and a secure module are described. By way of example, in the method there are steps of receiving a request from a first entity for a secure module to enter an unlock lifecycle state; requesting confirmation to enter the unlock lifecycle state; and if the request is confirmed, transitioning the secure module from a current lifecycle state to the unlock lifecycle state. | 06-13-2013 |
20130152160 | SYSTEMS AND METHODS FOR USING CIPHER OBJECTS TO PROTECT DATA - Systems, methods, and devices configured to provide an intelligent cipher transfer object are provided. The intelligent cipher transfer object includes a set of participants protected by cloaking patterns. A portable dynamic rule set, which includes executable code for managing access to the protected set of participants, is included within the intelligent cipher transfer object. For a given user, the intelligent cipher transfer object may provide access to some of the participants while preventing access to other participants, based on the portable dynamic rule set. | 06-13-2013 |
20130152161 | METHOD AND DEVICE FOR CONTROLLING ACCESS TO OUT-OF-BAND CONTENTS FOR COMBINATION WITH TRUSTED CONTENTS, AND ASSOCIATED EQUIPMENTS - A method is intended for controlling access to out-of-band contents, provided by an out-of-band source, by at least one communication equipment connected to a managed source, providing trusted contents, and coupled to this out-of-band source. This method includes the steps of: | 06-13-2013 |
20130152162 | METHOD AND SYSTEM FOR AUTHORIZING A LEVEL OF ACCESS OF A CLIENT TO A VIRTUAL PRIVATE NETWORK CONNECTION, BASED ON A CLIENT-SIDE ATTRIBUTE - An appliance and method for authorizing a level of access of a client to a virtual private network connection, based on a client-side attribute includes the step of establishing, by an appliance, a control connection with a client upon receiving a client request to establish a virtual private network connection with a network. The appliance transmits, via the control connection, a request to the client to evaluate at least one clause of a security string, the at least one clause including an expression associated with a client-side attribute. The client transmits, via the control connection, a response to the appliance comprising a result of evaluating the at least one clause by the client. The appliance assigns the client to an authorization group based on the result of evaluation of the at least one clause. | 06-13-2013 |
20130152163 | SECURITY SYSTEM FOR PROTECTING NETWORKS FROM VULNERABILITY EXPLOITS - A system for protecting networks from vulnerability exploits comprises a security engine operable to receive a packet destined for a user's network and forward the packet to at least one host virtual machine for processing. The security engine is further operable to forward the stored packet to the user's internal network based upon a result of the processed packet. A method of securing a network from vulnerability exploits is described. The method comprises receiving a packet destined for a user's internal network; forwarding the packet to at least one virtual machine based upon a virtual machine configuration table; processing the forwarded packet on the at least one virtual machine; and releasing the packet to the user's internal network based upon results of the processing. | 06-13-2013 |
20130152164 | Taking Configuration Management Data and Change Business Process Data Into Account With Regard to Authorization and Authentication Rules - An approach receives a request from a user, typically a change implementer, on a computer system. The request includes a user identifier and a requested action. A current timestamp corresponding to a computer system clock is retrieved. Scheduled changes are retrieved from a data store accessible by the processor. The current timestamp is compared to the scheduled change periods. The requested action is allowed if the comparison reveals that the current timestamp is within one of the retrieved scheduled changes, and the requested action is denied if the comparison reveals that the current timestamp is outside of the retrieved scheduled change periods. | 06-13-2013 |
20130152165 | END USER LICENSE AGREEMENTS ASSOCIATED WITH MESSAGES - A server computing device generates a first message that, when executed by a client computing device, will initiate a transaction between the server computing device and the client computing device. The server computing device attaches an end user license agreement to the first message, wherein the end user license agreement dictates terms to be accepted by the client computing device before the transaction is initiated. The server computing device transmits the first message to the client. Responsive to the client computing device accepting the end user license agreement, the server computing device receives an accept response message from the client computing device and transmits a second message to the client computing device. | 06-13-2013 |
20130160072 | PERSONAL SPACE (DATA) V. CORPORATE SPACE (DATA) - Data management techniques are provided for handling information resources. A data management process can account for attributes of information resources by analyzing or interpreting the workspace location, source, channel and device associated with an information resource, and effectuating policies based on the attributes. Rules govern the attribute determination and policies for access restriction to the information resource. The attributes and policies determined are tagged to the information resource and are dynamically updated based on the attributes related to the information resource within different workspaces, such as a corporate workspace and a personal workspace. | 06-20-2013 |
20130160073 | Method and system for resource and admission control of home network - The disclosure provides a method for resource and admission control of a home network: the RACF of an NGN retail service provider formulates an initial policy rule according to a resource request after receiving the resource request sent by an SCF; a CPN performs an authorization check on one or more resource requests after receiving them, each of which includes the initial policy rule and is sent by an RACF of a respective NGN retail service provider, formulates a final policy rule after the authorization check is passed, and executes the final policy rule. The disclosure further provides a corresponding system for resource and admission control of a home network. Since a CGPE-FE executes the corresponding operation according to the decision result of an HPD-FE, the disclosure can avoid resource control errors such as resource desynchrony or resource inconsistency, and can improve system stability. | 06-20-2013 |
20130160074 | APPARATUS AND METHOD FOR ANALYZING RULE-BASED SECURITY EVENT ASSOCIATION - An apparatus for analyzing rule-based security event association includes a rule management unit to check whether a security event is a candidate security event requiring association analysis, and an event management unit to analyze the candidate security event and check whether the analyzed security event is the candidate security event requiring association analysis. An association processing unit analyzes whether an association event of a rule DB corresponding to a user ID of the candidate security event is matched with a user event list to generate an association analysis result. | 06-20-2013 |
20130160075 | ENTITLEMENT SECURITY AND CONTROL - A system, apparatus, and method are provided for entitlement security and control. A method of embodiments of the invention includes granting an entitlement permission upon satisfaction of entitlement rules by an entitlement request. | 06-20-2013 |
20130160076 | ACCESS AUTHORITY GENERATION DEVICE - A precedence constraint solving means generates a set of authorities without a precedence constraint into a temporary storing means from a set of authorities having a precedence constraint extracted for a role. At this moment, the precedence constraint solving means derives an authority in accordance with an order satisfying the precedence constraint from the set of authorities having the precedence constraint and, when an object of the derived authority includes an object of an authority having the same action already generated in the temporary storing means and permission/denial identifiers of both the authorities are different from each other, divides the derived authority into a plurality of authorities having objects of the same granularity as that of the included object, and stores only an authority having a different object from the included object into the temporary storing means. | 06-20-2013 |
20130167190 | MOBILE COMMUNICATION DEVICE SURVEILLANCE SYSTEM - A mobile communication device surveillance system is described. The system includes a gateway, a web server, a wireless mobile communication device, and a client device. The web server introduces the wireless mobile communication device to a gateway. The gateway authenticates the wireless mobile communication device. The gateway receives media data from the wireless mobile communication device and monitoring data from a security device connected to the gateway. The gateway aggregates the media data and the monitoring data, and communicates the aggregated data to the client device authenticated with the gateway. | 06-27-2013 |
20130167191 | SECURITY POLICY FLOW DOWN SYSTEM - A system and method are provided that distill an organization's information security plan into a detailed and unambiguous security object model. The developed security object model provides a visualization of complex relationships between individual elements and levels that is usable to carry into effect the organization's information security plan. Configuration control and a verifiable level of security compliance are provided through implementation of the organization's information security plan by the developed security object model. The developed security object model is hosted on a computing platform in communication with at least the organization's network to provide information security plan compliance, configuration control and gap analysis in a usable form to the organization. | 06-27-2013 |
20130167192 | METHOD AND SYSTEM FOR DATA PATTERN MATCHING, MASKING AND REMOVAL OF SENSITIVE DATA - Systems, methods and computer-readable media for applying policy enforcement rules to sensitive data. An unstructured data repository for storing unstructured data is maintained. A structured data repository for storing structured data is maintained. Request for information is received. The request is analyzed to determine its context. Based on the context, a policy enforcement action associated with generating a response to the request is identified. The policy enforcement action may be to remove sensitive data in generating the response to the request and/or mask sensitive data in generating a response to the request. An initial response to the request is generated by retrieving unstructured data from the unstructured data repository. Using the structured data maintained in the structured data repository, sensitive data included within the initial response is identified. The policy enforcement action is applied to the sensitive data included within the initial response to generate the response to the request. | 06-27-2013 |
20130167193 | Security policy editor - A shared computing infrastructure has associated therewith a portal application through which users access the infrastructure and provision one or more services, such as content storage and delivery. The portal comprises a security policy editor, a web-based configuration tool that is intended for use by customers to generate and apply security policies to their media content. The security policy editor provides the user the ability to create and manage security policies, to assign policies so created to desired media content and/or player components, and to view information regarding all of the customer's current policy assignments. The editor provides a unified interface to configure all media security services that are available to the CDN customer from a single interface, and to enable the configured security features to be promptly propagated and enforced throughout the overlay network infrastructure. The editor advantageously enables security features to be configured independently of a delivery configuration. | 06-27-2013 |
20130167194 | SYSTEM AND METHOD FOR DETERMINING A SECURITY ENCODING TO BE APPLIED TO OUTGOING MESSAGES - A device comprising a processor is disclosed herein. In one broad aspect, the processor is configured to: determine whether a general message encoding configuration setting at the device is set to a first setting indicating that when a security encoding is to be applied to a message, the security encoding is to be established by a policy engine, wherein the established security encoding cannot be overridden by a security encoding selection algorithm at the device; and if the general message encoding configuration setting is set to the first setting, transmit the message to at least one message recipient via the policy engine such that the policy engine applies the security encoding to the message prior to the policy engine transmitting the message. | 06-27-2013 |
20130174210 | SYSTEM FOR DATA FLOW PROTECTION AND USE CONTROL OF APPLICATIONS AND PORTABLE DEVICES CONFIGURED BY LOCATION - The present invention relates to a system for implementing a firewall service on portable devices such as mobile phones, tablets or notebooks, whose security settings change depending on the location where the devices are. More specifically, the invention relates to a method of protecting data flow and controlling the use of devices and functional applications present in a portable device, configured according to their location. | 07-04-2013 |
20130174211 | Method And Apparatus Providing Privacy Setting And Monitoring User Interface - A method and an apparatus provide for operating a user interface of a device to receive from a user, for individual ones of a plurality of user privacy categories, a user privacy setting; to map each user privacy setting to one or more device sensors to form a sensor policy for the user privacy category; and to monitor application program accesses to device sensors to detect a violation of a sensor policy. An aspect of the exemplary embodiments of this invention is the user interface that can represent privacy levels of each application program to the user in a “user-friendly” format. Another aspect of the exemplary embodiments is to provide the user device with an ability to detect and act on or at least report privacy violations by the application programs. | 07-04-2013 |
20130174212 | Indication of Authorized and Unauthorized PCC Rules - Various exemplary embodiments relate to a method and related network node including one or more of the following: receiving the set of PCC rules at the network device from a partner device; determining that the set of PCC rules includes an unauthorized PCC rule, wherein the unauthorized PCC rule fails an authorization; determining that the set of PCC rules includes an authorized PCC rule, wherein the authorized PCC rule passes the authorization; generating an unauthorized rules list including an indication of the unauthorized PCC rule; generating an authorized rules list including an indication of the authorized PCC rule; transmitting the unauthorized rules list and the authorized rules list to the partner device. | 07-04-2013 |
20130174213 | IMPLICIT SHARING AND PRIVACY CONTROL THROUGH PHYSICAL BEHAVIORS USING SENSOR-RICH DEVICES - A system for automatically sharing virtual objects between different mixed reality environments is described. In some embodiments, a see-through head-mounted display device (HMD) automatically determines a privacy setting associated with another HMD by inferring a particular social relationship with a person associated with the other HMD (e.g., inferring that the person is a friend or acquaintance). The particular social relationship may be inferred by considering the distance to the person associated with the other HMD, the type of environment (e.g., at home or work), and particular physical interactions involving the person (e.g., handshakes or hugs). The HMD may subsequently transmit one or more virtual objects associated with the privacy setting to the other HMD. The HMD may also receive and display one or more other virtual objects from the other HMD based on the privacy setting. | 07-04-2013 |
20130174214 | Management Tracking Agent for Removable Media - A management agent stored on removable storage media is operable, when the storage media is coupled with a host device, to, via the host device, track data events and report the data events to a remote management console. | 07-04-2013 |
20130174215 | Multi-Layer System for Privacy Enforcement and Monitoring of Suspicious Data Access Behavior - A method for controlling data access in a data-at-rest system includes executing a link intrusion prevention analysis between multiple layers of the data-at-rest system, introducing a privacy policy at enforcement points that span multiple system layers, and dynamically altering the privacy policy. | 07-04-2013 |
20130174216 | Application of Differential Policies to at Least One Digital Document - In a method ( | 07-04-2013 |
20130174217 | ACCESS CONTROL INFORMATION GENERATING SYSTEM | 07-04-2013 |
20130174218 | SECURITY POLICY ENFORCEMENT SYSTEM AND SECURITY POLICY ENFORCEMENT METHOD - An object of the present invention is to distribute a processing load of security measures and enforce a security policy to be applicable to a large system. Policy information indicating a security measure to be executed on user information transmitted from a client to a server is stored in a policy storing section. Measure arrangement information indicating the security measure executable in each of a plurality of policy enforcement sections is stored in a measure-arrangement storing section. Among the plurality of policy enforcement sections, one or more of the policy enforcement sections that execute the security measure on the user information are selected on the basis of the policy information and the measure arrangement information. Each of the one or more policy enforcement sections executes the security measure on the user information and outputs, on the basis of a selection result, the user information to the other policy enforcement sections among the one or more policy enforcement sections or to the server. | 07-04-2013 |
20130179936 | Security policy management using incident analysis - A security analytics system receives incident data (from an incident management system) and security policy information (from a security policy management system). The security analytics system evaluates these data sets against one another, preferably using a rules-based analysis engine. As a result, the security analytics system determines whether a particular security policy configuration (as established by the security policy management system) needs to be (or should be) changed, e.g., to reduce the number of incidents caused by a misconfiguration, to increase its effectiveness in some manner, or the like. As a result of the evaluation, the security analytics system may cause a policy to be updated automatically, notify an administrator of the need for the change (and the recommendation), or take some other action to evolve one or more security policies being enforced by the security policy management system. | 07-11-2013 |
20130179937 | SECURITY MODEL ANALYSIS - A customized security model template is created that is customized for a specific organization's security related procedures. The customized security model template is instantiated with parameters associated with the organization to create an instantiated security model, and a report is produced based on simulations of the instantiated security model that specifies metrics of the organization's security implementation. | 07-11-2013 |
20130179938 | Security policy management using incident analysis - A security analytics system receives incident data (from an incident management system) and security policy information (from a security policy management system). The security analytics system evaluates these data sets against one another, preferably using a rules-based analysis engine. As a result, the security analytics system determines whether a particular security policy configuration (as established by the security policy management system) needs to be (or should be) changed, e.g., to reduce the number of incidents caused by a misconfiguration, to increase its effectiveness in some manner, or the like. As a result of the evaluation, the security analytics system may cause a policy to be updated automatically, notify an administrator of the need for the change (and the recommendation), or take some other action to evolve one or more security policies being enforced by the security policy management system. | 07-11-2013 |
20130179939 | METHOD AND APPARATUS FOR PROVIDING EXTENDED AVAILABILITY OF REPRESENTATIVES FOR REMOTE SUPPORT AND MANAGEMENT - A network appliance is configured to determine a security policy controlled by a system of an organization. The network appliance creates an association between the security policy and support agent access to the system. The network appliance creates portals where the access is based on the security policy and access includes connectivity for providing remote support service to the system from a remote support service disconnected from the system. | 07-11-2013 |
20130185762 | METHOD, APPARATUS, SIGNALS AND MEDIUM FOR ENFORCING COMPLIANCE WITH A POLICY ON A CLIENT COMPUTER - A method and system for enforcing compliance with a policy on a client computer in communication with a network is disclosed. The method involves receiving a data transmission from the client computer on the network. The data transmission includes status information associated with the client computer. The data transmission is permitted to continue when the status information meets a criterion. | 07-18-2013 |
20130185763 | DISTRIBUTED PROCESSING SYSTEM, DISTRIBUTED PROCESSING METHOD AND COMPUTER-READABLE RECORDING MEDIUM - A distributed processing system | 07-18-2013 |
20130191878 | ACCESSING ENTERPRISE RESOURCE PLANNING DATA FROM A HANDHELD MOBILE DEVICE - A user can access data from an ERP system, through a handheld mobile device, using claims-based authentication information. An authentication service authenticates the user, using an appropriate authenticator, given the claims-based authentication information. New users can register, and once registered, they can receive business data from ERP mobile data accessing system and push service. | 07-25-2013 |
20130191879 | METHODS AND SYSTEMS FOR INFORMATION ASSURANCE AND SUPPLY CHAIN SECURITY - In accordance with additional embodiments of the present disclosure, a method may include storing information regarding one or more components of the information handling system to a database, the database stored on a basic input/output system (BIOS) of the information handling system prior to shipment of an information handling system. The method may also include, between the time of shipment of the information handling system to receipt of the information handling system by an intended customer of the information handling system: logging events associated with one or more components of the information handling system, and storing information associated with the events in the database. The method may further include interfacing with an authorized user of the information associated with the events to allow the authorized user to access the information associated with the events. | 07-25-2013 |
20130191880 | DOCUMENT COMMUNICATION RUNTIME INTERFACES - A set of protocols support a common script object model for document interaction that crosses document types and runtime environments. A cross frame browser-based protocol may provide a secure, scalable, and asynchronous mechanism for transmitting script object model requests to document hosts and managing responses to developer code in standards-compliant browsers. A hostable runtime Application Programming Interface (API) may provide a secure, scalable, and asynchronous protocol to transmit script object model requests across process boundaries to document hosts back to developer code with minimum performance impact on the document host. | 07-25-2013 |
20130198797 | REMOTE TRUST ATTESTATION AND GEO-LOCATION OF SERVERS AND CLIENTS IN CLOUD COMPUTING ENVIRONMENTS - Methods and systems may provide for selecting a hypervisor protocol from a plurality of hypervisor protocols based on a communication associated with a remote agent. The selected hypervisor protocol may be used to conduct a trust analysis of one or more digitally signed values in the communication, wherein a cloud attestation request may be processed based on the trust analysis. Processing the cloud attestation request may involve generating a trustworthiness verification output, a geo-location verification output, etc., for a cloud computing node corresponding to the remote agent. | 08-01-2013 |
20130198798 | E-MAIL FIREWALL WITH POLICY-BASED CRYPTOSECURITY - An e-mail firewall applies policies to e-mail messages between a first site and second sites in accordance with administrator-selectable policies. The firewall includes a simple mail transfer protocol relay for causing the e-mail messages to be transmitted between the first site and selected ones of the second sites. Policy managers enforce administrator-selectable policies relative to one or more of encryption and decryption, signature, source/destination, content and viruses. | 08-01-2013 |
20130198799 | ROLE-BASED ACCESS CONTROL PERMISSIONS - Devices, systems, and methods for role-based access control permissions are disclosed. One method includes a policy decision point that receives up-to-date security context information from one or more outside sources to determine whether to grant access for a data client to a portion of the system and creates an access vector including the determination; receiving, via a policy agent, a request by the data client for access to the portion of the computing system by the data client, wherein the policy agent checks to ensure there is a session established with communications and user/application enforcement points; receiving, via communications policy enforcement point, the request from the policy agent, wherein the communications policy enforcement point determines whether the data client is an authorized node, based upon the access vector received from the policy decision point; and receiving, via the user/application policy enforcement point, the request from the communications policy enforcement point. | 08-01-2013 |
20130198800 | POLICY-BASED SELECTION OF REMEDIATION - Methods and systems for automatically determining one or more remediations for a remotely monitored host asset are provided. According to one embodiment, a policy database, having stored therein policies that define at least one parameter condition, violation of which is potentially indicative of unauthorized activity or manipulation of the host asset, is maintained by a remote server. The remote server receives, via a network, a value of a parameter of the host asset. The parameter value is one of multiple parameter values that collectively characterize an operational state of the host asset. A determination is made whether there is a policy violation based on the parameter value by retrieving and evaluating one or more policies with reference to the parameter value. When a policy violation is confirmed, a remediation is retrieved from a remediation database associated with the remote server and the remediation is deployed to the host asset. | 08-01-2013 |
20130198801 | AUTHENTICATION COLLABORATION SYSTEM AND ID PROVIDER DEVICE - An ID provider device according to an embodiment includes a policy information storage unit that stores policy information representing a user of a target to whom transmission of service data is permitted, an authentication collaboration request preliminary processing unit that performs a policy evaluation process and an account collaboration process at a timing according to a log-in status of a user terminal when an authentication collaboration request is received, and an authentication collaboration request transfer unit that transfers the authentication collaboration request to the authentication collaboration request preliminary processing unit when the authentication collaboration request is received from the service provider device. | 08-01-2013 |
20130198802 | ON BOARD VEHICLE MEDIA CONTROLLER - The present disclosure describes a microprocessor executable media controller operable to receive a media stream from a remote node, the received media stream being for an occupant associated with an on board vehicle input/output system, identify which on board vehicle input/output systems are restricted due to operator command and/or as a result of a governing law, and provide the media stream, in compliance with any restriction, to a selected input/output system associated with the occupant. | 08-01-2013 |
20130198803 | WHITE LISTING DNS TOP-TALKERS - Systems and methods for creating a list of trustworthy resolvers in a domain name system. A computer receives a resolver profile for a resolver sending queries to a domain name server. The resolver profile is based on any, or a combination, of a top-talker status of the resolver, a normalcy of distribution of domain names queried, a continuity of distribution of query type, an RD bit status, and information related to query traffic based on the topology of the domain name server. Resolver profiles can be compared to a trust policy to determine whether the resolver is trustworthy. Resolvers deemed trustworthy can be added to a list of trustworthy resolvers. Embodiments can detect the occurrence of a network-based attack. Embodiments can mitigate the effect of a network-based attack by responding only to queries from resolvers on the list of trustworthy resolvers. | 08-01-2013 |
20130205359 | Policy and compliance management for user provisioning systems - A user provisioning system is extended to enable account reconciliation to occur in conjunction with a provisioning request. In response to a user provisioning request, a determination is made whether the user provisioning request is to be extended by including a reconciliation request. If so, the reconciliation request is piggy-backed on top of the provisioning request. This approach enables the reconciliation operation to be scoped to just the particular user account that is the subject to the provisioning operation, and it enables reconciliation to be carried out much more frequently as compared to the periodic, batch-oriented approach of prior techniques. | 08-08-2013 |
20130205360 | PROTECTING USER CREDENTIALS FROM A COMPUTING DEVICE - Protecting user credentials from a computing device includes establishing a secure session between a computing device and an identity provider (e.g., a Web service). Parameters of the secure session are communicated to a credential service, which renegotiates or resumes the secure session to establish a new secure session between the credential service and the identity provider. User credentials are passed from the credential service to the identity provider via the new secure session, but the computing device does not have the parameters of the new secure session and thus does not have access to the passed user credentials. The credential service then renegotiates or resumes the secure session again to establish an additional secure session between the credential service and the identity provider. Parameters of the additional secure session are communicated to the computing device to allow the computing device to continue communicating securely with the identity provider. | 08-08-2013 |
20130205361 | DYNAMIC THREAT PROTECTION IN MOBILE NETWORKS - In general, techniques are described for dynamic threat protection in mobile networks. A network system comprising a network security device and a management system may implement the techniques. The management system includes a network server having a shared database. A mobile device manager (MDM) of the management system receives a report message from a mobile device, specifying a threat to a mobile network. The MDM publishes the threat to the shared database. A network management system (NMS) of the management system receives data from the shared database identifying the threat and generates a security policy that specifies actions to address the threat. The NMS then installs the security policy in the network security device so that the network security device performs the actions of the security policy to address the threat. | 08-08-2013 |
20130205362 | CENTRALIZED OPERATION MANAGEMENT - A novel security framework that is part of an operating system of a device is provided. The framework includes a security assessor that performs security policy assessments for different operations that need to be performed with respect to an application executing on the device. Examples of such operations include the installation of the application, execution of the application, and the opening of content files (e.g., opening of documents) by the application. | 08-08-2013 |
20130205363 | CENTRALIZED OPERATION MANAGEMENT - A novel security framework that is part of an operating system of a device is provided. The framework includes a security assessor that performs security policy assessments for different operations that need to be performed with respect to an application executing on the device. Examples of such operations include the installation of the application, execution of the application, and the opening of content files (e.g., opening of documents) by the application. | 08-08-2013 |
20130205364 | CENTRALIZED OPERATION MANAGEMENT - A novel security framework that is part of an operating system of a device is provided. The framework includes a security assessor that performs security policy assessments for different operations that need to be performed with respect to an application executing on the device. Examples of such operations include the installation of the application, execution of the application, and the opening of content files (e.g., opening of documents) by the application. | 08-08-2013 |
20130205365 | Policy and compliance management for user provisioning systems - A user provisioning system is extended to enable account reconciliation to occur in conjunction with a provisioning request. In response to a user provisioning request, a determination is made whether the user provisioning request is to be extended by including a reconciliation request. If so, the reconciliation request is piggy-backed on top of the provisioning request. This approach enables the reconciliation operation to be scoped to just the particular user account that is the subject to the provisioning operation, and it enables reconciliation to be carried out much more frequently as compared to the periodic, batch-oriented approach of prior techniques. | 08-08-2013 |
20130205366 | DYNAMIC CATEGORIZATION OF APPLICATIONS FOR NETWORK ACCESS IN A MOBILE NETWORK - Systems and methods of dynamic categorization of applications for network use and access in a mobile network are disclosed. Using application profile information, applications can be categorized into one of multiple categories that define restrictions on the application's access to the wireless network or cellular network. One example of such categories is the concept of black, white and grey listings. The “white” listed applications may be always allowed access, “black” listed applications may never or almost never be granted network access (e.g., the application may be malware-like or otherwise consume large amounts of network/device resources), and grey listed applications may be granted access based on one or more criteria. | 08-08-2013 |
20130205367 | Methods and Systems for Active Data Security Enforcement During Protected Mode Use of a System - Systems and methods are provided for enforcing data security. One example method includes receiving user identification information from a screen of a device that is connectable to a database of secure information. The method includes authenticating the user identification information. The authenticating includes capturing image data of a user associated with the user identification information. The method provides access to the database of secure information upon authenticating the user identification information, such that while the access is provided the capturing of the image data of the user is maintained. The method includes recording data of user interactive input and viewed images displayed on the screen while the access is provided. The method disables the access to the database of secure information upon detecting a predefined security enforcement violation associated with an activity by the user during access to the database. The method is executed by a processor. | 08-08-2013 |
20130205368 | RETROSPECTIVE POLICY SAFETY NET - These and other objectives are attained with a method and system for evaluating an access policy change. The method comprises the step of providing an access control mechanism having a first policy, and an audit log having entries of accesses made under that first policy. The method comprises the further steps of submitting a second policy to the access control mechanism, comparing the log entries to the second policy, and based on the results of the comparing step, taking one of a predetermined number of actions. | 08-08-2013 |
20130212637 | MIGRATION OF CREDENTIALS AND/OR DOMAINS BETWEEN TRUSTED HARDWARE SUBSCRIPTION MODULES - Systems, methods, and instrumentalities are disclosed that allow a user to initiate migration of a credential from one domain to another domain. A request to initiate a migration of credentials from a first domain to a second domain may be initiated by a user ( | 08-15-2013 |
20130212638 | SYSTEMS AND METHODS FOR TESTING ONLINE SYSTEMS AND CONTENT - Systems and methods are provided for automatically monitoring the compliance of web pages and graphical user interfaces with governmental and self-regulatory privacy and security policies. In accordance with one implementation, a method is provided in which an instruction to execute an operation on content associated with at least one web page is generated. The operation may include at least one of (i) a scanning operation that generates forensic data corresponding to the web page or (ii) an analytical operation that analyzes at least a portion of the forensic data corresponding to the web page. The method further comprises obtaining output data associated with the executed operation, and generating information indicative of the compliance of the web page with at least one of a privacy regulation or a security regulation, the information being generated based on the output data. | 08-15-2013 |
20130212639 | Method, System And Apparatus For Improving Security Level Of A Terminal When Surfing Internet - A method, system, and apparatus for improving the security level of a terminal when it surfs the Internet. The method includes receiving, by a network side, network security information reported by a terminal, generating a network security policy according to the network security information reported by each terminal, and transmitting a security indication of the network security policy to the terminal; and providing, by the terminal, a security prompt for network information to be obtained or having been obtained, according to the security indication. Various embodiments can improve the security level of the terminal when it surfs the Internet and save resources of the terminal. | 08-15-2013 |
20130212640 | METHODS AND SYSTEMS FOR AUTHENTICATING USERS - A method of authenticating users to reduce transaction risks includes indicating a desire to conduct a transaction, inputting information in a workstation, and determining whether the inputted information is known. Moreover, the method includes determining a state of a communications device when the inputted information is known, and transmitting a biometric authentication request from a server to a workstation when the state of the communications device is enrolled. Additionally, the method includes obtaining biometric authentication data in accordance with a biometric authentication data capture request with the communications device, biometrically authenticating the user, generating a one-time pass-phrase and storing the one-time pass-phrase on the authentication system when the user is authenticated, comparing the transmitted one-time pass-phrase against the stored one-time pass-phrase, and conducting the transaction when the transmitted and stored one-time pass-phrases match. | 08-15-2013 |
20130212641 | DISTRIBUTED NETWORK INSTRUMENTATION SYSTEM - A distributed network instrumentation system ( | 08-15-2013 |
20130219451 | Document digest allowing selective changes to a document - Methods and apparatus, including computer program products, implementing and using techniques for digital rights management. A set of content items is defined in an electronic document based on a set of rules. The rules in the set of rules are associated with one or more operations that can be performed on content items in the electronic document. The set of content items include only content items that are invariant to the operations associated with the rules in the set of rules. A representation of the content items in the set of content items is generated. An electronic document is also described. | 08-22-2013 |
20130219452 | BUS MONITOR FOR ENHANCING SOC SYSTEM SECURITY AND REALIZATION METHOD THEREOF - The present invention discloses a bus monitor for enhancing SOC system security and a realization method thereof. The bus monitor, disposed between a system bus and a system control unit, includes a configuration unit, a condition judgment unit, an effective data selection unit, a hardware algorithm unit and a comparative output unit. Without affecting bus access efficiency, the present invention provides a method capable of monitoring bus behavior in real time, and the detection system determines whether a particular serial bus access behavior has been changed by an accidental fault or an intentionally induced fault. If the particular serial bus access behavior has changed, the present invention warns the system to adopt a suitable security measure to prevent hidden security risks and leakage of classified information caused by an incorrect system security process. | 08-22-2013 |
20130219453 | DATA LEAK PREVENTION FROM A DEVICE WITH AN OPERATING SYSTEM - A data leak from a computer can be prevented by intercepting one or more system calls from an unknown application and applying different policies to the intercepted action associated with the system call(s) depending on the data itself and the metadata of a document associated with the system call. | 08-22-2013 |
20130219454 | LOCATION-BASED SECURITY SYSTEM FOR PORTABLE ELECTRONIC DEVICE - A location-dependent security method and system for a portable electronic device is disclosed. Without requiring that the user enter any location information, the system determines one or more familiar areas for the device based on locations where the device has received at least a threshold amount of successful user authentication entries. Thereafter, when a user attempts to access the device or an application of the device, the device will implement a first authentication process if the device is in one of the familiar areas, or a different authentication process if the device is not in one of the familiar areas. | 08-22-2013 |
20130219455 | CERTIFICATE MANAGEMENT METHOD BASED ON CONNECTIVITY AND POLICY - Plural modes of operation may be established on a mobile device. Specific modes of operation of the mobile device may be associated with specific spaces in memory. By associating the existing certificate store structure and key store structure with a mode of operation, certificates and keys can be assigned to one space among plural spaces. Furthermore, management (viewing/importation/deletion) of certificates associated with specific modes of operation may be controlled based on the presence or absence of a mobile device administration server and the status (enabled/disabled) of an IT policy. | 08-22-2013 |
20130219456 | Secure Virtual File Management System - A virtual file management system provides user access to managed content on mobile devices. The system comprises storage domains storing the managed content distributively using file systems, and a data infrastructure that organizes the managed content into a virtual file system that maintains information of storage domain specific file system primitives for accessing corresponding portions of the managed content. The data infrastructure, which maintains metadata of the storage domains and the mobile devices, comprises a policy definition and decision component that maintains policies defining controls for permissible operations on the managed content, the permissible operations including the file system primitives. A client application hosted on the mobile devices is coupled to the data infrastructure and the storage domains and includes an enforcement component that communicates with the policy definition and decision component to retrieve and enforce the policies by applying the controls on the mobile devices. | 08-22-2013 |
20130219457 | System and Method for Providing Network Security to Mobile Devices - A small piece of hardware connects to a mobile device and filters out attacks and malicious code. Using the piece of hardware, a mobile device can be protected by greater security and possibly by the same level of security offered by its associated corporation/enterprise. In one embodiment, a mobile security system includes a connection mechanism for connecting to a data port of a mobile device and for communicating with the mobile device; a network connection module for acting as a gateway to a network; a security policy for determining whether to forward content intended for the mobile device to the mobile device; and a security engine for executing the security policy. | 08-22-2013 |
20130219458 | METHODS AND SYSTEMS FOR SECURE DIGITAL CONTENT DISTRIBUTION AND ANALYTICAL REPORTING - The present disclosure relates to methods and systems for securely distributing digital content and analytical reporting. In one aspect, a system for restricting access of digital content to a predetermined number of devices includes a content distribution system that can receive a specification of a predetermined number of devices to which digital content of a publisher may be accessed by one or more users on devices to be identified at time of distribution. The content distribution system can receive a request from a device to access the digital content and identify that the device has not been previously activated by the content distribution system to access the digital content. The content distribution system can restrict the device from accessing the digital content in response to determining that a number of devices from which the digital content has been accessed has reached the predetermined number of devices for that digital content. | 08-22-2013 |
20130219459 | CONTENT MANAGEMENT SYSTEMS AND METHODS - This disclosure relates to systems and methods for managing content. In one embodiment, a method of managing electronic content from a plurality of a user's computing devices is disclosed. Content from the devices is automatically uploaded to a media hub service that securely routes, processes, synchronizes, and/or stores the content in accordance with one or more user-specified policies. | 08-22-2013 |
20130219460 | Remote Security Self-Assessment Framework - A system for security self-assessment for a computer platform. The system comprises a memory, a processor, and an application stored in the memory. When executed by the processor, the application in association with a call to action transmits security self-assessment logic and at least one security self-assessment policy to a computer platform, wherein the security self-assessment policy defines at least one scan tool to be used by the security self-assessment logic when executed on the computer platform to perform a security self-assessment of the computer platform. The system further comprises a plurality of scan tools stored in the memory and accessible for downloading by the computer platform. The security self-assessment logic is configured to cause a processor of the computer platform to download at least one scan tool defined by the security self-assessment policy and to perform a security self-assessment. | 08-22-2013 |
20130219461 | AUTHENTICATION COLLABORATION SYSTEM, ID PROVIDER DEVICE, AND PROGRAM - A policy storage unit of an ID provider device according to an embodiment stores, for each service provider ID, policy information representing the users to whom transmission of service data is permitted and policy information representing the users whose permission to receive service data is to be deleted. When a predetermined cycle comes or when the use status of the service provider device changes, the ID provider device acquires use status information transmitted from the service provider device and updates a service use status storage unit based on the acquired use status information. When the service use status storage unit is updated, the ID provider device decides a deletion target account for each service provider ID. | 08-22-2013 |
20130219462 | GENERATING A DISTRIBUTION PACKAGE HAVING AN ACCESS CONTROL EXECUTION PROGRAM FOR IMPLEMENTING AN ACCESS CONTROL MECHANISM AND LOADING UNIT FOR A CLIENT - A data distribution system, method and program for generating a distribution package that delivers distribution data to a client. The environment of a requesting client that requests the distribution data is detected. A determination is made of an access control execution program for implementing an access control mechanism and of a loading unit on the requesting client. The access control execution program is adapted to the detected environment of the requesting client and controls access to a resource from a process in the client. The loading unit loads the distribution data into a protected storage area of the client. A determination is made of the security policy specified for the distribution data. A distribution package is generated including the distribution data, the security policy, the loading unit, and the access control execution program adapted to the environment of the requesting client, and the generated distribution package is transmitted to the requesting client. | 08-22-2013 |
20130219463 | Methods and Systems for Enterprise Data Use Monitoring and Auditing User-Data Interactions - A method for managing data use of an enterprise is disclosed. The method includes receiving login parameters from a user associated with user identification information. The method authenticates the login parameters and the user information to determine whether the login parameters match the user identification information. The method provides access to specific data in a database that stores enterprise information. Upon providing access, the method initiates video capture of a viewing space for the screen, the viewing space being configured to include the location where the user associated with the user identification information is predefined to reside when accessing the specific data. During the video capture, the method captures the image data presented on the screen and the input received by the user interface of the screen. The method then binds the video capture to the captured image data presented on the screen and the input received. | 08-22-2013 |
20130219464 | METHOD FOR STANDARDIZING COMPUTER SYSTEM ACTION - A method for standardizing computer system action, including: intercepting an invoking command; obtaining the data structure of the intercepted invoking command; determining the sponsor of the intercepted invoking command based on the obtained data structure, and determining the operation method and operation object of the intercepted invoking command; matching the sponsor, the operation method and the operation object of the intercepted invoking command against rules for standardizing computer system action; and judging whether to allow execution of the intercepted invoking command. The present disclosure determines the sponsor of the intercepted invoking command according to the data structure of the invoking command, and can comprehensively monitor the computer system. Whenever the sponsor is found to be malicious, the disclosure does not allow execution of the intercepted invoking command, thus detecting illegal operations comprehensively and effectively. | 08-22-2013 |
20130227634 | SYSTEM AND METHOD FOR PROTECTING SERVICE-LEVEL ENTITIES - An architecture is provided for protecting service-level entities. Such an architecture may escrow service requests prior to forwarding the requests to the service, and checking may be performed prior to releasing the request to the service. A crumple zone (CZ) architecture may be provided that buffers incoming service requests and may intercept attacks and/or sustain damage in lieu of the services being protected. The CZ may include an outward interface that is accessed by other entities, and the underlying service is not accessed directly. Elements of the CZ receive service requests, analyze them, and determine whether they can be safely executed by the underlying service. | 08-29-2013 |
20130227635 | Mechanism for Applying Security Category Labels to Multi-Tenant Applications of a Node in a Platform-as-a-Service (PaaS) Environment - A mechanism for applying security category labels to multi-tenant applications of a node in a PaaS environment is disclosed. A method of embodiments includes generating, by a virtual machine (VM), a unique security category label (SCL) for each local user identification (UID) maintained by the VM, assigning, for each local UID maintained by the VM, the unique SCL associated with the local UID to one or more Internet Protocol (IP) addresses mapped to the local UID, receiving a request to initialize an application on the VM, assigning a local UID of the local UIDs maintained by the VM to the application, assigning files of the application the unique SCL associated with the local UID of the application, and assigning the unique SCL associated with the local UID of the application to a running process of the application. | 08-29-2013 |
20130227636 | OFF-DEVICE ANTI-MALWARE PROTECTION FOR MOBILE DEVICES - Techniques for off-device anti-malware protection for mobile devices are disclosed. In some embodiments, off-device anti-malware protection for mobile devices includes receiving a software inventory for a mobile device, in which the software inventory identifies a plurality of applications installed on the mobile device; and determining whether one or more of the plurality of applications identified in the software inventory are associated with malware based on a policy. In some embodiments, the off-device anti-malware protection for mobile devices further includes enforcing the policy on the mobile device. In some embodiments, the off-device anti-malware protection for mobile devices is provided as a cloud service. | 08-29-2013 |
20130227637 | METHOD AND APPARATUS FOR MANAGEMENT OF MULTIPLE GROUPED RESOURCES ON DEVICE - A method and computing device for managing grouped resources comprising receiving, at the computing device, a policy for a set of grouped resources; applying the policy; locking at least one of the computing device or the set of grouped resources associated with the policy; waiting for receipt of an authentication parameter at the computing device; verifying the authentication parameter; associating the set of grouped resources with the authentication parameter; and unlocking the at least one of the computing device or the set of grouped resources. | 08-29-2013 |
20130227638 | PROVISIONING AUTHORIZATION CLAIMS USING ATTRIBUTE-BASED ACCESS-CONTROL POLICIES - Disclosed are methods and devices for provisioning authorization claims, which are enforced to control access of users to objects (resources) in a computer system ( | 08-29-2013 |
20130227639 | PROVISIONING ACCESS CONTROL USING SDDL ON THE BASIS OF A XACML POLICY - A method is disclosed, and a corresponding data carrier and policy converter, for producing at least one Security Descriptor Definition Language, SDDL, rule from an eXtensible Access Control Markup Language, XACML, policy (P), wherein said at least one SDDL rule is enforceable for controlling access to one or more resources in a computer network. A reverse query is produced indicating a given decision (d), which is one of permit access and deny access, and a set (R) of admissible access requests. Based on the reverse query, the XACML policy (P) and the given decision (d) are translated into a satisfiable logic proposition in Boolean variables (v | 08-29-2013 |
20130227640 | METHOD AND APPARATUS FOR WEBSITE SCANNING - Described is a website scanning apparatus comprising a policy analysis device for determining whether a link in a target website belongs to a known web application used by the target website. If the link belongs to the identified web application, then a vulnerability scanning is not performed on the link; a crawler device for obtaining the link content that the link points to; a web application identification device for determining whether the link belongs to a known web application; a full scan device for performing a full vulnerability scanning on a link determined as not belonging to the known web application; and a known web application vulnerability detection device for performing vulnerability detection for the identified web application according to known vulnerabilities to determine whether the known vulnerabilities exist in the website. A website scanning method employed by the website scanning apparatus is also described. | 08-29-2013 |
20130227641 | SYSTEMS AND METHODS TO ENFORCE SECURITY POLICIES ON THE LOADING, LINKING, AND EXECUTION OF NATIVE CODE BY MOBILE APPLICATIONS RUNNING INSIDE OF VIRTUAL MACHINES - Methods and systems described herein relate to enhancing security on a device by enforcing one or more policies on the loading, linking, and/or executing of native code by one or more applications executing on the device. | 08-29-2013 |
20130232539 | METHOD AND SYSTEM FOR CONTROLLING DATA ACCESS TO ORGANIZATIONAL DATA MAINTAINED IN HIERARCHICAL - Embodiments are described for a system and method of controlling access to information in an organization by defining a hierarchical organizational structure of boxes, and security configuration comprising user records, security roles, rules to map users to boxes, and rules to grant roles to users via mapped boxes. Access control is applied in the context of a defined organizational structure using the effective set of access control policies computed in real time per each data access request from any given user. | 09-05-2013 |
20130232540 | METHOD AND SYSTEM FOR APPLICATION-BASED POLICY MONITORING AND ENFORCEMENT ON A MOBILE DEVICE - A method and system for application-based monitoring and enforcement of security, privacy, performance and/or other policies on a mobile device includes incorporating monitoring and policy enforcement code into a previously un-monitored software application package that is installable on a mobile device, and executing the monitoring and policy enforcement code during normal use of the software application by a user of the mobile device. | 09-05-2013 |
20130232541 | Policy-driven approach to managing privileged/shared identity in an enterprise - Access to a privileged account is managed by first requiring authentication of a user logging into the account and then performing a policy evaluation to determine whether the identified user is allowed to log in using the privileged identity. Preferably, the authentication is a two-factor authentication. The policy evaluation preferably enforces a policy, such as a role-based access control, a context-based access control, a combination of such access controls, or the like. Thus, according to this approach, the entity is granted access to the privileged account if the user's identity is verified and the policy is met. Conversely, the entity is denied access to the privileged account if either the authentication fails or (assuming authentication succeeds) the policy criteria for the user are not met. | 09-05-2013 |
20130232542 | SYSTEM AND METHOD TO PROVIDE SERVER CONTROL FOR ACCESS TO MOBILE CLIENT DATA - Systems and methods for protecting a data item include, upon initiation of transfer of the data item from a server to a client device, determining a sensitivity score and a current protection level of the data item. A policy is applied to determine an appropriate protection for the data item based upon the sensitivity score and the current protection level. A protected data item is provided to the client device by applying the appropriate protection to the data item. | 09-05-2013 |
20130232543 | SYSTEM AND METHOD TO PROVIDE SERVER CONTROL FOR ACCESS TO MOBILE CLIENT DATA - Systems and methods for protecting a data item include, upon initiation of transfer of the data item from a server to a client device, determining a sensitivity score and a current protection level of the data item. A policy is applied to determine an appropriate protection for the data item based upon the sensitivity score and the current protection level. A protected data item is provided to the client device by applying the appropriate protection to the data item. | 09-05-2013 |
20130232544 | SYSTEM AND METHOD FOR PERFORMING PARTIAL EVALUATION IN ORDER TO CONSTRUCT A SIMPLIFIED POLICY - The present invention proposes methods and devices for constructing a simplified attribute-based access control policy, which more faithfully reproduces not only Permit and Deny decisions but also data relating to errors and quasi-errors resulting from the evaluation. To this end, the simplified policy includes new data fields for storing intermediate results. The invention further provides improved simplification rules allowing partial evaluation to be used in a broader range of situations. | 09-05-2013 |
20130239166 | Operating Large Scale Systems and Cloud Services With Zero-Standing Elevated Permissions - Large scale system operation may be provided. Upon receiving an action request from a user, a determination may be made as to whether the user requires elevated permissions to perform the action request. In response to determining that the user requires elevated permissions to perform the action request, the action request may be forwarded to a lockbox for evaluation and a permission response may be received from the lockbox. | 09-12-2013 |
20130239167 | CONTROLLING ENTERPRISE ACCESS BY MOBILE DEVICES - A system comprising at least one component running on at least one server and receiving vulnerability data and, for each device of a plurality of devices, device data that includes data of at least one device component. The system includes a trust score corresponding to each device of the plurality of devices and representing a level of security applied to the device. The trust score is generated using a severity of the vulnerability data. The system includes an access control component coupled to the at least one component and controlling access of the plurality of devices to an enterprise using the trust score. | 09-12-2013 |
20130239168 | CONTROLLING ENTERPRISE ACCESS BY MOBILE DEVICES - A system comprising at least one component running on at least one server and receiving vulnerability data and, for each device of a plurality of devices, device data that includes data of at least one device component. The system includes a trust score corresponding to each device of the plurality of devices and representing a level of security applied to the device. The trust score is generated using a severity of the vulnerability data. The system includes an access control component coupled to the at least one component and controlling access of the plurality of devices to an enterprise using the trust score. | 09-12-2013 |
20130239169 | POLICY FOR SECURE PACKET TRANSMISSION USING REQUIRED NODE PATHS AND CRYPTOGRAPHIC SIGNATURES - Techniques ( | 09-12-2013 |
20130239170 | SYSTEM AND METHOD FOR ENHANCING TRUST FOR PERSON-RELATED DATA SOURCES - The technology disclosed relates to enhancing trust for person-related data sources by tracking person-related sources using trust objects that hold trust metadata. In particular, it relates to generating trust-enhanced data by appending trust metadata to social media content and other business-to-business entities, and further using the trust-enhanced data to develop social engagement models based on customer preferences. The trust metadata described includes names, interface categories and origins of the person-related data sources along with customer engagement preferences and connection types. | 09-12-2013 |
20130239171 | DISTRIBUTED SECURITY ARCHITECTURE - A distributed security architecture may include: a mobile anti-tamper hardware policy enforcement point configured to control communication behaviors of a mobile or stationary client by enforcing communication policies within a policy decision point; an anti-tamper hardware policy decision point encapsulated within the anti-tamper hardware policy enforcement point; a policy exchange channel for policy distribution modes configured to distribute and/or update communication and routing security policies to the client; a context manager configured to handle system-wide status change update signaling; and an authentication manager configured to provide clients with registration and credential/role assignments based on access policies. The distributed security architecture may be configured to provide open system interconnection layer 3.5 policy-based secure routing, and open system interconnection layer 2 policy-based mandatory access control address filtering to provide secure communication and computing for layers 4, 5, 6, and 7. | 09-12-2013 |
20130239172 | COMMUNICATION CONTROL APPARATUS, SYSTEM, METHOD, AND NON-TRANSITORY COMPUTER READABLE MEDIUM STORING PROGRAM THEREON - A communication control apparatus controls communication via a network between a first communication apparatus, which communicates via a virtual communication channel, and a second communication apparatus, which transmits a communication request to the first communication apparatus. The communication control apparatus includes a storage unit that stores an access control policy defining allowance or denial of access to the first communication apparatus, an establishment unit that establishes the virtual communication channel with the first communication apparatus, an authentication unit that authenticates the second communication apparatus based on the communication request received from it, an access control unit that refers to the access control policy and evaluates whether to allow or deny access from the authenticated second communication apparatus to the first communication apparatus, and a transfer unit that transfers the received communication request to the first communication apparatus when the access control unit evaluates that the access is allowed. | 09-12-2013 |
20130247128 | Distribution of security policies for small to medium-sized organizations - A security policy distribution system encapsulates parameters for a security policy and instructions for applying the parameters to a corresponding security program into a self-contained configuration file. When the self-contained configuration file is executed on behalf of a computer, the corresponding security program on the computer is updated with the parameters, thus distributing the security policy to the computer. | 09-19-2013 |
20130247129 | System, method and computer program product for obtaining a reputation associated with a file - A reputation system, method and computer program product are provided. In use, a file associated with a first computer is identified. Thereafter, a reputation associated with the file stored at a second computer is obtained. | 09-19-2013 |
20130247130 | SYSTEM, METHOD AND COMPUTER PROGRAM PRODUCT FOR UPDATING A SECURITY SYSTEM DEFINITION DATABASE BASED ON PRIORITIZED INSTANCES OF KNOWN UNWANTED DATA - A prioritized update system, method, and computer program product are provided. In use, a priority is assigned to a plurality of instances of known unwanted data. In addition, information associated with at least one of the instances of known unwanted data is communicated over a network for updating a system, based on the priority. In one embodiment, the prioritized update system may be provided for updating a security system definition database, based on prioritized instances of known unwanted data. | 09-19-2013 |
20130247131 | SYSTEM, METHOD, AND COMPUTER PROGRAM PRODUCT FOR PREVENTING SCANNING OF A COPY OF A MESSAGE - A system, method, and computer program product are provided for preventing scanning of a copy of a message. In use, it is determined whether an identifier of a message is stored in a data structure. Further, the scanning of a copy of the message is prevented, based on the determination. | 09-19-2013 |
20130247132 | SYSTEM, METHOD, AND COMPUTER PROGRAM PRODUCT FOR SELECTING A WIRELESS NETWORK BASED ON SECURITY INFORMATION - A system, method, and computer program product are provided for selecting a wireless network based on security information. In use, a plurality of wireless networks is identified. Further, security information associated with each of the wireless networks is collected, such that one of the wireless networks is selected based on the security information. | 09-19-2013 |
20130247133 | SECURITY ASSESSMENT OF VIRTUAL MACHINE ENVIRONMENTS - Each virtual machine in a set of virtual machines managed by the virtual machine manager is identified. For each virtual machine in the set, it is determined whether the respective virtual machine is online. For at least the virtual machines determined to be offline, a machine image is collected for each offline virtual machine. Security of the offline virtual machines is assessed from the collected images. For virtual machines identified as online, an agent is loaded on each online virtual machine in the set via the virtual machine manager. The loaded agents are used to assess security of the online virtual machines in the set. | 09-19-2013 |
20130247134 | Method And Apparatus For A Distributed Security Service In A Cloud Network - Various embodiments provide a method and apparatus of providing a distributed security service that runs light instances in a number of security devices and central instances of the security services in select security devices. A received or transmitted client content segment is directed to a light instance which either applies a security policy corresponding to the client content segment if the client content segment has been previously analyzed and has a valid security policy, or else, the light instance sends the client content segment to a central instance to be analyzed. The central instance may then provide a complete security analysis on the client content segment, determine a security policy corresponding to the client content segment and push the determined security policy to one or more of the light instances. Advantageously, a distributed security service delivery may provide highly secure, network efficient and cost effective security service delivery. | 09-19-2013 |
20130247135 | METHOD AND APPARATUS FOR SECURITY-AWARE ELASTICITY OF APPLICATION AND SERVICES - In a method for scaling up/down security (non-functional) components of an application, determine (a) types of interactions and a number of each type of interaction each non-security (functional) component has with security components for a plurality of requests. Determine, based on (a) and an expected number of incoming requests to the application, (b) types of requests to and interactions with the security components involving the non-security components and (c) a number of requests to and interactions with the security components involving non-security components for each type of request to the security components involving non-security components. Determine, for each security component, a capacity required for each type of request involving the non-security components and a capacity required for each type of interaction involving the non-security components. Change the capacities of the security components to new capacities, wherein the new capacities are based on (a), (c) and the determined capacities. | 09-19-2013 |
20130247136 | Automated Validation of Configuration and Compliance in Cloud Servers - A method, an apparatus and an article of manufacture for automated validation of compliance in a cloud server. The method includes remotely accessing a target cloud server to discover at least one configuration setting of the target cloud server, integrating the at least one configuration setting from the target cloud server with information from at least one back-end tool to produce compliance evidence, and automatically answering a set of at least one checklist question for activation compliance validation of the target cloud server based on the compliance evidence. | 09-19-2013 |
20130247137 | METHODS AND SYSTEMS FOR AUTOMATICALLY CONFIGURING AND RE-CONFIGURING ELECTRONIC SECURITY INTERFACES - A scalable and flexible system and method for automatically configuring and re-configuring electronic security interfaces comprising video, audio, and wireless hardware and software capable of capturing video and audio, designed to be true "plug-n-play" for an end-user. The system is configured to incorporate almost any type of camera, battery technology, storage device, wifi or cellular technology, or microphone, and provides real-time access to the web to add applications, for example, facial recognition web services or real-time comparison against any previously identified and stored object. In addition, the system and method are capable of taking as input most custom user-deployment application requirements and generating a set of hardware to fulfill a user's particular requirements. | 09-19-2013 |
20130247138 | METHOD AND SYSTEM FOR REGULATING HOST SECURITY CONFIGURATION - A recommendation engine coupled to a server computer in communication with a plurality of hosts is described. The recommendation engine includes computer readable intrusion-protection instructions stored in a memory device, which cause a processor of said server computer to determine a current host-protection configuration for a target host; detect discrepancy between said current host-protection configuration and a prior host-protection configuration; install said current host-protection configuration in said target host upon detecting said discrepancy; record successive host-reconfiguration periods, a host reconfiguration period being a difference between successive instants of time at which a current host-protection configuration differs from a prior host-protection configuration; determine a monitoring period according to a value of at least one of said successive host-reconfiguration periods; and a scheduler for activating said intrusion-protection instructions according to said monitoring period. | 09-19-2013 |
20130247139 | APPLICATION IDENTITY DESIGN - Methods and apparatus, including computer program products, implementing and using techniques for providing user credentials over a network to a remote computer application. User credentials for the remote computer application are stored in a central repository that is accessible through the network. A request is sent to a service to perform, on behalf of a user, a particular task involving the remote computer application. It is determined whether the service has been granted permission to act on behalf of the user with respect to the remote computer application. When the service has permission to act on behalf of the user, the service is used to retrieve the user's credentials for the remote computer application from the central repository and to supply the retrieved user credentials to the remote computer application, | 09-19-2013 |
20130247140 | METHOD OF PROTECTING AN INDIVIDUAL'S PRIVACY WHEN PROVIDING SERVICE BASED ON ELECTRONIC TAG - A technology for providing a service based on an electronic tag. A personalized service provider issues a new code that replaces the code recorded on an electronic tag attached to a product purchased by a purchaser, sets a privacy policy of the purchaser, authenticates the new code and purchaser information, and provides a service associated with the product in a limited manner according to the set privacy policy when the person who accesses the personalized service provider is not the purchaser of the product. | 09-19-2013 |
20130247141 | METHOD AND APPARATUS FOR PROVIDING MOBILE AND SOCIAL SERVICES VIA VIRTUAL INDIVIDUAL SERVERS - A method, computer readable medium and apparatus for providing a virtual individual server service within a communications network are disclosed. For example, the method receives a request from a subscriber of the communications network to subscribe to the virtual individual server service, provides a virtual individual server to the subscriber in response to the request and executes at least one application via the virtual individual server using at least one piece of personal information associated with the subscriber. | 09-19-2013 |
20130247142 | AUTHENTICATION FEDERATION SYSTEM AND ID PROVIDER DEVICE - According to one embodiment, the ID provider device stores pieces of policy information for each service provider ID. The ID provider device outputs a policy evaluation request including the user ID used in the log-in processing and the service provider ID in the authentication federation request when the log-in processing is successful. The ID provider device reads the policy information in accordance with the service provider ID in the policy evaluation request. The ID provider device judges whether to permit the transmission of the service data in accordance with whether environmental conditions of the user for the execution of a service conform to the read policy information. | 09-19-2013 |
20130247143 | SYSTEM AND METHOD FOR CONFIGURING DEVICES FOR SECURE OPERATIONS - Systems and methods for establishing a security-related mode of operation for computing devices. A policy data store contains security mode configuration data related to the computing devices. Security mode configuration data is used in establishing a security-related mode of operation for the computing devices. | 09-19-2013 |
20130247144 | Controlling Access to Resources on a Network - Disclosed are various embodiments for controlling access to data on a network. Upon receiving a request comprising a device identifier and at least one user credential to access a remote resource, the request may be authenticated according to at least one compliance policy. If the request is authenticated, a resource credential associated with the remote resource may be provided. | 09-19-2013 |
20130254829 | Securing A Computing Environment Against Malicious Entities - The subject disclosure is directed towards securing network data traffic through a trusted partition of the computing environment. A proxy service may communicate transaction data from a client to security-critical code within the trusted partition, which compares the transaction data to a security policy from a commercial electronic entity. If the transaction data includes malicious content, a security component framework of the trusted partition may reject the transaction data and terminate communications with the client. If the transaction data does not include malicious content, the security component framework may communicate a secured version of the transaction data and retrieve response data from the commercial electronic entity, which may be further communicated back to the client. | 09-26-2013 |
20130254830 | APPARATUS AND METHOD FOR ASSURING COMMUNICATIONS OF CORPORATE USERS - A secure communication capability is disclosed. The secure communication capability is adapted to assure communications by or otherwise associated with a corporate user. The communications by or associated with the corporate user may be supported using a corporate user device(s) and/or a personal user device(s). The communications by or associated with the corporate user may be assured regardless of various elements or factors (e.g., regardless of one or more of a user device used for the communication, a communication channel used for the communication, a communication medium used for the communication, a communication mode used for the communication, and the like). In this manner, a secure blanket is imposed over all communication mechanisms used to support communication by or otherwise associated with the corporate user regarding corporate matters and/or personal matters. | 09-26-2013 |
20130254831 | METHOD AND APPARATUS FOR CONTEXT AWARE MOBILE SECURITY - An approach is provided for causing a change in a security policy of a device based on contextual information. The approach involves determining context information associated with a device. The approach also involves determining a security policy of the device. The approach further involves determining a change of the context information. The approach additionally involves processing the determined change of the context information to cause, at least in part, a revision of the security policy of the device. | 09-26-2013 |
20130254832 | Security Protection Domain-Based Testing Framework - Methods and apparatus for security protection domain-based testing. A testing framework enables the same certification tests to be run across different protection domains or operation modes, and on different platforms or devices. The testing framework may, for example, be directed to testing implementations of the Java Platform, Micro Edition (Java ME®) using Connected Device Configuration (CDC) or Connected Limited Device Configuration (CLDC) as the configuration layer and Mobile Information Device Profile (MIDP) as the profile layer. Different Mobile Information Device Profile (MIDP) specifications (e.g., MIDP 2.x and MIDP 3.x specifications) may be supported. The testing framework may be deployed in the context of compatibility testing and technology compatibility kits (TCKs). The testing framework may, for example, be applied in compatibility testing for Java ME® platform technology implementations. | 09-26-2013 |
20130254833 | METHODS AND SYSTEMS FOR CONTROLLING ACCESS TO COMPUTING RESOURCES BASED ON KNOWN SECURITY VULNERABILITIES - Methods and systems are provided for fine tuning access control by remote, endpoint systems to host systems. Multiple conditions/states of one or both of the endpoint and host systems are monitored, collected and fed to an analysis engine. Using one or more of many different flexible, adaptable models and algorithms, an analysis engine analyzes the status of the conditions and makes decisions in accordance with pre-established policies and rules regarding the security of the endpoint and host system. Based upon the conditions, the policies, and the analytical results, actions are initiated regarding security and access matters. In one described embodiment of the invention, the monitored conditions include software vulnerabilities. | 09-26-2013 |
20130254834 | IMPLEMENTING POLICIES FOR AN ENTERPRISE NETWORK USING POLICY INSTRUCTIONS THAT ARE EXECUTED THROUGH A LOCAL POLICY FRAMEWORK - A policy framework is maintained on the computing device, and the computing device communicates with a policy server of an enterprise network over a network to receive a set of policy instructions. The policy instructions are executed through the policy framework in order to implement one or more policies that control the mobile computing device's access to resources of the enterprise network. | 09-26-2013 |
20130254835 | ACCESS AUTHORIZATION HAVING EMBEDDED POLICIES - A facility for receiving an embedded policy is provided. The facility checks an application program image for the presence of an embedded policy. If an embedded policy is detected, the facility extracts the policy from within the application program image. The facility may then apply the extracted policy to the application program image before the application program image is loaded and/or executed. Moreover, the facility may check the application program image's integrity prior to extracting the embedded policy. | 09-26-2013 |
20130254836 | BROWSER SECURITY STANDARDS VIA ACCESS CONTROL - A computing system is operable to contain a security module within an operating system. This security module may then act to monitor access requests by a web browser and apply mandatory access control security policies to such requests. It will be appreciated that the security module can apply mandatory access control security policies to such web browser access attempts. | 09-26-2013 |
20130254837 | Rights Management Services Integration with Mobile Device Management - Rights management services (RMS) integration with mobile device management (MDM) may be provided. A functionality associated with a document may be restricted according to a document management policy. After the document has been transmitted to a receiving device, a request to un-restrict the at least one functionality associated with the document may be received. If it is determined that the receiving device complies with the document management policy, the functionality associated with the document may be un-restricted. | 09-26-2013 |
20130254838 | SYSTEM AND METHOD FOR DATA MINING AND SECURITY POLICY MANAGEMENT - A method is provided in one example and includes generating a query for a database for information stored in the database. The information relates to data discovered through a capture system. The method further includes generating an Online Analytical Processing (OLAP) element to represent information received from the query. A rule based on the OLAP element is generated and the rule affects data management for one or more documents that satisfy the rule. In more specific embodiments, the method further includes generating a capture rule that defines items the capture system should capture. The method also includes generating a discovery rule that defines objects the capture system should register. In still other embodiments, the method includes developing a policy based on the rule, where the policy identifies how one or more documents are permitted to traverse a network. | 09-26-2013 |
20130254839 | REAL TIME LOCKDOWN - A system and method that trusts software executables existent on a machine prior to activation for different types of accesses, e.g., execution, network, and registry. The system detects new executables added to the machine as well as previously existent executables that have been modified, moved, renamed or deleted. In certain embodiments, the system will tag the file with a flag as modified or newly added. Once tagged, the system intercepts particular types of file accesses for execution, network or registry. The system determines if the file performing the access is flagged and may apply one or more policies based on the requested access. In certain embodiments, the system intercepts I/O operations by file systems or file system volumes and flags metadata associated with the file. For example, the NT File System and its extended attributes and alternate streams may be utilized to implement the system. | 09-26-2013 |
20130263205 | SYSTEM AND METHOD FOR TRUSTED PLATFORM ATTESTATION - A method is provided in one example embodiment that includes storing a reference measurement of an object in a trusted storage and retrieving the reference measurement from the trusted storage before an operating system is loaded. In a pre-operating system environment, the reference measurement can be compared with a golden measurement and a policy action can be applied if a variance is detected between the reference measurement and the golden measurement. In more particular embodiments, the reference measurement is a measurement of firmware, and yet more particularly, the measurement is a hash of the firmware. | 10-03-2013 |
20130263206 | METHOD AND APPARATUS FOR POLICY ADAPTION BASED ON APPLICATION POLICY COMPLIANCE ANALYSIS - An approach is provided for policy adaption based on application policy compliance analysis. The compliance platform processes and/or facilitates a processing of one or more policy compliance logs associated with at least one application to determine one or more policy compliance profiles associated with the at least one application. The compliance platform determines one or more contexts under which the at least one application operates. The compliance platform causes, at least in part, an association of the one or more policy compliance profiles with the one or more contexts. The compliance platform then processes and/or facilitates a processing of user contextual information, user application use information, or a combination thereof against the association, the one or more policy compliance profiles, the one or more contexts, or a combination thereof to determine one or more adaptions to one or more policies associated with the at least one application. | 10-03-2013 |
20130263207 | DETECTION OF POTENTIALLY COPYRIGHTED CONTENT IN USER-INITIATED LIVE STREAMS - Systems and methods modifying a presentation of media content in response to a detected violation are provided. In particular, media content such as a media stream broadcasted by a user to other users can be monitored. The broadcasted media stream can be fingerprinted and compared to a fingerprint repository that includes entries associated with media content that is copyrighted or otherwise considered a violation. If the fingerprint matches entries included in the fingerprint repository, then the media stream can be modified such as modified to terminate. | 10-03-2013 |
20130263208 | MANAGING VIRTUAL MACHINES IN A CLOUD COMPUTING SYSTEM - Provided is a method of managing a virtual machine in a cloud computing system. Virtual servers present in a cloud computing system are organized into policy domains, wherein a policy domain is a group of virtual servers that share a common policy. Upon receipt of a request for creating a new virtual machine, a determination is made whether a policy of the new virtual machine corresponds to a policy of a policy domain. The new virtual machine is created in a policy domain whose policy corresponds with the policy of the new virtual machine. | 10-03-2013 |
20130263209 | APPARATUS AND METHODS FOR MANAGING APPLICATIONS IN MULTI-CLOUD ENVIRONMENTS - A system, method, and medium are disclosed for managing application deployments on cloud infrastructures. The system comprises a services console configured to store management policies. Each management policy corresponds to a respective application deployment on one or more clouds and indicates (1) one or more potential runtime conditions and (2) one or more corresponding management actions. The system further comprises a monitoring engine configured to monitor runtime conditions of the application deployments, and to determine that runtime conditions of a given application deployment match the one or more potential conditions indicated by a given management policy corresponding to the given application deployment. The system also includes a policy engine configured to respond to the determination of the monitoring engine by performing the one or more management actions of the given management policy. | 10-03-2013 |
20130263210 | Enforcing Application and Access Control Policies in an Information Management System with Two or More Interactive Enforcement Points - A method and apparatus for controlling document access and application usage using centrally managed rules. The rules are stored and manipulated in a central rule database via a rule server. Policy enforcers are installed on client systems and/or on servers and perform document access and application usage control for both direct user document accesses and application usage, and application program document accesses by evaluating the rules sent to the policy enforcer. The rule server decides which rules are required by each policy enforcer. A policy enforcer can also perform obligation and remediation operations as a part of rule evaluation. Policy enforcers on client systems and servers can operate autonomously, evaluating policies that have been received, when communications have been discontinued with the rule server. | 10-03-2013 |
20130263211 | SECURE AUTHENTICATION IN A MULTI-PARTY SYSTEM - An authentication server transmits a random number to, and receives other information from, a service provider. Later, the first random number is received from a requester, and a provider identifier, the received other information and provider authentication policy requirements are transmitted to the requester. A user identifier and validation information are received from the requester. The received validation information is determined to correspond to the provider authentication policy requirements, and is compared with stored user validation information associated with the received user identifier to authenticate the requester. A message, including both the random number and the other information, signed with a credential of the requesting user is received and transmitted to the first provider. | 10-03-2013 |
20130263212 | SECURE MOBILE FRAMEWORK - Systems and methods for a secure mobile framework to securely connect applications running on mobile devices to services within an enterprise are provided. Various embodiments provide mechanisms of securitizing data and communication between mobile devices and end point services accessed from a gateway of responsible authorization, authentication, anomaly detection, fraud detection, and policy management. Some embodiments provide for the integration of server and client side security mechanisms, binding of a user/application/device to an endpoint service along with multiple encryption mechanisms. For example, the secure mobile framework provides a secure container on the mobile device, secure files, a virtual file system partition, a multiple level authentication approach (e.g., to access a secure container on the mobile device and to access enterprise services), and a server side fraud detection system. | 10-03-2013 |
20130263213 | TECHNIQUES FOR IDENTITY AND POLICY BASED ROUTING - Techniques for identity and policy based routing are presented. A resource is initiated on a device with a resource identity and role assignments along with policies are obtained for the resource. A customized network is created for the resource using a device address for the device, the resource identity, the role assignments, and the policies. | 10-03-2013 |
20130263214 | COMMUNICATION SYSTEM, CONTROL APPARATUS, POLICY MANAGEMENT APPARATUS, COMMUNICATION METHOD, AND PROGRAM - The present invention implements detailed access control according to access rights granted to users, by a simple configuration. A communication system includes: a plurality of forwarding nodes that process a received packet in accordance with a processing rule (packet handling operation) associating a matching rule for identifying a flow and processing content to be applied to a packet that conforms with the matching rule; a policy management apparatus provided with an access control policy storage unit that associates roles assigned to users and access rights set for each role, the policy management apparatus providing information related to access rights associated with a role of a user who is successfully authenticated, to a control apparatus; and the control apparatus that creates a path between a terminal of the user who is successfully authenticated and a resource that the user can access, based on information related to access rights received from the policy management apparatus, and sets a processing rule in a forwarding node in the path in question. | 10-03-2013 |
20130268994 | SYSTEM AND METHOD FOR DETERMINING AND USING LOCAL REPUTATIONS OF USERS AND HOSTS TO PROTECT INFORMATION IN A NETWORK ENVIRONMENT - A method in an example embodiment includes correlating a first set of event data from a private network and determining a local reputation score of a host in the private network based on correlating the first set of event data. The method further includes providing the local reputation score of the host to a security node, which applies a policy, based on the local reputation score of the host, to a network communication associated with the host. In specific embodiments, the local reputation score of the host is mapped to a network address of the host. In further embodiments, the first set of event data includes one or more event indicators representing one or more events, respectively, in the private network. In more specific embodiments, the method includes determining a local reputation score of a user and providing the local reputation score of the user to the security node. | 10-10-2013 |
20130268995 | Method For Optimising the Transfer of a Stream of Secure Data Via an Autonomic Network - The invention relates to a method for optimising the transfer of secure data streams via an autonomic network between multiple information-producing users Pi and multiple information-consuming users Cj. For each secure session between an information-producing user Pi and an information-consuming user Cj, non-persistent security settings are exchanged between an optimisation module and an autonomic agent via a secure control channel, so as to apply the previously negotiated security procedure between the autonomic agent and the optimisation module. As a result, during an exchange of streams between the information-producing user Pi and the information-consuming user Cj, the optimisation module holding the non-persistent security settings appears as a client for a server during the said session. | 10-10-2013 |
20130268996 | METHOD OF EXECUTING VIRTUALIZED APPLICATION ABLE TO RUN IN VIRTUALIZED ENVIRONMENT - A method of executing a virtualized application able to run in a virtualized environment. The virtualized application includes application software and the virtualized environment. The application software includes a license monitor to search for a software license while monitoring an execution policy set by a software provider when software is installed or executed. The virtualized environment includes an environment monitor to monitor an execution environment provided to the application software by the virtualized environment. Therefore, it is possible to prevent software able to run in a virtualized environment from being freely copied without any limitations by the execution policy provided by the software provider. | 10-10-2013 |
20130268997 | SYSTEMS AND METHODS FOR ENFORCING ACCESS CONTROL POLICIES ON PRIVILEGED ACCESSES FOR MOBILE DEVICES - Methods and systems described herein relate to enhancing security on a device by enforcing security and access control policies on privileged code execution. | 10-10-2013 |
20130276052 | METHODS, APPARATUSES, AND SYSTEMS FOR THE DYNAMIC EVALUATION AND DELEGATION OF NETWORK ACCESS CONTROL - Embodiments of the inventions are generally directed to methods, apparatuses, and systems for the dynamic evaluation and delegation of network access control. In an embodiment, a platform includes a switch to control a network connection and an endpoint enforcement engine coupled with the switch. The endpoint enforcement engine may be capable of dynamically switching among a number of network access control modes responsive to an instruction received from the network connection. | 10-17-2013 |
20130276053 | SYSTEM ASSET REPOSITORY MANAGEMENT - A plurality of system entities described in an asset repository are identified, the asset repository defining a particular hierarchical organization of the plurality of system entities within a computing environment. A particular system entity in the plurality of system entities is tagged with a particular tag. The particular system entity is associated with a particular security policy based on the particular system entity being tagged with the particular tag. The particular security policy is applied to system entities in the asset repository tagged with one or more tags in a particular set of tags including the particular tag. | 10-17-2013 |
20130276054 | RECORDING ACTIVITY-TRIGGERED COMPUTER VIDEO OUTPUT - An application that is capable of monitoring Internet or network traffic and performing recordings of computer video output based on one or more violations of network activity policies. The recording application can be installed on the computer to be recorded or another computer or server that is connected through the network to the computer to be recorded. The monitoring application contains a configuration interface that allows a user to set thresholds for certain types of network policy violations. When the one or more violations are detected, the recording application will begin recording video of the computer's video activity. The application can be configured to include settings such as the length of the recording. In a typical environment, the application is a hardware appliance that is capable of monitoring web activity and network traffic and can connect to the computer over the network in order to perform the recording. | 10-17-2013 |
20130276055 | NETWORK POLICY MANAGEMENT AND EFFECTIVENESS SYSTEM - The Present Invention discloses a method and apparatus for maintaining policy compliance on a computer network. A system in accordance with the principles of the Present Invention performs the steps of electronically monitoring network user compliance with a network security policy stored in a database, electronically evaluating network security policy compliance based on network user compliance and electronically undertaking a network policy compliance action in response to network security policy non-compliance. The network policy compliance actions may include automatically implementing a different network security policy selected from network security policies stored in the database, generating policy effectiveness reports and providing a retraining module to network users. | 10-17-2013 |
20130276056 | AUTOMATIC CURATION AND MODIFICATION OF VIRTUALIZED COMPUTER PROGRAMS - In an embodiment, a data processing method comprises receiving computer program data at a security unit having one or more processors; implementing one or more security-related modifications to the computer program data, resulting in creating modified computer program data; executing the modified computer program data in a monitored environment; analyzing output from the modified computer program data and identifying one or more variances from an expected output; performing a responsive action selected from one or more of: disabling one or more security protections that have been implemented in the modified computer program data; reducing or increasing the stringency of one or more security protections that have been implemented in the modified computer program data; updating the security unit based on the variances. | 10-17-2013 |
20130276057 | AUTHENTICATED LAUNCH OF VIRTUAL MACHINES AND NESTED VIRTUAL MACHINE MANAGERS - An embodiment of the invention provides for an authenticated launch of VMs and nested VMMs. The embodiment may do so using an interface that invokes a VMM protected launch control mechanism for the VMs and nested VMMs. The interface may be architecturally generic. Other embodiments are described herein. | 10-17-2013 |
20130283335 | SYSTEMS AND METHODS FOR APPLYING POLICY WRAPPERS TO COMPUTER APPLICATIONS - Systems and methods are provided that allow an enterprise to apply a policy wrapper to any computer application. The use of a policy wrapper allows for any enterprise user to securely communicate with an enterprise, or generally communicate over a communication network, at a computer application level. A policy wrapper includes policies that can specify how to handle different types of API calls associated with a computer application, such as the re-routing, modification, or recording of IP packets, the storage of data, the displaying of data, the printing of data, or any other suitable data and/or actions. The policies can treat the different types of data and/or actions the same or differently. The policies can further distinguish between a user's enterprise-related information and the user's personal information, and specify the locations to which the information should be directed. | 10-24-2013 |
20130283336 | CYBER SECURITY ANALYZER - An overall cyber security risk diagram is generated from a hierarchy of determined KPIs by combining a Procedures and Protocol KPI, determined from values assigned to answers to questions presented to organization personnel implementing a control system, with a Group Security Policies KPI that is determined from system-wide policy information and settings of the automation system by an automated processing device tool, and a Computer Settings KPI determined from device setting data collected from individual system devices by the automated processing device tool and relevant to cyber security. The device setting data comprises service areas unique to each device that are not assessable by review of the domain data collected and used to determine the Group Security Policies KPI. Each level of the hierarchy of determined KPIs may be used to generate a representation of relative risk of a cyber-security attribute. | 10-24-2013 |
20130283337 | PREDICTING NEXT CHARACTERS IN PASSWORD GENERATION - A current prefix character string representing a prefix of a proposed password may be obtained from a user input device. A prediction of a most likely next character of the proposed password may be determined, based on applying a set of heuristics to the current prefix character string. A response indicating an impact on a security strength of the proposed password may be determined, based on a selection of the predicted most likely next character. | 10-24-2013 |
20130283338 | Policy Management of Multiple Security Domains - A mechanism is provided in a data processing system for centralized policy management of multiple security domains in accordance with an illustrative embodiment. A policy enforcement point component in the data processing system receives an access request. The policy enforcement point component is managed by a plurality of security domains. The policy enforcement point component queries a policy broker component in the data processing system. The policy broker component determines an access decision that complies with policies of the plurality of security domains. It does so by orchestrating a workflow that involves the policy decision, administration, and information components of those domains. The policy broker component returns the access decision to the policy enforcement point component. | 10-24-2013 |
20130283339 | OPTIMIZED POLICY MATCHING AND EVALUATION FOR HIERARCHICAL RESOURCES - Improved techniques are provided for processing authorization requests. In some embodiments, an authorization request specifying a hierarchical resource can be processed without having to sequentially process the various security policies configured for a collection of resources. | 10-24-2013 |
20130283340 | OPTIMIZED POLICY MATCHING AND EVALUATION FOR NON-HIERARCHICAL RESOURCES - Improved techniques are provided for processing authorization requests. In some embodiments, an authorization request specifying a non-hierarchical resource can be processed without having to sequentially process the various security policies configured for a collection of resources. | 10-24-2013 |
20130283341 | METHOD OF SECURING A MOBILE TERMINAL - The present invention relates to a method of implementing a security system for preemptively preventing a decrease in work efficiency due to leaked confidential secrets or the browsing of non work-related sites through a mobile terminal. A security manager implements an environment for allowing, blocking, or recording Internet usage in an independent mobile communication network in an area requiring security, uses a security system server to preregister information on mobile terminals of users who are expected to use the Internet, makes agreements on how personal information will be handled when outside visitors visit the network, registers information on mobile terminals of outside visitors with the security system server, and oversees the installation of a security app whenever necessary. | 10-24-2013 |
20130283342 | Transformation of Sequential Access Control Lists Utilizing Certificates - The subject disclosure pertains to systems and methods that facilitate managing access control utilizing certificates. The systems and methods described herein are directed to mapping an access policy as expressed in an access control list to a set of certificates. The set of certificates can be used to grant access to resources in the manner described by the ACL. The certificates can be distributed to entities for use in obtaining access to resources. Entities can present certificates to resources as evidence of their right to access the resources. The access logic of the sequential ACL can be transformed or mapped to a set of order independent certificates. In particular, each entry, position of the entry in the list and any preceding entries can be analyzed. The analysis can be used to generate order independent certificates that provide access in accordance with the access policy communicated in the ACL. | 10-24-2013 |
20130283343 | Enforcing Universal Access Control in an Information Management System - A method and apparatus for controlling document access and application usage using centrally managed rules. The rules are stored and manipulated in a central rule database via a rule server. Policy enforcers are installed on client systems and/or on servers and perform document access and application usage control for both direct user document accesses and application usage, and application program document accesses by evaluating the rules sent to the policy enforcer. The rule server decides which rules are required by each policy enforcer. A policy enforcer can also perform obligation and remediation operations as a part of rule evaluation. Policy enforcers on client systems and servers can operate autonomously, evaluating policies that have been received, when communications have been discontinued with the rule server. | 10-24-2013 |
20130283344 | METHODS FOR RESTRICTING RESOURCES USED BY A PROGRAM BASED ON ENTITLEMENTS - In response to a request for launching a program, a list of one or more application frameworks to be accessed by the program during execution of the program is determined. Zero or more entitlements representing one or more resources entitled by the program during the execution are determined. A set of one or more rules based on the entitlements of the program is obtained from at least one of the application frameworks. The set of one or more rules specifies one or more constraints of resources associated with the at least one application framework. A security profile is dynamically compiled for the program based on the set of one or more rules associated with the at least one application framework. The compiled security profile is used to restrict the program from accessing at least one resource of the at least one application framework during the execution of the program. | 10-24-2013 |
20130283345 | TECHNIQUES FOR DYNAMIC ENDPOINT SECURE LOCATION AWARENESS - Techniques for dynamic endpoint secure location awareness may include dynamically sending a location query in response to a change in location for a mobile device. A location response may be received. The platform security engine may determine whether the mobile device is located in a secure location based on the location response. Other embodiments are described and claimed. | 10-24-2013 |
20130291051 | SYSTEM CALL INTERCEPTION - System call interception is activated for an application process. It is recorded that system call interception is active for the application process. Ongoing checking is performed to determine whether system call interception remains active. | 10-31-2013 |
20130291052 | TRUSTED PUBLIC INFRASTRUCTURE GRID CLOUD - Systems and methods of implementing a secured cloud environment allow for design and instantiation of a security policy at the infrastructure level. An example system may comprise a first module to facilitate selecting at least two cloud computing component templates from a cloud computing component catalog. The system may comprise a second module to facilitate defining a connection between the at least two selected cloud computing component templates. The system may comprise a third module to facilitate assigning a security level and a policy to at least one of the at least two selected cloud computing component templates. The system may comprise a fourth module to facilitate building a cloud computing component blueprint. | 10-31-2013 |
20130291053 | Security Controlled Multi-Processor System - Embodiments of the present disclosure provide systems and methods for implementing a secure processing system having a first processor that is certified as a secure processor. The first processor only executes certified and/or secure code. An isolated second processor executes non-secure (e.g., non-certified) code within a sandbox. The boundaries of the sandbox are enforced (e.g., using a hardware boundary and/or encryption techniques) such that code executing within the sandbox cannot access secure elements of the secure processing system located outside the sandbox. The first processor manages the memory space and the applications that are permitted to run on the second processor. | 10-31-2013 |
20130291054 | METHOD AND APPARATUS FOR PROVIDING AUDIO OR VIDEO CAPTURE FUNCTIONALITY ACCORDING TO A SECURITY POLICY - Systems and methods for providing capture functionality according to a security policy are provided. A request to capture content is received from a requesting application at a capture controller. The request is evaluated based on the security policy of the capture controller. Based on the evaluation, a determination is made as to whether the request is to be granted completely, denied, or granted subject to a constraint. Capture of the requested content is initiated via capture hardware or software if the request is granted completely or granted subject to the constraint. | 10-31-2013 |
20130291055 | Policy-based dynamic information flow control on mobile devices - A method for securing data on a mobile device that supports both enterprise and personal applications. According to the method, information flows and data accesses are tracked on the device at run-time to enable access control decisions to be performed based on a policy, such as an enterprise privacy policy that has been distributed to the device from an enterprise server. The policy may be updated by events at the device as well as at the enterprise server. | 10-31-2013 |
20130291056 | QUORUM-BASED SECURE AUTHENTICATION - Representative embodiments of secure authentication to a resource in accordance with a predefined, electronically stored quorum-based authentication policy include causing electronic interaction among multiple devices that constitute a quorum in accordance with the policy, computationally determining whether the interaction satisfies the policy, and if so, electronically according access to the resource to one or more individuals associated with the interacting device(s). | 10-31-2013 |
20130291057 | SECURITY SYSTEM AND METHOD FOR CONTROLLING INTERACTIONS BETWEEN COMPONENTS OF A COMPUTER SYSTEM - The embodiments of the present invention relate to controlling interactions between one or more components of a computer system, where each component is assigned a fixed security level and all currently active and newly requested interactions between components of the system are monitored. | 10-31-2013 |
20130291058 | SYSTEMS AND METHODS FOR IMPLEMENTING CUSTOM PRIVACY SETTINGS - A social network aggregation platform collects user generated content from multiple disparate social network platforms. The platform includes methods and systems for maintaining and applying user-selected and/or platform-specific privacy settings to the content when distributed or published. User privacy settings are compiled across platforms and used as a filter list against user-generated content. As a content stream is ingested into a platform, the source(s) of the content items are checked and the appropriate privacy settings are applied. | 10-31-2013 |
20130291059 | SYSTEM AND METHOD FOR USING PARTIAL EVALUATION FOR EFFICIENT REMOTE ATTRIBUTE RETRIEVAL - An attribute-based policy defining subjects' access to resources is enforced by a computer system. A processing means (PDP) in the system communicates with a nearby attribute value source and at least one remote attribute value source and is adapted to evaluate the policy for an access request containing one or more explicit attribute values, which together with the policy define at least one implicit reference to a further attribute value, which is retrievable from one of said attribute value sources. The processing means reduces the policy by substituting attribute values for attributes in the policy if they are contained in the request or retrievable from the nearby source. References to further attributes retrievable from a remote source only are cached together with intermediate results. All attribute values from a given remote source are retrieved on one occasion, and the intermediate results are used to terminate the evaluation. | 10-31-2013 |
20130291060 | SECURITY FACILITY FOR MAINTAINING HEALTH CARE DATA POOLS - Disclosed herein are systems and methods for syndication and management of structured and unstructured data to assist institutional healthcare delivery, healthcare providers' practices, healthcare providers' group practices, collaborative academic research and decision making in healthcare, including through the utilization of medical devices and healthcare pools. | 10-31-2013 |
20130298181 | NOISE, ENCRYPTION, AND DECOYS FOR COMMUNICATIONS IN A DYNAMIC COMPUTER NETWORK - A method and apparatus for processing data messages in a dynamic computer network is disclosed. The method includes implementing a mission plan specifying a message type, a message generation location, and a message distance vector for false messages, receiving a data message that includes a plurality of identity parameters, and determining a message type and a message distance vector for the received message. The network device is configured to generate false messages and process received messages. If the message type is a false message and the distance vector of the false message has been exhausted, the data message is dropped. If the distance vector of the false message has not been exhausted, the false message is transmitted in accordance with the mission plan. | 11-07-2013 |
20130298182 | POLICY-BASED CONFIGURATION OF INTERNET PROTOCOL SECURITY FOR A VIRTUAL PRIVATE NETWORK - A method for performing policy-based configuration of Internet Protocol Security (IPSec) for a Virtual Private Network (VPN) is provided. According to one embodiment, a browser-based interface of a network device displays a policy page through which multiple settings may be configured for a VPN connection. The settings include a type of IPSec tunnel to be established between the network device and a peer. One or more parameter values corresponding to one or more of the settings are received and responsive thereto a policy file is created or modified corresponding to the VPN connection. The policy file has contained therein multiple parameter values corresponding to the settings. Establishment of the VPN connection between the network device and the peer is requested based on the parameter values contained within the policy file by sending a notification request, including the policy file, from the network device to the peer. | 11-07-2013 |
20130298183 | CARTRIDGES IN A MULTI-TENANT PLATFORM-AS-A-SERVICE (PaaS) SYSTEM IMPLEMENTED IN A CLOUD COMPUTING ENVIRONMENT - A mechanism for providing cartridges in a multi-tenant PaaS system implemented in a cloud computing environment is disclosed. A method of embodiments includes maintaining, by a virtual machine (VM) executing on a computing device, a cartridge library comprising cartridge packages that provide functionality for multi-tenant applications executed by the VM, receiving a request to configure a cartridge on the VM, wherein the cartridge is to provide functionality for a multi-tenant application executed by the VM, establishing a container to provide process space for the functionality of the cartridge, calling a configure hook for a type of the cartridge, and in response to calling the configure hook, embedding an instance of the cartridge in the container, the instance of the cartridge obtained from a cartridge package of the cartridge library. | 11-07-2013 |
20130298184 | SYSTEM AND METHOD FOR MONITORING APPLICATION SECURITY IN A NETWORK ENVIRONMENT - A method includes determining an application role in a distributed application in a network environment, generating a role profile for the application role from an interaction pattern, mapping the role profile to a virtual machine (VM), and detecting a security breach of the VM. Determining the application role includes obtaining network traces from the distributed application, and analyzing the network traces to extract the application role. In one embodiment, detection of the security breach includes generating an access control policy for the VM from the role profile, and determining an anomaly in traffic based thereon. In another embodiment, detection of the security breach includes inserting the role profile in a port profile of the VM, generating a small state machine from the role profile, running the small state machine on a port associated with the VM, and inspecting, by the small state machine, an application level traffic at the port. | 11-07-2013 |
20130298185 | MOBILE APPLICATION MANAGEMENT SYSTEMS AND METHODS THEREOF - Mobile application management through policy inclusion using centralized enforcement libraries is disclosed. The method includes storing independently developed mobile applications on at least one server. The method further includes storing independently developed policies associated with each of the independently developed mobile applications on the at least one server. The method further includes associating a policy of the stored independently developed policies with any of the mobile applications of the independently developed mobile applications. The method further includes providing the associated policy and mobile application to a mobile device where the enforcement libraries restrict the app as instructed by the policy. | 11-07-2013 |
20130298186 | System and Method for Policy Based Privileged User Access Management - Embodiments dynamically manage privileged access to a computer system according to policies enforced by a rule engine. User input to the rule engine may determine an extent of system access, as well as other features such as intensity of user activity logging (including logging supplemental to a system activity log). Certain embodiments may provide access based upon user selection of a pre-configured ID at a dashboard, while other embodiments may rely upon direct user input to the rule engine to generate an ID at a policy enforcement point. Embodiments of methods and apparatuses may be particularly useful in granting and/or logging broad temporary access rights allowed based upon emergency conditions. | 11-07-2013 |
20130298187 | MANAGING VIRTUAL IDENTITIES - Multiple personas associated with an identity are managed. Managing multiple personas may comprise providing a list of available personas associated with an authenticated user on a workspace, each available persona comprising policy information and configuration information, receiving a selection of a persona selected from the list of available personas and providing policy information and configuration information to a security enforcement point for a program for the selected persona. The persona can also include authentication information. The policy information may be used to determine access to a program. | 11-07-2013 |
20130298188 | TECHNIQUES FOR PROJECT LIFECYCLE STAGED-BASED ACCESS CONTROL - Techniques for project lifecycle staged-based access control are provided. Access control rights are defined for a stage of a project's lifecycle. As requestors transition to the stage, the access control rights are enforced on top of any existing security restrictions. In an embodiment, selective resources are not visible to requestors within the stage in response to the access control rights. | 11-07-2013 |
20130298189 | Functionality Watermarking and Management - A method, system and non-transitory computer-readable medium product are provided for functionality watermarking and management. In the context of a method, a method is provided that includes identifying a request to perform at least one function of a user device and identifying at least one watermark template. The method further includes applying the at least one watermark template to at least one function of the user device and authorizing the request to perform the at least one function of the user device. | 11-07-2013 |
20130298190 | SYSTEMS AND METHODS FOR MANAGING APPLICATION SECURITY PROFILES - Systems and methods for configuring and evaluating policies that direct processing of one or more data streams are described. A configuration interface is described for allowing users to specify object oriented policies. These object oriented policies may allow any data structures to be applied with respect to a payload of a received packet stream, including any portions of HTTP traffic. A configuration interface may also allow the user to control the order in which policies and policy groups are executed, in addition to specifying actions to be taken if one or more policies are undefined. Systems and methods for processing the policies may allow efficient processing of object-oriented policies by applying potentially complex data structures to unstructured data streams. A device may also interpret and process a number of flow control commands and policy group invocation statements to determine an order of execution among a number of policies and policy groups. These policy configurations and processing may allow configuration and processing of complex network behaviors relating to load balancing, VPNs, SSL offloading, content switching, application security, acceleration, and caching. | 11-07-2013 |
20130298191 | MANAGING COMMUNICATIONS BETWEEN COMPUTING NODES - Techniques are described for managing communications between multiple intercommunicating computing nodes, such as multiple virtual machine nodes hosted on one or more physical computing machines or systems. In some situations, users may specify groups of computing nodes and optionally associated access policies for use in the managing of the communications for those groups, such as by specifying which source nodes are allowed to transmit data to particular destination nodes. In addition, determinations of whether initiated data transmissions from source nodes to destination nodes are authorized may be dynamically negotiated for and recorded for later use in automatically authorizing future such data transmissions without negotiation. This abstract is provided to comply with rules requiring an abstract, and it is submitted with the intention that it will not be used to interpret or limit the scope or meaning of the claims. | 11-07-2013 |
20130305311 | APPARATUS AND METHOD FOR PROVIDING A FLUID SECURITY LAYER - A security management capability enables migration of individual security rules between storage/application locations. The migration of a security rule may include selection of a location at which the security rule is to be applied and migration of the security rule to the selected location at which the security rule is to be applied. The selection of the location at which the security rule is to be applied may be performed based on security rule policies and/or security rule location selection information. The security rule is migrated from a current location (e.g., a location at which the security rule is currently applied, a management system, or the like) to the selected location at which the security rule is to be applied. In this manner, a fluid security layer may be provided. The fluid security layer may be optimized for one or more of security level, performance, cost, or the like. | 11-14-2013 |
20130305312 | METHOD AND SYSTEM FOR AUTHENTICATION BY DEFINING A DEMANDED LEVEL OF SECURITY - There is provided a computer-implemented method for authentication, the method comprising: | 11-14-2013 |
20130305313 | AUTHENTICATION POLICY USAGE FOR AUTHENTICATING A USER - A method and system for authenticating a user. A first server of multiple servers generates an authentication policy table by inserting into the authentication policy table an authentication policy of each server and setting a relative priority of each server in the authentication policy table of the first server in order of decreasing number of users registered in an authentication system of each server. The authentication policy of each server is at least one rule of each server for authenticating users of a federated computing environment that includes the multiple servers. The first server receives an access request from the user to access the federated computing environment, receives input authentication information from the user, and determines from use of both the input authentication information and the at least one rule in the authentication policy table of the first server that the user is authorized to access the federated computing environment. | 11-14-2013 |
20130312054 | Transport Layer Security Traffic Control Using Service Name Identification - Traffic control techniques are provided for intercepting an initial message in a handshaking procedure for a secure communication between a first device and a second device at a proxy device. Identification information associated with the second device is extracted from the initial message. A policy is applied to communications between the first device and second device based on the identification information. | 11-21-2013 |
20130312055 | SECURITY MANAGEMENT DEVICE AND METHOD - In a case where a master virtual machine, which is constructed on the basis of master information for configuring either part or all of a virtual machine, and an individual virtual machine, which is constructed on the basis of individual information that is configured partially or entirely in accordance with the master information, exist as the types of virtual machines that a physical client provides to a user terminal, a security check of a plurality of virtual machines is selectively executed, with respect to each check item, for a virtual machine of the type corresponding to the contents of the check item. | 11-21-2013 |
20130312056 | Zone-Based Firewall Policy Model for a Virtualized Data Center - Techniques are provided for implementing a zone-based firewall policy. At a virtual network device, information is defined and stored that represents a security management zone for a virtual firewall policy comprising one or more common attributes of applications associated with the security zone. Information representing a firewall rule for the security zone is defined and comprises first conditions for matching common attributes of applications associated with the security zone and an action to be performed on application traffic. Parameters associated with the application traffic are received that are associated with properly provisioned virtual machines. A determination is made whether the application traffic parameters satisfy the conditions of the firewall rule and in response to determining that the conditions are satisfied, the action is performed. | 11-21-2013 |
20130312057 | Functionality Management via Application Modification - Methods, systems, apparatuses, and/or computer-readable media for providing device management via application modification may be provided. In some embodiments, a request to perform an action may be received. Upon determining that the action is associated with a metered resource, a further determination may be made as to whether the request complies with at least one management policy. In response to determining that the request complies with the at least one management policy, the requested action may be authorized and/or caused to be performed. | 11-21-2013 |
20130312058 | SYSTEMS AND METHODS FOR ENHANCING MOBILE SECURITY VIA ASPECT ORIENTED PROGRAMMING - Methods and systems described herein relate to enhancing security on a mobile device. A method for enhancing mobile device security includes applying a security policy to process code by an aspect-oriented program. | 11-21-2013 |
20130312059 | RECEIVING DEVICE, TRANSMITTING DEVICE, BROADCASTING SYSTEM, RECEIVING METHOD, AND NON-TRANSITORY COMPUTER-READABLE RECORDING MEDIUM - A receiving device includes: an output unit configured to output content broadcast from a transmitting device; an application execution unit configured to execute an application; a security policy acquiring unit configured to acquire security policy level data sent from the transmitting device with respect to the application, the security policy level data indicating a sorted level of the application; a policy level acquiring unit configured to acquire policy level data sent from the transmitting device with respect to currently broadcast content, the policy level data indicating a sorted level of the currently broadcast content; a determining unit configured to determine whether or not the application is an application to be controlled, based on the policy level data acquired by the policy level acquiring unit and the security policy data of the application acquired by the security policy acquiring unit; and an application control unit configured to instruct the application execution unit to control the application determined to be the application to be controlled. | 11-21-2013 |
20130312060 | Creating an Access Control Policy Based on Consumer Privacy Preferences - A system for generating an access control policy comprises a user interface ( | 11-21-2013 |
20130318567 | Reporting and Management of Computer Systems and Data Sources - A system and method are provided for managing data, such as for example security or other business data. For the example of security data, security data is received from a plurality of assets that may or may not be remotely located. A plurality of security metrics are computed and normalized according to thresholds. Security metrics are aggregated to generate an aggregate score, this may include weighting the metrics according to metric priorities. A change effort corresponding to each metric is also received and a corresponding change effort for the aggregate score is calculated. Aggregate scores and aggregate change efforts are analyzed to generate risk reduction recommendations. Upon instruction, metrics corresponding to an aggregate score may be displayed including recommendations of metrics for risk reduction. The recommended metrics may be selected according to analysis of change-to-effort ratios for the metrics. | 11-28-2013 |
20130326577 | POLICY ENFORCEMENT FOR MULTIPLE DEVICES USING AN AUDIENCE DEFINITION - In one embodiment, a method determines an audience rule to be applied for delivering content. The audience rule specifies an audience that is defined based on a combination of device properties, content properties, and digital rights management (DRM) properties. A device group associated with a group of devices is determined where devices in the device group are associated with content authorization properties, device properties, and digital rights management (DRM) properties. The method then applies the audience rule to the device group to determine any devices in the group of devices in which a content authorization for a device should be altered based on analyzing the content authorization properties, device properties, and digital rights management (DRM) properties of the device group and the combination of device properties, content properties, and digital rights management (DRM) properties of the audience rule. | 12-05-2013 |
20130326578 | METHOD AND APPARATUS FOR DETERMINING PRIVACY POLICY BASED ON DATA AND ASSOCIATED VALUES - A method includes determining at least one value for at least one instance of data; determining at least one privacy policy, at least one security policy, or a combination thereof based, at least in part, on the at least one value; and causing, at least in part, an application of the at least one privacy policy, the at least one security policy, or a combination thereof with respect to the at least one instance of data. | 12-05-2013 |
20130326579 | HEALTHCARE PRIVACY BREACH PREVENTION THROUGH INTEGRATED AUDIT AND ACCESS CONTROL - A computer-implemented method for compliance with a privacy requirement. The method comprises analyzing, using one or more processors, an access log related to a history of users accessing records; deriving a plurality of roles assigned to the users and a plurality of accesses reflecting actions taken by the users; and deriving from the access log a mapped log comprising a plurality of mapping records including a plurality of mapped role-access pairs. The method further comprises generating, using the one or more processors, a reduced log including a plurality of reduced records comprising a mapped role-access pair and statistics that are associated with the mapped role-access pair, the statistics being derived from a subset of the mapping records that include the mapped role-access pair; and deriving an access policy based on the reduced log, wherein the access policy includes a plurality of proposed role-access pairs. | 12-05-2013 |
20130326580 | METHODS AND APPARATUS FOR CREATING AND IMPLEMENTING SECURITY POLICIES FOR RESOURCES ON A NETWORK - Methods and apparatus for creating an access permission relationship for resources may include receiving and presenting a matrix comprising roles for users of a system and resources on the system. The methods and apparatus may also include presenting access permissions at an intersection of a role and a resource on the matrix and receiving an assignment of one or more access permissions for the role and the resources. The methods and apparatus may include creating a security policy for the resources based on the assigned access permissions. | 12-05-2013 |
20130326581 | Client Side Security Management for an Operations, Administrations and Maintenance System for Wireless Clients - An Operations, Administration, and Maintenance (OA&M) | 12-05-2013 |
20130332981 | METHOD AND SYSTEM FOR EXTENDING SELINUX POLICY WITH ENFORCEMENT OF FILE NAME TRANSLATIONS - An operating system identifies a request of a process to create, in a file system of the computing device, a new object, the new object having a name. The operating system identifies a policy rule applicable to the new object using a label of the process, a label of a parent object pertaining to the new object, a class of the new object, and the name of the new object. The operating system creates a label for the new object using the applicable policy rule and associates the new object with the created label. | 12-12-2013 |
20130332982 | SYSTEM AND METHOD FOR IDENTITY BASED AUTHENTICATION IN A DISTRIBUTED VIRTUAL SWITCH NETWORK ENVIRONMENT - An example method includes forwarding user credentials from a virtual machine in a distributed virtual switch (DVS) network environment to a network element outside the DVS network environment, receiving a user policy from the AAA server, and facilitating enforcement of the user policy within the DVS network environment. The user credentials may relate to a user attempting to access the VM. In a specific embodiment, the user credentials are provided in a 802.1X packet. In a particular embodiment, a network access control (NAC) in the DVS network environment forwards the user credentials, receives the user policy, and facilitates the enforcement of the user policy. In one embodiment, the NAC is provisioned as another VM in the DVS network environment. | 12-12-2013 |
20130332983 | Elastic Enforcement Layer for Cloud Security Using SDN - An efficient elastic enforcement layer (EEL) for realizing security policies is deployed in a cloud computing environment based on a split architecture framework. The split architecture network includes a controller coupled to switches. When the controller receives a packet originating from a source VM, it extracts an application identifier from the received packet that identifies an application running on the source VM. Based on the application identifier, the controller determines a chain of middlebox types. The controller further determines middlebox instances based on current availability of resources. The controller then adds a set of rules to the switches to cause the switches to forward the packet toward the destination VM via the middlebox instances. | 12-12-2013 |
20130332984 | AUTHORIZATION SYSTEM FOR HETEROGENEOUS ENTERPRISE ENVIRONMENTS - A unified authorization system for an enterprise that includes heterogeneous access control environments is provided. For example, components in the enterprise utilizing either JPS or OAM can both use the unified authorization system to perform authorization. A common policy store can contain policies applicable to diverse components in a canonical form conducive to varieties of access control models. The data model used within the common policy store can support access control features found in both JPS and OAM environments, such as both role-based policies and delegable access control administration. The common policy store can enable the querying and retrieval of authorization policies that are based on various access control models. A single unified administrator interface permits administrators of applications following any kind of access control model to administer policies for resources. A single unified policy decision engine can evaluate whether authorization policies are satisfied, regardless of the access control models that those policies follow. | 12-12-2013 |
20130332985 | OBLIGATION SYSTEM FOR ENTERPRISE ENVIRONMENTS - An authorization system that conforms to legacy access control models provides mechanisms whereby structures already existing within those legacy access control models can be used to pass additional information to and from that authorization system. Because the authorization system conforms to the legacy model, legacy applications can still interact with the authorization system without modification. Because the authorization system also provides mechanisms whereby the existing structures can be used to pass the additional information or return additional information, more advanced applications can make use of enhanced access control features of the authorization system. Such enhanced features can involve policy-based decisions that take into account the additional information in determining whether to permit resource access. Such enhanced features can involve the placement of policy-specified obligations within the existing structures to be returned back to the advanced applications. Such obligations can indicate requirements that those applications need to fulfill in conjunction with performing operations on resources. | 12-12-2013 |
20130332986 | METHODS AND APPARATUS FOR DYNAMICALLY REDUCING VIRTUAL PRIVATE NETWORK TRAFFIC FROM MOBILE DEVICES - A computer-implemented method for dynamically directing mobile device traffic in a computing system programmed to perform the method includes receiving with the computing system, a request for resolution of a domain name associated with a web address from a mobile device, determining in the computing system, whether the domain name is not subject to security policies, determining in the computing system, a publically-accessible IP address associated with the domain name, when the domain name is determined to not be subject to the security policies, the method comprises providing from the computing system, the publically-accessible IP address associated with the domain name to the mobile, and when the domain name is determined to be subject to the security policies, the method comprises providing from the computing system, an IP address associated with the computing system to the mobile. | 12-12-2013 |
20130332987 | DATA COLLECTION AND ANALYSIS SYSTEMS AND METHODS - This disclosure relates to systems and methods for the secure management of digital or electronic information relating to a user. In certain embodiments, systems and methods disclosed herein may allow for personal information related to a user to be managed, shared, and/or aggregated between one or more devices used by the user to consume content. In further embodiments, systems and methods disclosed herein may be used to ensure privacy and/or security of user personal information. | 12-12-2013 |
20130332988 | Aggregating The Knowledge Base Of Computer Systems To Proactively Protect A Computer From Malware - Techniques for aggregating a knowledge base of a plurality of security services or other event collection systems to protect a computer from malware are provided. In embodiments, a computer is protected from malware by using anti-malware services or other event collection systems to observe suspicious events that are potentially indicative of malware. A determination is made as to whether a combination of the suspicious events is indicative of malware. If the combination of suspicious events is indicative of malware, a restrictive security policy designed to prevent the spread of malware is implemented. | 12-12-2013 |
20130332989 | Watermarking Detection and Management - A method, system and non-transitory computer-readable medium product are provided for watermarking detection and management. In the context of a method, a method is provided that includes identifying at least one resource accessible to a user device and determining whether a watermark template is applied to the at least one resource accessible to the user device. The method further includes identifying at least one compliance rule and determining whether the at least one compliance rule is satisfied in response to a determination that the watermark template is applied to the at least one resource accessible to the user device. The method yet further includes performing at least one remedial action in response to a determination that the at least one compliance rule is not satisfied. | 12-12-2013 |
20130332990 | Enforcement Of Data Privacy To Maintain Obfuscation Of Certain Data - A computer-readable medium is disclosed that tangibly embodies a program of machine-readable instructions executable by a digital processing apparatus to perform operations including determining whether data to be released from a database is associated with one or more confidential mappings between sets of data in the database. The operations also include, in response to the data being associated with the one or more confidential mappings, determining whether release of the data meets one or more predetermined anonymity requirements of an anonymity policy. Methods and apparatus are also disclosed. | 12-12-2013 |
20130332991 | METHOD AND SYSTEM FOR DYNAMICALLY ASSOCIATING ACCESS RIGHTS WITH A RESOURCE - A method for dynamically associating, by a server, access rights with a resource includes the step of receiving, by the server, a request for a resource from a client. The server requests, from a policy engine, an identification of a plurality of access rights to associate with the resource, the plurality of access rights identified responsive to an application of a policy to the client. The server associates the resource with the plurality of access rights via a rights markup language. The server transmits the resource to the client with the identification of the associated plurality of access rights. An application program on the client makes an access control decision responsive to the associated plurality of access rights. The application program provides restricted access to the resource responsive to the access control decision. | 12-12-2013 |
20130340026 | Association of Service Policies Based on the Application of Message Content Filters - A method for associating service policies based on application of message content filters to messages sent by a consumer may include receiving a message in which the message relates to a service accessible via a network and access to the service is restricted by a policy enforcement runtime. The method may further include applying at least one message content filter to the message content received to extract information indicative of a message flow associated with a configured policy attachment and correlating the message flow to a selected policy regarding consumer access to the service. The method may further include enforcing the selected policy relative to access to the service by the consumer. | 12-19-2013 |
20130340027 | Provisioning Managed Devices with States of Arbitrary Type - Described is a technology by which a target machine (managed device) is provisioned with arbitrary states for subsequent communication with a central authority, in which the configuration provisioning of the device is decoupled from the collection of the provisioning data. In a provisioning phase, arbitrary state information for provisioning the managed device is obtained and packaged in a container. In a configuration phase, the container is accessed, and the arbitrary state information is unpackaged to apply state to the managed device. The target machine thus may be provisioned with arbitrary states without actively communicating with the central authority. | 12-19-2013 |
20130340028 | Secure web container for a secure online user environment - Disclosed herein are systems and methods that allow for secure access to websites and web-based applications and other resources available through the browser. Also described are systems and methods for invocation of a secure web container which may display data representative of a requesting party's application at a user's machine. The secure web container is invoked upon receipt of an API call from the requesting party. Thus, described in the present specification are systems and methods for constructing and destroying private, secure, browsing environments (a secure disposable web container), insulating the user and requesting parties from the threats associated with being online for the purposes of providing secure, policy-based interaction with a requesting party's online services. | 12-19-2013 |
20130340029 | ASSOCIATION OF SERVICE POLICIES BASED ON THE APPLICATION OF MESSAGE CONTENT FILTERS - A method for associating service policies based on application of message content filters to messages sent by a consumer may include receiving a message in which the message relates to a service accessible via a network and access to the service is restricted by a policy enforcement runtime. The method may further include applying at least one message content filter to the message content received to extract information indicative of a message flow associated with a configured policy attachment and correlating the message flow to a selected policy regarding consumer access to the service. The method may further include enforcing the selected policy relative to access to the service by the consumer. | 12-19-2013 |
20130340030 | PROPOSAL SYSTEM ACCESS POLICY ENFORCEMENT - Described herein are techniques and mechanisms for access policy creation and enforcement. According to various embodiments, a message may be received via a communications interface. The message may include a request to perform an action within a proposal system. The proposal system may be operable to create a request for proposals based on user input. The request for proposals may describe a business need associated with a business entity. The proposal system may be further operable to process a plurality of proposal documents received in response to the request for proposals. The request may be associated with a user account. A determination may be made as to whether the requested action complies with an access policy. The requested action may be performed when it is determined that the requested action complies with the access policy. | 12-19-2013 |
20130340031 | ACCESS CONTROL SYSTEM FOR A MOBILE DEVICE - A method, apparatus and product that provide an access control system for mobile devices. The mobile device performs: selecting a proxy to handle a request to a remote server, the request being issued by a program executed by the mobile device, wherein the proxy is configured to perform a security action in response to the request; and sending the request to the proxy; whereby the predetermined security action is selectively performed on a portion of the requests issued by the mobile device. Additionally or alternatively, a computer performs: receiving from a mobile device an instruction to provide a Proxy Auto Config (PAC) file; and generating a PAC file that comprises a function which is configured to receive a URL and return a proxy to handle a request to the URL, wherein the proxy is configured to perform a security action in response to receiving a request. | 12-19-2013 |
20130340032 | SYSTEM AND METHOD FOR ACHIEVING COMPLIANCE THROUGH A CLOSED LOOP INTEGRATED COMPLIANCE FRAMEWORK AND TOOLKIT - The disclosed embodiments relate to a method, apparatus, and computer-readable medium for managing policy compliance. An exemplary method comprises receiving, by at least one of the one or more computing devices, information associated with a policy event corresponding to a system resource; determining, by at least one of the one or more computing devices, whether the policy event is in compliance with one or more policies; determining, by at least one of the one or more computing devices, a corrective action if the policy event is not in compliance with at least one of the one or more policies; and transmitting, by at least one of the one or more computing devices, information associated with the corrective action if the policy event is not in compliance with at least one of the one or more policies. | 12-19-2013 |
20130340033 | APPARATUS, METHODS AND MEDIA FOR LOCATION BASED DATA ACCESS POLICIES - A method of administering an application management policy is provided. The method includes determining, in response to a request for access to a service, whether the first device is known. The service is provided by an application running on the server. The method also includes determining whether the first device is capable of providing location information. The method further includes, when it is determined that the first device is incapable of providing the location information, determining whether the first device is in communication with a second device capable of providing second location information. The first and second devices are in close enough proximity that the second location information can be used as a proxy for the first location information. The method also includes determining the physical location of the first device using the second location information. The method further includes setting the policy based on the physical location of the first device. | 12-19-2013 |
20130340034 | APPLICATION AUTHENTICATION POLICY FOR A PLURALITY OF COMPUTING DEVICES - In one embodiment, the present invention includes a method for launching an application authentication policy (AAP) application on a computing device, enabling the device for use as a personal device of a user if the user is authenticated by the AAP application, and otherwise enabling the device for use as a non-personal device that provides only basic functionality but protects other users' personal data and applications. Other embodiments are described and claimed. | 12-19-2013 |
20130340035 | PERFORMING A CHANGE PROCESS BASED ON A POLICY - A request to change a component of an infrastructure is received ( | 12-19-2013 |
20130340036 | POLICY ARBITRATION METHOD, POLICY ARBITRATION SERVER, AND PROGRAM - A policy arbitration method comprises: entering a user policy in which a privacy information holder describes at least one rule that is a pair of a data type of privacy information possessed by the privacy information holder and the way to handle the data type; generating, using the user policy and a service policy set that includes at least one service policy in which a privacy information user describes at least one rule that is a pair of a data type of the privacy information and the way to handle the data type, a ranking of the service policy according to the degree of divergence between the user policy and the service policy; and displaying the service policy ranking on a privacy information holder terminal. | 12-19-2013 |
20130347052 | MULTI-PART INTERNAL-EXTERNAL PROCESS SYSTEM FOR PROVIDING VIRTUALIZATION SECURITY PROTECTION - In embodiments of the present invention improved capabilities are described for a host machine that manages a plurality of virtual machines associated with an enterprise through a supervisory process, the host machine including a threat management facility coupled in a communicating relationship with the plurality of virtual machines and enforcing a security policy of the enterprise for the plurality of virtual machines; and a first virtual machine from among the plurality of virtual machines, the first virtual machine capable of operating in a first state on the host machine wherein the security policy is enforced by the threat management facility, and the first virtual machine capable of operating in a second state wherein a local security facility executable on the first virtual machine autonomously enforces the security policy in the absence of the threat management facility. | 12-26-2013 |
20130347053 | Approach For Managing Access To Data On Client Devices - A device management system is configured to manage access to electronic documents on client devices using policies. The policies specify one or more download and processing restrictions to be enforced with respect to the particular electronic document at client devices, for example, particular hardware and software configurations that are required at client devices before data is permitted to be downloaded to those client devices. The policies may also specify other requirements that must be satisfied before data is permitted to be downloaded to those client devices, for example, user authentication. | 12-26-2013 |
20130347054 | Approach For Managing Access To Data On Client Devices - A device management system is configured to manage access to electronic documents on client devices using policies. The policies specify one or more download and processing restrictions to be enforced with respect to the particular electronic document at client devices, for example, particular hardware and software configurations that are required at client devices before data is permitted to be downloaded to those client devices. The policies may also specify other requirements that must be satisfied before data is permitted to be downloaded to those client devices, for example, user authentication. | 12-26-2013 |
20130347055 | Approach For Managing Access To Data On Client Devices - A device management system is configured to manage access to electronic documents on client devices using policies. The policies specify one or more download and processing restrictions to be enforced with respect to the particular electronic document at client devices, for example, particular hardware and software configurations that are required at client devices before data is permitted to be downloaded to those client devices. The policies may also specify other requirements that must be satisfied before data is permitted to be downloaded to those client devices, for example, user authentication. | 12-26-2013 |
20130347056 | Content Rights Protection with Arbitrary Correlation of Second Content - A disclosed content rights management system defines a content usage policy via a conditional rule set contained in metadata. The conditional rule set is correlated to at least one second content. An access control manager determines, dynamically, access rights conferrable to a user device or a server, based on the content usage policy and user history parameters. The embodiments may confer limited access rights for a first activity by a user device, or by a server, with respect to the protected content and the second content, and block a second activity with respect to the protected content and the second content, in response to determining that the request for the second content, in conjunction with the user history parameters, does not comply with the conditional rule set for the second activity. | 12-26-2013 |
20130347057 | Privacy Manager for Restricting Correlation of Meta-Content Having Protected Information Based on Privacy Rules - A method intercepts correlation instructions related to a plurality of meta-content elements associated with a primary content. The primary content or the meta-content elements may have associated privacy rules. At least one meta-content element of the group is selected as having privacy protected information specified in the privacy rules. A set of meta-content items, of meta-content element, are determined that are subject to a correlation restriction based on evaluation of the privacy rules with respect to each meta-content item contained in the meta-content element, and the privacy rules for the set of meta-content items are enforced. The privacy rule enforcement may involve preventing execution of the correlation instructions, excluding the selected at least one meta-content element from a correlation based on the correlation instructions, excluding the set of meta-content items from a correlation based on the correlation instructions, or restricting access to a correlation result based on the correlation instructions. | 12-26-2013 |
20130347058 | Providing Geographic Protection To A System - In one embodiment, a method includes determining a location of a system responsive to location information received from at least one of a location sensor and a wireless device of the system, associating the location with a key present in the system to generate an authenticated location of the system, and determining whether the authenticated location is within a geofence boundary indicated in a location portion of a launch control policy (LCP) that provides a geographic-specific policy. Other embodiments are described and claimed. | 12-26-2013 |
20130347059 | Method for Propagating Access Policies - The present disclosure describes a network appliance and associated access policy protocol (APP) that communicates and obeys access policies within a network. The network appliance (APP node) propagates access policies to other APP nodes that can utilize the policies most effectively. When an access policy reaches the network boundary, intra network bandwidth is optimized. The access policies may be distributed and executed in the cloud—e.g. proxy firewall, proxy policy execution. | 12-26-2013 |
20130347060 | SYSTEMS AND METHODS FOR COMBINED PHYSICAL AND CYBER DATA SECURITY - Methods and systems for protecting computer systems against intrusion. The disclosed techniques detect intrusions by jointly considering both cyber security events and physical security events. In some embodiments, a correlation subsystem receives information related to the computer system and its physical environment from various information sources in the cyber domain and in the physical domain. The correlation subsystem analyzes the information and identifies both cyber security events and physical security events. The correlation subsystem finds cyber security events and physical security events that are correlative with one another, and uses this correlation to detect intrusions. | 12-26-2013 |
20130347061 | SYSTEM, METHOD AND COMPUTER PROGRAM PRODUCT FOR PUBLISHING NON-MALICIOUS THIRD PARTY CONTENT TO A DATA FEED - In accordance with embodiments, there are provided mechanisms and methods for publishing non-malicious third party content to a data feed. These mechanisms and methods for publishing non-malicious third party content to a data feed can provide analysis of third party content requested to be published to a data feed, which can be used to safeguard against the publication of malicious content to the data feed. | 12-26-2013 |
20130347062 | SECURED NETWORK ARRANGEMENT AND METHODS THEREOF - A high density network arrangement for managing an integrated secured multiple networks arrangement is provided. The arrangement includes a power module for providing power to a circuitry of the high density network arrangement. The arrangement also includes a plurality of network interfaces, wherein each network interface of the plurality of network interfaces is configured for coupling with a network arrangement. The arrangement further includes a processor for providing processing capability to the high density network arrangement. The arrangement yet also includes a logic arrangement for managing data traffic flowing through the plurality of network interfaces, wherein the data traffic is configured to traverse the high density network arrangement between the plurality of network arrangement interfaces irrespective of whether the power is provided to the circuitry of the high density network arrangement. | 12-26-2013 |
20140007177 | SECURE AUTHENTICATION USING MEMORY CARDS | 01-02-2014 |
20140007178 | MODEL FOR MANAGING HOSTED RESOURCES USING LOGICAL SCOPES | 01-02-2014 |
20140007179 | IDENTITY RISK SCORE GENERATION AND IMPLEMENTATION | 01-02-2014 |
20140007180 | PREVENTION OF INFORMATION LEAKAGE FROM A DOCUMENT BASED ON DYNAMIC DATABASE LABEL BASED ACCESS CONTROL (LBAC) POLICIES | 01-02-2014 |
20140007181 | SYSTEM AND METHOD FOR DATA LOSS PREVENTION IN A VIRTUALIZED ENVIRONMENT | 01-02-2014 |
20140007182 | SECURE MOBILE BROWSER FOR PROTECTING ENTERPRISE DATA | 01-02-2014 |
20140007183 | CONTROLLING MOBILE DEVICE ACCESS TO ENTERPRISE RESOURCES | 01-02-2014 |
20140007184 | Method and System for Protecting Data Flow at a Mobile Device | 01-02-2014 |
20140007185 | Automatic Association of Authentication Credentials with Biometrics | 01-02-2014 |
20140007186 | PREVENTION OF INFORMATION LEAKAGE FROM A DOCUMENT BASED ON DYNAMIC DATABASE LABEL BASED ACCESS CONTROL (LBAC) POLICIES | 01-02-2014 |
20140007187 | AUTOMATED DISCOVERY AND LAUNCH OF AN APPLICATION ON A NETWORK ENABLED DEVICE | 01-02-2014 |
20140013382 | OPTIONS DETECTION IN SECURITY PROTOCOLS - The embodiments provide an apparatus for detecting configuration options including an option detector configured to receive a basic model of a security protocol and a set of options, where each option is a variation of the basic model. The option detector is configured to detect which options are configured in an implementation of at least one security protocol entity based on the basic model and the set of options. | 01-09-2014 |
20140013383 | NETWORK NODE AND METHOD TO CONTROL ROUTING OR BYPASSING OF DEPLOYED TRAFFIC DETECTION FUNCTION NODES - A network is described herein which can control, through subscriber profile data and/or policy preconfigured control data, whether deep packet inspection for data flow/s for an Internet Protocol-Connectivity Access Network (IP-CAN) session established by an end user should take place, or not, according to a defined “User Privacy Policy”, and, in the former case, to which traffic detection function (TDF) node the data flow(s) should be directed. | 01-09-2014 |
20140013384 | NETWORK APPLIANCE FOR VULNERABILITY ASSESSMENT AUDITING OVER MULTIPLE NETWORKS - An apparatus, system, and method are directed towards enabling auditing of network vulnerabilities from multiple network vantage points virtually simultaneously. Multiple network vantage points may include, but are not limited to, remote/branch enterprise sites, devices on an enterprise perimeter, on either side of a security perimeter, and even through the security perimeter. In one embodiment, an auditor performs reflected audits thereby extending auditing of network vulnerabilities to provide a comprehensive 360 degree audit of internal, external, and remote enterprise network sites. In one embodiment, the present invention may be implemented employing a single auditing device, and one or more audit extension devices that are configured to extend the auditing device's audit reach. The auditing device and one or more audit extension devices may communicate using an encrypted network channel through a security perimeter and/or across multiple networks. | 01-09-2014 |
20140013385 | POLICY-BASED SELECTION OF REMEDIATION - Methods and systems for remediating a security policy violation on a computer system are provided. According to one embodiment, information is received by one computer system regarding a program-code-based operational state of another computer system at a particular time. It is determined whether the program-code-based operational state represents a violation of security policies that have been applied to or are active in regard to the computer system at issue by evaluating the received information with respect to the security policies. Each security policy defines at least one parameter condition violation of which is potentially indicative of unauthorized activity or manipulation to make the computer system at issue vulnerable to attack. When a security policy violation is detected, then a remediation is identified that can address the violation; and the remediation is caused to be deployed to the computer system at issue. | 01-09-2014 |
20140013386 | METHOD, APPARATUS AND PROGRAM STORAGE DEVICE FOR PROVIDING NETWORK PERIMETER SECURITY ASSESSMENT - A method for providing network perimeter security assessment that involves a combination of perimeter security assessment disciplines is disclosed. A security review of a network perimeter architecture is performed along with a review of the security of data processing devices that transfer data across the perimeter of the network, a review of the security of applications that transfer data across said perimeter and a review of the vulnerability of applications or data processing devices within said perimeter from computers or users outside of said perimeter. Each of the reviews may be performed by comparison to a security policy of an enterprise that owns or controls the network. | 01-09-2014 |
20140020043 | AUTOMATING AND/OR RECOMMENDING DATA SHARING COORDINATION AMONG APPLICATIONS IN MOBILE DEVICES - Coordinating data sharing among applications in mobile devices, in one aspect, may include a shared data manager application on a mobile device that manages data trade requirements automatically of a plurality of mobile applications, and permission grants or denials to reads and writes of data managed by the shared data manager and used by the plurality of mobile applications. | 01-16-2014 |
20140020044 | UNIFORM POLICY FOR SECURITY AND INFORMATION PROTECTION - System and methods for the implementation and/or enforcement of an email policy for an organization's email system are presented. A Data Loss Prevention (DLP) policy may be implemented on top of the email system. In one embodiment, the DLP policy may comprise modules and/or processing that tests emails for such sensitive data within emails. If an email comprises such sensitive data, then the DLP policy directives may specify processing to be applied as part of each stage of mail processing, from authoring to mail processing on the server and delivery. A single policy may be authored and managed that will apply the policy directives uniformly across all aspects of the message lifecycle. Each of the message policy enforcement systems may evaluate the single policy definition and apply the policy directives in a manner consistent with the contextual evaluation of the policy. | 01-16-2014 |
20140020045 | DATA DETECTION AND PROTECTION POLICIES FOR E-MAIL - Systems and/or methods for deploying and implementing a data loss prevention (DLP) policy definition that may encapsulate the requirements, control objectives and directives, and/or the definitions of sensitive data types as stipulated directly or indirectly by the regulatory policy are disclosed. In one embodiment, DLP policies may be identified by an organization to run on top of a set of electronic file systems (e.g., email systems, file systems, web servers and the like). Organizations and their administrators may implement a set of DLP policy instances which are derived from DLP policy templates. DLP policy templates may comprise both structure and meaning—and may acquire a given DLP policy by the replacement of parameterized expressions with desired parameter values. In another embodiment, the state of the DLP policy instance may change according to the lifecycle of the policy instance deployment. | 01-16-2014 |
20140020046 | SOURCE CODE ANALYSIS OF INTER-RELATED CODE BASES - A method and system for analyzing source code is disclosed. A computer identifies a call in a first source code to an application programming interface in a second source code. Responsive to identifying the call in the first source code to the application programming interface in the second source code, the computer determines whether a set of policies for calls to application programming interfaces includes a policy for calls to the application programming interface. Responsive to a determination that the set of policies for calls to application programming interfaces does not include the policy for calls to the application programming interface, the computer generates the policy for calls to the application programming interface and adds the generated policy to the set of policies for calls to application programming interfaces. | 01-16-2014 |
20140020047 | CLOUD EMAIL MESSAGE SCANNING WITH LOCAL POLICY APPLICATION IN A NETWORK ENVIRONMENT - A method for applying policies to an email message includes receiving, by an inbound policy module in a protected network, message metadata of an email message. The method also includes determining, based on the message metadata, whether receiving the email message in the protected network is prohibited by at least one metadata policy. The method further includes blocking the email message from being forwarded to the protected network if receiving the email message in the protected network is prohibited by the metadata policy. In specific embodiments, the method includes requesting scan results data for the email message if receiving the email message in the protected network is not prohibited by one or more metadata policies. In further embodiments, the method includes receiving the scan results data and requesting the email message if receiving the email message in the protected network is not prohibited by one or more scan policies. | 01-16-2014 |
20140020048 | METHODS AND SYSTEMS FOR PROVIDING CONTENT WORKFLOW - Methods and systems for providing a content workflow include, for example, various embodiments for ascribing metadata and processing media assets such as video, audio, and the like for ingestion into a media delivery platform. The content workflow can be implemented in a client/server environment where media assets can be ingested and processed electronically. According to an exemplary embodiment, a method for operating a system includes receiving, via the system, a metadata file for at least one of audio and video content represented by a title, the metadata file including a provider identification; and generating, via the system and in response to the provider identification, one or more software elements representing one or more rules for distributing the content. | 01-16-2014 |
20140020049 | SYSTEM AND METHOD FOR POLICY DRIVEN PROTECTION OF REMOTE COMPUTING ENVIRONMENTS - A system that incorporates teachings of the subject disclosure may include, for example, receiving multiple software agents and configuring a network of the multiple software agents according to a predetermined policy. The process can further include facilitating secure communications among software agents of the network of the multiple software agents according to the predetermined policy. A state of one of the system, a system environment within which the system operates, or a combination thereof can be determined, based on the secure communications among the software agents of the network of the multiple software agents. A computing environment can be facilitated conditionally on the state of the one of the system, the system environment, or the combination thereof, according to the predetermined policy to support a mission application. Other embodiments are disclosed. | 01-16-2014 |
20140020050 | Method for Determining Integrity in an Evolutionary Collaborative Information System - A method for determining integrity in an evolutionary collaborative information system is provided. The method involves recursively defining interaction of each component ensemble that respects product and technology information for identifying credentials on components and constraints on component interactions. Constraints are explicitly defined as interactional properties that are measured, derived from measurements, or evaluated from other constraints or credentials in the context of a component ensemble. Credentials are defined as properties of components that are measured, derived from measurements, or evaluated from other credentials in the context of a component ensemble. The applied ensemble decompositions that realize a service are identified for a service invocation. The values of constraints and the values of credentials in the ensemble decompositions are recursively evaluated. The integrity of the ensembles as a function of the values of the credentials and constraints is determined. | 01-16-2014 |
20140020051 | USER TO USER DELEGATION SERVICE IN A FEDERATED IDENTITY MANAGEMENT ENVIRONMENT - Method for providing user-to-user delegation service in federated identity environment, characterized in that it comprises a delegation or assignment step wherein a delegator specifies said delegation at an identity provider for delegating a privilege or task to a delegatee to be performed at a service provider. | 01-16-2014 |
20140020052 | METHODS AND SYSTEMS FOR NETWORK-BASED MANAGEMENT OF APPLICATION SECURITY - To control privileges and access to resources on a per-process basis, an administrator creates a rule that may be applied to modify a process's token. The rule includes an application-criterion set and changes to be made to the groups and/or privileges of a token. The rule is set as a policy within a group policy object (GPO), where a GPO is associated with one or more groups of computers. When a GPO containing a rule is applied to a computer, a driver installed on the computer accesses the rule(s) anytime a logged-on user executes a process. If the executed process satisfies the criterion set of a rule the changes contained within the rule are made to the process token, and the user has expanded and/or contracted access and/or privileges for only that process. | 01-16-2014 |
20140020053 | SETTING DEFAULT SECURITY FEATURES FOR USE WITH WEB APPLICATIONS AND EXTENSIONS - According to one general aspect, a computer-implemented method for implementing default security features for web applications and browser extensions includes receiving a request to include a web application or a web browser extension in a digital marketplace. A determination is made if the web application or the web browser extension conforms to default security features, wherein the default security features include a prohibition against running in-line script on web pages. The web application or the browser extension is included in the digital marketplace if the web application or the browser extension conforms to the default security features. | 01-16-2014 |
20140020054 | Techniques of Transforming Policies to Enforce Control in an Information Management System - In an information management system, policies are deployed to targets and targets can evaluate the policies whether they are connected to or disconnected from the system. The policies may be transferred to the target, which may be a device or user. Relevant policies may be transferred while non-relevant policies are not. The policies may have policy abstractions. | 01-16-2014 |
20140026179 | DYNAMIC USER IDENTIFICATION AND POLICY ENFORCEMENT IN CLOUD-BASED SECURE WEB GATEWAYS - A cloud-based secure Web gateway, a cloud-based secure Web method, and a network deliver a secure Web gateway (SWG) as a cloud-based service to organizations and provide dynamic user identification and policy enforcement therein. As a cloud-based service, the SWG systems and methods provide scalability and capability of accommodating multiple organizations therein with proper isolation therebetween. There are two basic requirements for the cloud-based SWG: (i) Having some means of forwarding traffic from the organization or its users to the SWG nodes, and (ii) Being able to authenticate the organization and users for policy enforcement and access logging. The SWG systems and methods dynamically associate traffic to users regardless of the source (device, location, encryption, application type, etc.), and once traffic is tagged to a user/organization, various policies can be enforced and audit logs of user access can be maintained. | 01-23-2014 |
20140026180 | SECURITY IN WIRELESS COMMUNICATION SYSTEM AND DEVICE - A method of implementing security in a wireless communication device ( | 01-23-2014 |
20140026181 | DATA LOSS PREVENTION (DLP) METHODS AND ARCHITECTURES BY A CLOUD SERVICE - Embodiments of the present disclosure include data loss prevention (DLP) methods and architectures by a cloud-based service. The disclosed techniques of the cloud-based platform (e.g., collaboration platform in an enterprise environment) can detect (and may optionally prevent) violations to, e.g., corporate policies, which can be configurable by a corporate administrator, for example regarding the use, storage, or transmission of sensitive information. The types of sensitive information can include, for example, financial information—credit card and bank account numbers, Personally Identifiable Information (PII)—Social Security Number (SSN), health/healthcare information, Intellectual Property—earnings forecasts, sales pipeline, trade secrets, source code, etc. | 01-23-2014 |
20140026182 | DATA LOSS PREVENTION (DLP) METHODS BY A CLOUD SERVICE INCLUDING THIRD PARTY INTEGRATION ARCHITECTURES - Embodiments of the present disclosure include data loss prevention methods by a cloud-based service including third party integration architectures. The disclosed techniques of the cloud-based platform (e.g., collaboration platform in an enterprise environment) can detect (and may optionally prevent) violations to, e.g., corporate policies, which can be configurable by a corporate administrator, for example, regarding the use, storage, and/or transmission of sensitive information. The types of sensitive information can include, for example, financial information—credit card and bank account numbers, Personally Identifiable Information (PII)—Social Security Number (SSN), health/healthcare information, Intellectual Property—earnings forecasts, sales pipeline, trade secrets, source code, etc. | 01-23-2014 |
20140026183 | INFORMATION PROCESSING DEVICE AND COMPUTER PROGRAM PRODUCT - According to an embodiment, an information processing device includes a kernel configured to execute a system call, and a managing unit configured to determine whether or not to permit execution of the system call. The kernel includes a holding unit and a system call executing unit. The holding unit holds execution of the system call until a result of determination as to whether or not to permit execution of the system call is returned from the managing unit. The system call executing unit executes the system call. | 01-23-2014 |
20140026184 | METHOD FOR CONFIGURING PERSONAL DATA DISTRIBUTION RULES - The invention pertains to a method for configuring rules for distributing personal data of a social network user (U) with respect to a target contact (CC). The method consists of retrieving behavioral data of the target contact. Based on this retrieved behavioral data and a sensitivities profile defined by the user, an assessment grade is assigned to the target contact with respect to the danger that he or she represents of propagating the user's personal data. Based on the grade assigned to the target contact, a recommendation to configure the rules for distributing his or her personal data is issued to the user. | 01-23-2014 |
20140026185 | System, Method, and Apparatus for Modular, String-Sensitive, Access Rights Analysis with Demand-Driven Precision - A static analysis for identification of permission-requirements on stack-inspection authorization systems is provided. The analysis employs functional modularity for improved scalability. To enhance precision, the analysis utilizes program slicing to detect the origin of each parameter passed to a security-sensitive function. Furthermore, since strings are essential when defining permissions, the analysis integrates a sophisticated string analysis that models string computations. | 01-23-2014 |
20140026186 | WHITE LISTING DNS TOP-TALKERS - Systems and methods for creating a list of trustworthy resolvers in a domain name system. A computer receives a resolver profile for a resolver sending queries to a domain name server. The resolver profile is based on any, or a combination, of a top-talker status of the resolver, a normalcy of distribution of domain names queried, a continuity of distribution of query type, an RD bit status, and information related to query traffic based on the topology of the domain name server. Resolver profiles can be compared to a trust policy to determine whether the resolver is trustworthy. Resolvers deemed trustworthy can be added to a list of trustworthy resolvers. Embodiments can detect the occurrence of a network-based attack. Embodiments can mitigate the effect of a network-based attack by responding only to queries from resolvers on the list of trustworthy resolvers. | 01-23-2014 |
20140033265 | DIGITAL RIGHTS MANAGEMENT IN A COLLABORATIVE ENVIRONMENT - A system for enforcing rights management policies in a collaborative environment is provided. The system may reside at a collaboration host and may include a session manager to manage a collaborative session associated with a plurality of participants, a shared view detector to detect a request to distribute shared content to participants of the collaborative session, a policy module to obtain a rights management policy associated with at least a portion of the shared content, a filter generator to generate a filter based on the obtained rights management policy, and a shared view distributor to distribute the shared content to the participants of the collaborative session together with the filter. | 01-30-2014 |
20140033266 | METHOD AND APPARATUS FOR PROVIDING CONCEALED SOFTWARE EXECUTION ENVIRONMENT BASED ON VIRTUALIZATION - A method and apparatus provides a concealed software execution environment based on virtualization. The method and apparatus constructs a concealed domain that is exclusively executed without being exposed to the outside using a virtualization-based domain separating technology and executes security information such as key information provided by a secure element within the concealed domain. | 01-30-2014 |
20140033267 | TYPE MINING FRAMEWORK FOR AUTOMATED SECURITY POLICY GENERATION - One embodiment provides an automated security policy generation system for a computing system including at least one resource and at least one subject. The automated security policy generation system comprises a clustering module configured for clustering the subjects and the resources into at least one subject cluster and at least one resource cluster, respectively, based on one or more access permissions. Each access permission represents a permission that a subject requires to access a resource. The automated security policy generation system further comprises a recommendation module configured for generating a security recommendation for the computing system based on the subject clusters and the resource clusters. Access to the resources by the subjects is controlled based on the security recommendation. | 01-30-2014 |
20140033268 | AUTOMATED NETWORK DEPLOYMENT OF CLOUD SERVICES INTO A NETWORK - A method for automated network deployment of cloud services into a network is suggested. The method includes receiving a certain cloud service with a certain resource protection template specifying an isolation policy for isolating zones in the network, receiving certain customer protection parameters specifying customer needs regarding protection in the network, providing security requirements by matching the received resource protection templates and the received customer protection parameters, and automatically deploying the certain cloud service into the network by using the provided security requirements. | 01-30-2014 |
20140033269 | COLLABORATIVE GRAPHICS RENDERING USING MOBILE DEVICES TO SUPPORT REMOTE DISPLAY - Systems, devices and methods are described including receiving a policy from a secure storage device, where the policy may be used to implement collaborative rendering of image content. The image content may include multiple portions of image content. The policy may be used to determine rendering assignments for multiple mobile devices where the assignments may specify that a mobile device is to render one content portion while another mobile device is to render another content portion. The rendering assignments may be provided to the mobile devices and rendered output corresponding to the different content portions may be received from the mobile devices. The rendered output may then be assembled into one or more image frames and wirelessly communicated to a remote display. | 01-30-2014 |
20140033270 | SYSTEM AND METHOD FOR PROVIDING CUSTOMIZED RESPONSE MESSAGES BASED ON REQUESTED WEBSITE - The invention describes a system, method and computer product to regulate user access to websites. The system receives a URL request by a user corresponding to a website that the user wishes to access. Thereafter, the system determines the associated group of the user and the associated category of the website. Subsequently, a message to be displayed to the user is determined based on the associated group of the user and the associated category of the website. The message is included in a block page and then displayed to the user. | 01-30-2014 |
20140033271 | Policy-Based Application Management - Improved techniques for managing enterprise applications on mobile devices are described herein. Each enterprise mobile application running on the mobile device has an associated policy through which it interacts with its environment. The policy selectively blocks or allows activities involving the enterprise application in accordance with rules established by the enterprise. Together, the enterprise applications running on the mobile device form a set of managed applications. Managed applications are typically allowed to exchange data with other managed applications, but are blocked from exchanging data with other applications, such as the user's own personal applications. Policies may be defined to manage data sharing, mobile resource management, application specific information, networking and data access solutions, device cloud and transfer, dual mode application software, enterprise app store access, and virtualized application and resources, among other things. | 01-30-2014 |
20140040973 | METHOD FOR CONTROLLING INITIAL ACCESS RIGHTS TO OPEN MOBILE ALLIANCE DEVICE MANAGEMENT SERVERS - A client device and a server device communicate using an Open Mobile Alliance (OMA)-Device Management (DM) protocol. The client device is configured to grant the desired access rights to a newly bootstrapped DM server, upon successful completion of a bootstrap procedure, by using nodes in the Bootstrap Config Management Object (MO) to specify the access rights for different portions of the Management Tree. | 02-06-2014 |
20140040974 | SYNCHRONOUS INTERFACE TO ASYNCHRONOUS PROCESSES - Methods, apparatus, and computer program products are disclosed for facilitating access to one or more services in a network environment. At a host, a request is received from a client machine in communication with the host over a network. An asynchronous service description file indicates one or more asynchronous communication techniques configured to be performed to access or communicate with a service over the network. The asynchronous service description file is a conversion of a synchronous service description file indicating one or more synchronous communication techniques for accessing or communicating with a synchronous service. The asynchronous service description file is provided to the client machine. | 02-06-2014 |
20140040975 | Virtualized Policy & Charging System - A network system for providing one or more services to one or more end-user devices communicatively coupled to the network system over a wireless access network, the network system comprising: a policy enforcement function, a first policy element, a second policy element, and a network element, wherein the network element is communicatively coupled to the policy enforcement function, the first policy element, and the second policy element, and wherein the network element is configured to communicate first policy information between the policy enforcement function and the first policy element, and communicate second policy information between the first policy enforcement function and the second policy element. | 02-06-2014 |
20140040976 | SECURITY-MINDED CLONING METHOD, SYSTEM AND PROGRAM - In order to solve this problem, the first aspect of the present invention is a system for duplicating (cloning) a physical environment in a virtual environment using CMDB, the system comprising: means for setting a level of confidentiality for attributes of configuration items (CI) of CMDB managing the source hardware information and software information, and means for sending CMDB information including CI having the level of confidentiality set to a virtual environment constructing means connected via a network; the virtual environment constructing means having a means for constructing the source environment in a virtual environment based on sent CMDB information; and the sending means having a means for changing the level of confidentiality of CI attributes having the level of confidentiality set in accordance with a default confidentiality policy. | 02-06-2014 |
20140040977 | Policy-Based Application Management - Improved techniques for managing enterprise applications on mobile devices are described herein. Each enterprise mobile application running on the mobile device has an associated policy through which it interacts with its environment. The policy selectively blocks or allows activities involving the enterprise application in accordance with rules established by the enterprise. Together, the enterprise applications running on the mobile device form a set of managed applications. Managed applications are typically allowed to exchange data with other managed applications, but are blocked from exchanging data with other applications, such as the user's own personal applications. Policies may be defined to manage data sharing, mobile resource management, application specific information, networking and data access solutions, device cloud and transfer, dual mode application software, enterprise app store access, and virtualized application and resources, among other things. | 02-06-2014 |
20140040978 | Policy-Based Application Management - Improved techniques for managing enterprise applications on mobile devices are described herein. Each enterprise mobile application running on the mobile device has an associated policy through which it interacts with its environment. The policy selectively blocks or allows activities involving the enterprise application in accordance with rules established by the enterprise. Together, the enterprise applications running on the mobile device form a set of managed applications. Managed applications are typically allowed to exchange data with other managed applications, but are blocked from exchanging data with other applications, such as the user's own personal applications. Policies may be defined to manage data sharing, mobile resource management, application specific information, networking and data access solutions, device cloud and transfer, dual mode application software, enterprise app store access, and virtualized application and resources, among other things. | 02-06-2014 |
20140040979 | Policy-Based Application Management - Improved techniques for managing enterprise applications on mobile devices are described herein. Each enterprise mobile application running on the mobile device has an associated policy through which it interacts with its environment. The policy selectively blocks or allows activities involving the enterprise application in accordance with rules established by the enterprise. Together, the enterprise applications running on the mobile device form a set of managed applications. Managed applications are typically allowed to exchange data with other managed applications, but are blocked from exchanging data with other applications, such as the user's own personal applications. Policies may be defined to manage data sharing, mobile resource management, application specific information, networking and data access solutions, device cloud and transfer, dual mode application software, enterprise app store access, and virtualized application and resources, among other things. | 02-06-2014 |
20140040980 | SYNDICATION INCLUDING MELODY RECOGNITION AND OPT OUT - A syndication system facilitates rights management services between media content owners and media hosting services that elect to participate in the syndication system and mutually elect to participate with each other. The syndication system utilizes a content recognition system to identify hosted media content and ownership rights associated with the hosted content. By applying melody recognition, the content recognition system can identify compositions embodied in hosted media content even when these compositions do not precisely match any known sound recording. Thus, the content recognition system is beneficially able to detect, for example, recorded cover performances and recorded live performances embodied in hosted media content. Once identified, ownership information is determined and the syndication system can facilitate rights management policies associated with the content such as monetizing or blocking the protected content. | 02-06-2014 |
20140040981 | SYSTEMS AND METHODS FOR APPLYING A SECURITY POLICY TO A DEVICE BASED ON LOCATION - A security policy may be applied to a mobile communications device based on a location of the mobile communications device. For example, a first location of the mobile communications device may be obtained and a first security policy may be applied to the mobile communications device based on the first location. Furthermore, a change in the location of the mobile communications device may be detected. For example, the location of the mobile communications device may change from the first location to a second location. In response to the mobile communications device now being located at the second location, a second security policy may be applied to the mobile communications device. Thus, different security policies may be applied to a mobile communications device as the current location of the mobile communications device changes. | 02-06-2014 |
20140047498 | SYSTEM AND METHOD FOR SHARED FOLDER CREATION IN A NETWORK ENVIRONMENT - A method includes receiving a request over a network from a user to mount a shared folder, which is configured to store electronic data to be selectively accessed based on a policy. The method also includes evaluating whether the user is authenticated. The method also includes generating a random mount point for mounting the shared folder, and redirecting the user to the random mount point if the user is authenticated. | 02-13-2014 |
20140047499 | TECHNIQUES FOR CREDENTIAL AUDITING - Techniques for credential auditing are provided. Histories for credentials are evaluated against a principal credential policy for a user and an enterprise credential policy for an enterprise as a whole. An audit trail is produced within a report for the histories. The report indicates whether compliance with the principal and enterprise credential policies occurred and, if not, at least one reason is provided as to why compliance was not met within the histories. | 02-13-2014 |
20140047500 | METHOD AND SYSTEM FOR PROPAGATING NETWORK POLICY - A technique for acquiring and disseminating network node characteristics to enable policy decisions including receiving a resolution request from one or more clients in a network environment is disclosed. Information, for example, network address, is then acquired from one or more sources regarding a specific location in a network, for example, a network node. A list of the network addresses is then generated and ranked based on one or more parameters that merit making traffic handling decisions. The network addresses are then associated with a host name on at least one directory server and then propagated to the one or more clients. | 02-13-2014 |
20140047501 | SYSTEM AND METHOD FOR PERFORMING PARTIAL EVALUATION IN ORDER TO CONSTRUCT A SIMPLIFIED POLICY - Methods and devices for constructing a simplified attribute-based access control policy, which more faithfully reproduces not only Permit and Deny decisions but also data relating to errors and quasi-errors resulting from the evaluation. To this end, the simplified policy includes new data fields for storing intermediate results. Further, improved simplification rules allow partial evaluation to be used in a broader range of situations. | 02-13-2014 |
20140047502 | Detecting and applying different security policies to active client requests running within secure user web sessions - A method, apparatus and computer program product to detect and apply security policy to active client requests within a secure user session begins by applying a first heuristic to a plurality of requests for a particular resource to identify a pattern indicative of an active client. In one embodiment, the heuristic evaluates a frequency of requests for the particular resource across one or more secure user sessions. Later, upon receipt of a new request for the particular resource, a determination is then made whether the new request is consistent with the pattern. If so, an action is taken with respect to a secure session policy. | 02-13-2014 |
20140047503 | NETWORK DATA TRANSMISSION ANALYSIS - Network computing systems may implement data loss prevention (DLP) techniques to reduce or prevent unauthorized use or transmission of confidential information or to implement information controls mandated by statute, regulation, or industry standard. Implementations of network data transmission analysis systems and methods are disclosed that can use contextual information in a DLP policy to monitor data transmitted via the network. The contextual information may include information based on a network user's organizational structure or services or network infrastructure. Some implementations may detect bank card information in network data transmissions. Some of the systems and methods may be implemented on a virtual network overlaid on one or more intermediate physical networks that are used as a substrate network. | 02-13-2014 |
20140047504 | IMAGE PROCESSING APPARATUS THAT OPERATES ACCORDING TO SECURITY POLICIES, CONTROL METHOD THEREFOR, AND STORAGE MEDIUM - An image processing apparatus which is capable of restraining operation that does not comply with security policies even in a case where security policies are changed through setting of user modes. The security policies are set in advance in the image processing apparatus. The image processing apparatus has a UI operation unit that enables operation on the image processing apparatus. When settings of the image processing apparatus are changed via the UI operation unit, it is verified whether or not the changed settings match the security policies. Operation of the image processing apparatus is restrained until it is verified that the changed settings match the security policies. | 02-13-2014 |
20140053226 | SELF-ADAPTIVE AND PROACTIVE VIRTUAL MACHINE IMAGES ADJUSTMENT TO ENVIRONMENTAL SECURITY RISKS IN A CLOUD ENVIRONMENT - A computer system includes a security coordinator configured to be communicatively coupled to a plurality of managed machines deployed in a same computing environment and managed by an environment manager. The security coordinator is configured to detect a security condition with respect to a first one of the managed machines, and to automatically initiate modification of a second one of the managed machines in the same computing environment responsive to detection of the security condition. The security coordinator is configured to initiate the modification of the second one of the managed machines prior to occurrence of a security condition therein and prior to action by the environment manager with respect to the second one of the managed machines in response to the detected security condition. | 02-20-2014 |
20140053227 | System and Method for Secure Synchronization of Data Across Multiple Computing Devices - A computer implemented method and apparatus comprises detecting a file content update on a first client computer system, the file to be synchronized on a plurality of different types of client computer systems in a plurality of formats. The method further comprises associating a security policy with the file, wherein the security policy includes restrictions to limit one or more actions that can be performed with the file, and synchronizing the file to a second client computing system while applying the security policy to provide controls for enforcement of the restrictions at the second client computer system. | 02-20-2014 |
20140053228 | SYSTEM AND METHODS FOR AUTOMATICALLY DISSEMINATING CONTENT BASED ON CONTEXUAL INFORMATION - A content-dissemination system distributes, publishes, or makes available a content item to one or more target entities based on contextual information associated with the content item. When a user creates a new content item or the system detects a new content item for a local user, the system determines contextual information for the content item, and uses this contextual and previous historical contextual information to generate a set of structured names for the content item. The system also determines security and privacy policies for disseminating the content item from the determined contextual information and the historical contextual information. The system associates the set of structured names and the security and privacy policies with the content item, and can disseminate the content item to one or more target entities based on these structured names, the security and privacy policies, and the requirements and capabilities of the recipients. | 02-20-2014 |
20140053229 | Systems and Methods for Policy Propagation and Enforcement - Many organizations want to extend the services and capabilities available to their users, but need to ensure that devices that are not within the perimeter and not under the direct control of the organization are managed in accordance with the organization's policies. A computerized method is disclosed for propagating resource access policies to a client device to provide compliance with security policies, comprising automatically receiving from a policy server via push communication at a client device a resource access policy comprising a trigger event and an action; when the trigger event is satisfied, executing the action; and sending an indication to the policy server that the resource access policy has been executed. | 02-20-2014 |
20140053230 | MULTI-SECURITY-CPU SYSTEM - A computing system includes a first security central processing unit (SCPU) of a system-on-a-chip (SOC), the first SCPU configured to execute functions of a first security level. The computing system also includes a second SCPU of the SOC coupled with the first SCPU and coupled with a host processor, the second SCPU configured to execute functions of a second security level less secure than the first security level, and the second SCPU executing functions not executed by the first SCPU. | 02-20-2014 |
20140053231 | STREAMLINED SECURITY-LEVEL DETERMINATION OF AN ELECTRONIC DOCUMENT AND SELECTIVE RELEASE INTO AN INFORMATION SYSTEM - Described herein are systems and methods for managing electronic documents. In particular, embodiments of the present invention are focussed on managing ingestion of documents into an information system, such as ingestion of documents generated by a device having scanning functionality. Embodiments include devices, software (defined by computer executable code), carrier media, and methodologies. In overview, a document is received from an ingestion source, such as a Multi Function Device (MFD) having a scanner. For example, the document is scanned into an electronic form from a paper form. This electronic form is subjected to additional processing thereby to implement a predefined security protocol prior to the document (or a modified version thereof) being released into an information system. | 02-20-2014 |
20140053232 | AUTOMATED REDACTION OF DOCUMENTS BASED ON SECURITY-LEVEL DETERMINATION - Described herein are systems and methods for managing electronic documents. In particular, embodiments of the present invention are focussed on managing ingestion of documents into an information system, such as ingestion of documents generated by a device having scanning functionality. Embodiments include devices, software (defined by computer executable code), carrier media, and methodologies. In overview, a document is received from an ingestion source, such as a Multi Function Device (MFD) having a scanner. For example, the document is scanned into an electronic form from a paper form. This electronic form is subjected to additional processing thereby to implement a predefined security protocol prior to the document (or a modified version thereof) being released into an information system. | 02-20-2014 |
20140053233 | ONLINE MEDIA POLICY PLATFORM - An online media policy platform comprises: a policy engine, and a sampler adapted to sample content of digital media, the sampler being further adapted to request policies from the policy engine that are applicable to the requested content. The platform further comprises a discriminator adapted to determine a condition that the content is to be consumed under. The platform further comprises a decision tree, which uses inputs from the discriminator to determine which policy to apply to the content. The platform retrieves enforcement instructions from the policy engine and enforces the policy at a device or network enforcement point so that access to the content is controlled. | 02-20-2014 |
20140053234 | Policy-Based Application Management - Improved techniques for managing enterprise applications on mobile devices are described herein. Each enterprise mobile application running on the mobile device has an associated policy through which it interacts with its environment. The policy selectively blocks or allows activities involving the enterprise application in accordance with rules established by the enterprise. Together, the enterprise applications running on the mobile device form a set of managed applications. Managed applications are typically allowed to exchange data with other managed applications, but are blocked from exchanging data with other applications, such as the user's own personal applications. Policies may be defined to manage data sharing, mobile resource management, application specific information, networking and data access solutions, device cloud and transfer, dual mode application software, enterprise app store access, and virtualized application and resources, among other things. | 02-20-2014 |
20140053235 | METHOD, SYSTEM, AND COMPUTER PROGRAM PRODUCT FOR FACILITATING COMMUNICATION IN AN INTEROPERABILITY NETWORK - Methods and apparatus are described for facilitating communication among a plurality of entities via an interoperability network. Each entity has policy data corresponding thereto governing interaction with the entity via the interoperability network. A message is transmitted from a first one of the entities to a second one of the entities. The first entity has first policy data corresponding thereto and the second entity has second policy data corresponding thereto. The transmitted message was handled in the network according to combined policy data representing a combination of the first and second policy data. | 02-20-2014 |
20140053236 | THRESHOLD REPORTING PLATFORM APPARATUSES, METHODS AND SYSTEMS - The THRESHOLD REPORTING PLATFORM APPARATUSES, METHODS AND SYSTEMS (“TRP”) transform content seed selections and recommendations via TRP components such as discovery and social influence into events and discovery of other contents for users and revenue for right-holders. In one implementation, the TRP detects user initiation of a universally resolvable media content (“URMC”) event in a client and obtains the URMC event identifying information. In a further implementation, the TRP may record the URMC event identifying information in association with the event in an event log in the client. The TRP may obtain a reporting frequency preference setting, wherein the preference setting includes at least one URMC user activity upload rule, and may determine activation of a URMC upload threshold trigger by evaluating the at least one URMC user activity upload rule. The TRP may initiate reporting of the logged URMC event identifying information based on the trigger activation and update the client upon successful acknowledgement of said reporting by a server. | 02-20-2014 |
20140053237 | RULE-BASED ROUTING TO RESOURCES THROUGH A NETWORK - Techniques for determining which resource access requests are handled locally at a remote computer, and which resource access requests are routed or “redirected” through a virtual private network. One or more routing or “redirection” rules are downloaded from a redirection rule server to a remote computer. When the node of the virtual private network running on the remote computer receives a resource access request, it compares the identified resource with the rules. Based upon how the identified resource matches one or more rules, the node will determine whether the resource access request is redirected through the virtual private network or handled locally (e.g., retrieved locally from another network). A single set of redirection rules can be distributed to and employed by a variety of different virtual private network communication techniques. | 02-20-2014 |
20140053238 | Attempted Security Breach Remediation - Methods, systems, apparatuses, and computer program products are provided for remediating suspected attempted security breaches. For example, a method is provided that includes receiving information regarding at least one authentication attempt and determining, based at least in part on the information regarding the at least one authentication attempt, whether the at least one authentication attempt comprises a suspected attempted security breach. The method further includes causing, in an instance in which it is determined that the at least one authentication attempt comprises a suspected attempted security breach, at least one recording to be captured via at least one recording device communicatively coupled to the at least one processor and causing at least a portion of the at least one recording to be compared against at least one database. | 02-20-2014 |
20140053239 | DYNAMIC ACCESS CONTROL POLICY WITH PORT RESTRICTIONS FOR A NETWORK SECURITY APPLIANCE - A network security appliance supports definition of a security policy to control access to a network. The security policy is defined by match criteria including a layer seven network application, a static port list of layer four ports for a transport-layer protocol, and actions to be applied to packet flows that match the match criteria. A rules engine dynamically identifies a type of layer seven network application associated with the received packet flow based on inspection of application-layer data within payloads of packets of the packet flow without basing the identification solely on a layer four port specified by headers within the packets. The rules engine is configured to apply the security policy to determine whether the packet flow matches the static port lists specified by the match criteria. The network security appliance applies the actions specified by the security policy to the packet flow. | 02-20-2014 |
20140059640 | Adapting Network Policies Based on Device Service Processor Configuration - Disclosed herein are various embodiments to prevent, detect, or take action in response to the moving of a device credential from one device to another, the improper configuration of a service processor, a missing service processor, or the tampering with a service processor in device-assisted services (DAS) systems. | 02-27-2014 |
20140059641 | AUTOMATED FEEDBACK FOR PROPOSED SECURITY RULES - A computer receives entry of a proposed security rule during a security rule entry or editing session and determines that the proposed security rule requires review of a type of security data. The number of matches of the proposed security rule to the logged security data is determined and a user is notified as to the number of matches. The computer searches the security data and applies the proposed security rule to the security data to determine the predicted performance of the proposed security rule. The computer generates a report that may include warnings, recommendations, and information correlated to the security data. The report is presented to a user during the rule editing session, and based on the report a modification to the proposed security rule can be made. | 02-27-2014 |
20140059642 | METHOD AND SYSTEM FOR FACILITATING ISOLATED WORKSPACE FOR APPLICATIONS - A system maintains a workspace environment of enterprise applications on a mobile device. The system receives enterprise applications for installation on the mobile device, wherein functionality has been inserted into binary executables of the enterprise applications to force the enterprise applications to communicate with an application management agent to obtain a security policy including a validity time period value related to keeping the workspace valid. The application management agent provides cryptographic keys to the enterprise applications to share encrypted messages. Upon launching, an enterprise application stores a workspace expiration time value as an encrypted message. The workspace expiration time value is extended if the user continues its use or, by another enterprise application, if the other enterprise application is launched by the user before an expiration of the expiration time value. The application management agent requests authentication credentials from the user if the workspace expiration time value expires. | 02-27-2014 |
20140068696 | PARTIAL AND RISK-BASED DATA FLOW CONTROL IN CLOUD ENVIRONMENTS - Implementations of the present disclosure include methods, systems, and computer-readable storage mediums for risk-based data flow control in a cloud environment. Implementations include actions of intercepting first data transmitted from a first application to a second application before receipt of the first data at the second application, the first application and the second application being hosted within the cloud environment, processing the first data to provide a first risk factor, the first risk factor reflecting a degree of risk if the first data is received by the second application, generating first sanitized data based on the first data, the first risk factor and a first access control policy associated with the first data, and transmitting the first sanitized data to the second application. | 03-06-2014 |
20140068697 | STATIC ENFORCEMENT OF PROCESS-LEVEL SECURITY AND COMPLIANCE SPECIFICATIONS FOR CLOUD-BASED SYSTEMS - Implementations of the present disclosure are directed to statically checking conformance of a computer-implemented service at a source code level to requirements specified at a process level and include actions of receiving source code of the computer-implemented service, receiving one or more rules, the one or more rules being generated based on a mapping and including a set of technical requirements that can be checked on the source code level, the mapping associating the requirements with the source code, and processing the source code and the one or more rules using static code analysis (SCA) to generate a result, the result indicating whether the computer-implemented service conforms to the requirements. | 03-06-2014 |
20140068698 | Automatically Recommending Firewall Rules During Enterprise Information Technology Transformation - Techniques for automatically generating one or more rules during IT transformation for configuring one or more firewall interfaces in a post-transformation target environment. A method includes obtaining at least one communication pattern occurring in a pre-transformation source environment, and automatically generating one or more vendor-neutral rules for one or more intended firewall interfaces in a post-transformation target environment based on the at least one communication pattern occurring in the source environment and based on information derived from the target environment. | 03-06-2014 |
20140068699 | NETWORK SYSTEM FOR IMPLEMENTING A CLOUD PLATFORM - A network system for implementing a cloud platform within a network to which a device defining a computing environment for a user has access comprises an application management module, a community management module, and a user enrolment portal. The application management module enables access to an abstract application associated with a concrete application defining an implementation of the abstract application for the computing environment. The community management module manages a community comprised of a user credential and the abstract application, the community defines at least one of: a policy, a management process, and a service, under which the user can access the abstract application. The user enrolment portal supports an enrolment of the user in the community from the device and orchestrates a policy management mechanism to support an enforcement of the policy under which the user has access to the concrete application from the device. | 03-06-2014 |
20140068700 | PRIORITIZED TOKEN BASED ARBITER AND METHOD - An apparatus and method for employing a token based arbiter. The apparatus includes a priority provider ( | 03-06-2014 |
20140068701 | Automatically Recommending Firewall Rules During Enterprise Information Technology Transformation - A system and computer program product for automatically generating one or more rules during IT transformation for configuring one or more firewall interfaces in a post-transformation target environment include obtaining at least one communication pattern occurring in a pre-transformation source environment, and automatically generating one or more vendor-neutral rules for one or more intended firewall interfaces in a post-transformation target environment based on the at least one communication pattern occurring in the source environment and based on information derived from the target environment. | 03-06-2014 |
20140068702 | SINGLE SIGN-ON SYSTEM AND METHOD - A computer-readable storage medium having computer-executable instructions for authenticating in a computing environment where the computer-executable instructions instruct a processor to receive a token from a client by a first process, send the token to a second process, validate the token by the second process by sending the token to a policy server and receiving a validation of the token from the policy server, and selectively grant access to the computing resource based at least in part upon the validation of the token. The validation of the token indicates that the token is associated with a previous successful authentication of the client by the second process. A system also includes the first process and the second process. | 03-06-2014 |
20140068703 | SYSTEM AND METHOD PROVIDING POLICY BASED DATA CENTER NETWORK AUTOMATION - Systems, methods, architectures and/or apparatus for implementing policy-based management of network resources within a data center (DC) by detecting compute events via the hypervisor and responsively generating a registration event in which a policy-based determination is made regarding event authorization and DC resource allocation. | 03-06-2014 |
20140068704 | MITIGATING UNAUTHORIZED ACCESS TO DATA TRAFFIC - One particular example implementation of an apparatus for mitigating unauthorized access to data traffic comprises: an operating system stack to allocate unprotected kernel transfer buffers; a hypervisor to allocate protected memory data buffers, where data is to be stored in the protected memory data buffers before being copied to the unprotected kernel transfer buffers; and an encoder module to encrypt the data stored in the protected memory data buffers, where the unprotected kernel transfer buffers receive a copy of the encrypted data. | 03-06-2014 |
20140068705 | METHOD FOR CLOUD-BASED ACCESS CONTROL POLICY MANAGEMENT - A Web-based management server includes an ACP manager to manage access control rules (ACRs) and access control policies (ACPs). The ACRs and ACPs are configured by an administrator via a Web interface of the management server. The ACP manager is to transmit over the Internet the ACPs and the ACRs to network access devices (NADs) to allow the NADs to apply the ACPs to their respective network client devices (NCDs) based on the ACRs, where the NADs are managed by the management server over the Internet. Each of the NADs operates as one of a router, a network switch, and an access point. The ACP manager is to periodically update the ACRs and ACPs stored in the NADs, including receiving an update from one NAD and broadcasting the update to a remainder of the NADs, | 03-06-2014 |
20140068706 | Protecting Assets on a Device - Embodiments of the present invention are directed to systems and methods for protecting data assets on a device. In embodiments of the invention, a data protection module dynamically and statically searches for one or more data assets and identifies the data assets based on one or more security and privacy attributes. The data assets are classified based on a policy and protected using one or more protection mechanisms. Additionally, data assets are ranked and a security and privacy map is generated and maintained. The security and privacy map may include association of the data assets with their location, ranking, protection mechanism, etc. In some embodiments, a user interface is provided on the device for viewing and generating the policy and/or the security and privacy map. | 03-06-2014 |
20140068707 | Internetwork Authentication - A technique for network authentication interoperability involves initiating an authentication procedure on a first network, authenticating on a second network, and allowing access at the first network. The technique can include filtering access to a network, thereby restricting access to users with acceptable credentials. Offering a service that incorporates these techniques can enable incorporation of the techniques into an existing system with minimal impact to network configuration. | 03-06-2014 |
20140068708 | SYSTEM AND METHOD OF MONITORING AND CONTROLLING APPLICATION FILES - A system and method for updating a system that controls files executed on a workstation. The workstation includes a workstation management module configured to detect the launch of an application. A workstation application server receives data associated with the application from the workstation. This data can include a hash value. The application server module can determine one or more categories to associate with the application by referencing an application inventory database or requesting the category from an application database factory. The application database factory can receive applications from multiple application server modules. The application database factory determines whether the application was previously categorized by the application database factory and provides the category to the application server module. Once the application server module has the category, it forwards a hash/policy table to the workstation management module. Upon receipt of the hash/policy table, the workstation management module applies the policy that is associated with the launched application to control access to the application on the workstation. | 03-06-2014 |
20140068709 | METHOD AND APPARATUS FOR NEGOTIATING SECURITY DURING HANDOVER BETWEEN DIFFERENT RADIO ACCESS TECHNOLOGIES - Solutions for security negotiation during handover of a user equipment (UE) between different radio access technologies are provided. In the solution, the UE receives NAS security information and AS security information which are selected by the target system and then performs security negotiation with the target system according to the received NAS security information and AS security information. As such, the UE may obtain the key parameter information of the NAS and AS selected by an LTE system and perform security negotiation with the LTE system when the UE hands over from a different system, such as a UTRAN, to the LTE system. | 03-06-2014 |
20140075492 | Identity context-based access control - Identity context-based access control is implemented by generating an identity context expression from user identity data. In particular, users are clustered based on combinations of one or more attributes. These clusters comprise one or more identity context(s). Preferably, an intersection of attribute sets of each user in the cluster is formed. In addition, an intersection of attribute sets of each user not in the cluster also is formed. If the attribute set that is common across the cluster of users is not a subset of the attribute set that is common across the rest of the users, then the attribute set forms a unique identity context expression. To reduce the number of roles used in role-based access control (RBAC), at least one role is replaced with an identity context expression. Run-time access control is then enabled. | 03-13-2014 |
20140075493 | SYSTEM AND METHOD FOR LOCATION-BASED PROTECTION OF MOBILE DATA - System and method to provide location-based levels of data protection, the method including: receiving, by a receiver, login credentials of a user of a mobile device; authenticating, by use of a policy server, a credentials-based level of data access as configured by a policy; retrieving, by a geo-location module, a location of the mobile device; determining, by use of the policy server, a location-based level of data access as configured by the policy; and granting sensitive data access based upon a more restrictive limitation of the credentials-based level of data access and the location-based level of data access. | 03-13-2014 |
20140075494 | MANAGING SECURITY CLUSTERS IN CLOUD COMPUTING ENVIRONMENTS USING AUTONOMOUS SECURITY RISK NEGOTIATION AGENTS - A method includes receiving at a similarity arbitrator information about a security policy of a candidate virtual machine that is proposed to be included in a cluster of virtual machines, comparing the security policy of the candidate virtual machine to the security policies of a plurality of virtual machines in the cluster, and in response to the comparison, recommending that a virtualization environment manager exclude the candidate virtual machine from the cluster or include the candidate virtual machine in the cluster. Related systems and computer program products are also disclosed. | 03-13-2014 |
20140075495 | METHOD AND SYSTEM FOR FACILITATING SECURE FILE CREATION USING SELINUX POLICIES - An operating system identifies a request of a process to create, in a file system of the computing device, a new object. The operating system creates an object label for the new object, identifies one or more security policy rules applicable to the process, and verifies whether the process is authorized to create the new object with the object label in the file system of the computing device using the applicable security policy rules. When the process is authorized to create the new object with the object label, the operating system creates the new object with the object label in the file system of the computing device. When the process is not authorized to create the new object with the object label, an error message is generated. | 03-13-2014 |
20140075496 | MOBILE PLATFORM WITH SENSOR DATA SECURITY - Generally, this disclosure describes devices, methods and systems for securely providing context sensor data to mobile platform applications. The method may include configuring sensors to provide context data, the context data associated with a mobile device; providing an application programming interface (API) to a sensor driver, the sensor driver configured to control the sensors; providing a trusted execution environment (TEE) operating on the mobile device, the TEE configured to host the sensor driver and restrict control and data access to the sensor driver and to the sensors; generating a request for the context data through the API, the request generated by an application associated with the mobile device; receiving, by the application, the requested context data and a validity indicator through the API; verifying, by the application, the requested context data based on the validity indicator; and adjusting a policy associated with the application based on the verified context data. | 03-13-2014 |
20140075497 | Early Policy Evaluation of Multiphase Attributes in High-Performance Firewalls - A policy is established comprising a condition having a multiphase attribute of a multiphase transaction. Phase specific policies are established for each phase in which the multiphase attribute may become known. The multiphase transaction is evaluated according to the phase specific policies at each phase of the multiphase transaction in which the multiphase attribute may become known until a policy decision of the policy is determined. | 03-13-2014 |
20140075498 | SECURITY MEDIATION FOR DYNAMICALLY PROGRAMMABLE NETWORK - A network security policy may be implemented at network switches as a set of active packet disposition directives. In a dynamically programmable network, the network switches can be dynamically reprogrammed with new packet disposition directives. A security mediation service permits such dynamic reprogramming as long as the new directives are consistent with the then-current network security policy. The security mediation service evaluates candidate packet disposition directives for conflicts with the currently active security policy, before instantiating the candidate packet disposition directives at the network switches. | 03-13-2014 |
20140075499 | SECURITY INFRASTRUCTURE FOR CLOUD SERVICES - A framework for handling a secure interaction between components in a cloud infrastructure system that wish to transfer information between each other during processing of a customer's subscription order is described. The framework orders the security zones of components based on security levels and protects the transfer of information between components in security zones with different security levels. The assignment of a component to a security zone is based upon the sensitivity of the data handled by the components, the sensitivity of functions performed by the component, and the like. | 03-13-2014 |
20140075500 | REPUTATION-BASED AUDITING OF ENTERPRISE APPLICATION AUTHORIZATION MODELS - Reputation metrics are used to gauge risk of individuals to an organization, such as employees of a business. The reputation metrics may be calculated from both internal and external data sources, including social network profiles of the individuals. Calculations of risk are used to make determinations regarding the activities the individuals are authorized to engage in. | 03-13-2014 |
20140075501 | LDAP-BASED MULTI-TENANT IN-CLOUD IDENTITY MANAGEMENT SYSTEM - A multi-tenant identity management (IDM) system enables IDM functions to be performed relative to various different customers' domains within a shared cloud computing environment and without replicating a separate IDM system for each separate domain. The IDM system can provide IDM functionality to service instances located within various different customers' domains while enforcing isolation between those domains. A cloud-wide identity store implemented as a single LDAP directory can contain identity information for multiple customers' domains. This single LDAP directory can store identities for entities for all tenants, in separate partitions or subtrees of the LDAP directory, each such partition or subtree being dedicated to a separate identity domain for a tenant. Components of the cloud computing environment ensure that LDAP entries within a particular subtree are accessible only to service instances that have been deployed to the identity domain that corresponds to that particular subtree. | 03-13-2014 |
20140075502 | RESOURCE MANAGEMENT OF EXECUTION ENVIRONMENTS - Techniques for managing resources on a computing device may include a resource management module that can identify an asset available for use by the computing device. The asset can be classified based on one or more properties of the asset, and the value of the asset is determined based on the classification. The resource management module may determine that the value of the asset has changed, and the asset is ranked based on the value of the asset. The appropriate execution environment for the asset can be determined based on the ranking, and the asset can be dynamically migrated from one execution environment to another execution environment based on the dynamic value of the asset. | 03-13-2014 |
20140075503 | SYSTEM, ARRANGEMENTS AND METHODS RELATING TO ACCESS HANDLING - A core network access packet data node and a core network access edge node are described herein. The core network access packet data node and/or the core network access edge node is/are adapted to hold or receive access priority related information comprising a subscriber related access allocation priority parameter relating to a subscriber requesting a network resource. Further, the core network access packet data node and/or the core network access edge node is/are adapted to have a preliminary access decision unit being provided for deciding if a network resource request is to be handled. Moreover, the core network access packet data node and/or the core network access edge node is/are adapted to have a final decision unit being provided for making a final decision relating to grant/rejection of a request to be handled, i.e. given preliminary access. | 03-13-2014 |
20140075504 | METHOD AND SYSTEM FOR DYNAMIC SECURITY USING AUTHENTICATION SERVERS - Disclosed is a method and system for network access control, including an authentication proxy that authenticates different access-points, retrieves data from security databases and from Network Monitoring Systems, processing said data according to a dynamic security policy and using said processing outcome to determine the access level which will be granted to an access point in the network. | 03-13-2014 |
20140082688 | RULE-BASED DERIVED-GROUP SECURITY DATA MANAGEMENT - Methods for rule-based group security data management and corresponding systems and computer-readable mediums. A method includes receiving a complex rule set corresponding to at least one electronic document, the complex rule set including a combination of granting rules, denying rules, and rule precedence. The method includes generating derived user groups according to the complex rule set. The method includes deriving grant rules for each electronic document according to the complex rule set to produce a derived grant rule set. The method includes storing the derived grant rules as associated with the electronic document. | 03-20-2014 |
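An example of deriving grant sets and derived groups from a mixed rule set, added here and not the patent's own algorithm: for each document, each user's applicable rules are collected, the highest-precedence ones win, and a deny at the winning precedence overrides a grant. Identical resulting user sets are then collapsed into named derived groups so each document is left with a single simple grant rule. The users, group memberships, rule syntax and tie-break are assumptions constructed for this illustration.

```python
# Added example (not from the patent): deriving per-document grant sets
# and derived groups from a rule set that mixes granting rules, denying
# rules and precedence. Users, groups, rule syntax and the tie-break
# (deny wins at equal precedence) are assumptions made for this illustration.
from collections import namedtuple

# principal is "user:NAME" or "group:NAME"; doc is a document id or "*" for all
Rule = namedtuple("Rule", "doc principal effect precedence")


def _matches(rule, user, groups):
    kind, name = rule.principal.split(":", 1)
    return name == user if kind == "user" else name in groups


def derive_access(rules, users, docs):
    """For each document, the set of users whose highest-precedence applicable
    rules are all grants. Returns {doc: frozenset(users)}."""
    result = {}
    for doc in docs:
        applicable = [r for r in rules if r.doc in (doc, "*")]
        allowed = set()
        for user, groups in users.items():
            hits = [r for r in applicable if _matches(r, user, groups)]
            if not hits:
                continue                                  # no rule: no access
            top = max(r.precedence for r in hits)
            winners = [r for r in hits if r.precedence == top]
            if all(r.effect == "grant" for r in winners):    # any deny at the top wins
                allowed.add(user)
        result[doc] = frozenset(allowed)
    return result


def derive_grant_rules(access):
    """Collapse identical user sets into named derived groups and emit one
    simple grant rule (doc -> derived group) per document."""
    groups, grants = {}, {}
    for doc, members in access.items():
        name = next((g for g, m in groups.items() if m == members), None)
        if name is None:
            name = f"dg{len(groups) + 1}"
            groups[name] = members
        grants[doc] = name
    return groups, grants


# Constructed sample data for the example.
USERS = {"alice": {"eng", "oncall"}, "bob": {"eng"},
         "carol": {"finance"}, "dave": {"eng", "contractor"}}
RULES = [
    Rule("*", "group:eng", "grant", 1),
    Rule("*", "group:contractor", "deny", 5),        # contractors never get access
    Rule("budget.xlsx", "group:finance", "grant", 1),
    Rule("budget.xlsx", "group:eng", "deny", 2),     # engineers are denied the budget...
    Rule("budget.xlsx", "user:alice", "grant", 3),   # ...except alice, by a higher-precedence grant
]
DOCS = ["design.md", "budget.xlsx"]

if __name__ == "__main__":
    access = derive_access(RULES, USERS, DOCS)
    print(access)                       # design.md -> {alice, bob}; budget.xlsx -> {alice, carol}
    print(derive_grant_rules(access))   # dg1 = {alice, bob}, dg2 = {alice, carol}
```

Storing the derived sets rather than the complex rules means the check at access time is a single membership test, and the precedence logic only has to be re-run when a rule or a group membership changes.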
20140082689 | CREATION OF SECURITY ROLES THROUGH USER WALKTHROUGH OF BUSINESS PROCESS WORKFLOW - A user interface is displayed to an administrator (or other user) and allows the administrator to walk through a workflow performed by a user in a given role. Data access steps performed in walking through the workflow are recorded and a set of permissions is identified, based upon the recorded workflow. The set of permissions corresponds to the role. | 03-20-2014 |
20140082690 | MOBILE COMPUTING SYSTEM FOR PROVIDING HIGH-SECURITY EXECUTION ENVIRONMENT - A mobile computing system for providing a high-security execution environment is provided. The mobile computing system separates execution environments in the same mobile device on the basis of virtualization technology and manages user-specific execution environments using the same hardware security module, thereby facilitating protection of personal privacy. | 03-20-2014 |
20140082691 | Anomalous Activity Detection - The disclosure addresses the detection of anomalous activity. Some embodiments are directed towards a system for receiving an indication relating to a plurality of controls, identification information associated with a responsible account, and instructions from a responsible account associated with the monitoring of thresholds of controls being monitored. The plurality of user accounts may be organized into groups based upon information relating to the user accounts, and instructions may be applied to the groups to create a dynamic security policy. | 03-20-2014 |
20140082692 | Stateful Reference Monitor - A Stateful Reference Monitor can be loaded into an existing commercial operating system, and then can regulate access to many different types of resources. The reference monitor maintains an updateable storage area whose contents can be used to affect access decisions, and access decisions can be based on arbitrary properties of the request. | 03-20-2014 |
20140090008 | DETECTING, ENFORCING AND CONTROLLING ACCESS PRIVILEGES BASED ON SANDBOX USAGE - Systems and methods may provide for receiving web content and detecting an access control attribute associated with the web content. Additionally, the access control attribute may be monitored for a disablement condition. In one example, the disablement condition may be detected, an access policy may be determined in response to the disablement condition, and the access policy may be implemented. Other embodiments are described and claimed. | 03-27-2014 |
20140090009 | SECURE DATA CONTAINER FOR WEB APPLICATIONS - Systems and methods may provide for identifying web content and detecting an attempt by the web content to access a local data store. Additionally, a determination may be made as to whether to permit the attempt based on a context-based security policy. In one example, the context-based security policy is obtained from one or more of a user profile, a multi-user data source and a cloud service. | 03-27-2014 |
20140090010 | CHANGING LEVELS OF QUALITY OF SERVICE - A first network device is configured to receive information regarding a quality of service application that is part of an application stored on a device. The first network device is configured to further receive a request for a network to apply the level of quality of service to the application stored on the device. The first network device is configured to further send an authorization request to the second network device. The first network device is configured to further receive an authorization result from the second network device. The first network device is configured to send a first message to a third network device and to receive a response from the third network device that the level of quality of service is applied to the information, and to send a message to the provider that the level of quality of service is applied to the information. | 03-27-2014 |
20140090011 | Stealth packet switching - Systems, methods, devices, and network architectures are disclosed for creating and implementing secure wireless, wired, and/or optical networks using specially modified “stealth” packets, cells, frames, and/or other “stealth” information structures. This enables stealth packets, network elements, and networks to have a low probability of detection, interception, and interpretation. The “stealth” packets, switches, networks, and methods provide invisibility or “cloaking” by modifying previously existing standards rules for packet structures, protocols, timing, synchronization, and other elements. | 03-27-2014 |
20140090012 | Enforcing Policy-based Application and Access Control in an Information Management System - A method and apparatus for controlling document access and application usage using centrally managed rules. The rules are stored and manipulated in a central rule database via a rule server. Policy enforcers are installed on client systems and/or on servers and perform document access and application usage control for both direct user document accesses and application usage, and application program document accesses by evaluating the rules sent to the policy enforcer. The rule server decides which rules are required by each policy enforcer. A policy enforcer can also perform obligation and remediation operations as a part of rule evaluation. Policy enforcers on client systems and servers can operate autonomously, evaluating policies that have been received, when communications have been discontinued with the rule server. | 03-27-2014 |
20140090013 | POLICY-BASED CONTENT FILTERING - Methods and systems are provided for processing application-level content of network service protocols. According to one embodiment, one or more content processing configuration schemes are defined within a firewall device. Each of the one or more content processing configuration schemes includes multiple content processing configuration settings for one or more network service protocols. The one or more content processing configuration schemes are stored by the firewall device. One or more of the stored content processing configuration schemes are associated with a firewall policy by the firewall device. | 03-27-2014 |
20140090014 | POLICY-BASED CONTENT FILTERING - Methods and systems for processing application-level content of network service protocols are described. According to one embodiment, a firewall device maintains a policy database including multiple policies. The policies include information regarding an action to take with respect to a network session based on a set of source internet protocol (IP) addresses, a set of destination IP addresses and/or a network service protocol. When the action is to allow the network session, the policy also includes information regarding a configuration scheme defining administrator-configurable content filtering processes to be performed on traffic associated with the network session. Policy-based content filtering is performed by the firewall device by (i) identifying a matching policy for the network session at issue; (ii) identifying multiple content filtering processes to be performed on the traffic based on the configuration scheme associated with the matching policy; and (iii) applying the identified content filtering processes on the traffic. | 03-27-2014 |
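The three-step flow described in the two POLICY-BASED CONTENT FILTERING entries above (match a policy on address sets and protocol, look up the configuration scheme it names, apply that scheme's per-protocol filters), as an added example that is not the firewall vendor's code: the scheme names, filter names and settings, the signature marker and the sample sessions are all constructed for this illustration.

```python
# Added example (not from the patents): a firewall policy table matched on
# source/destination address sets and protocol, where an "allow" policy
# names a content processing configuration scheme whose per-protocol
# filters are then applied to the session's application-level content.
# Scheme names, filter names/settings, the signature marker and the
# sample sessions are assumptions constructed for this illustration.
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Session:
    src_ip: str
    dst_ip: str
    protocol: str          # network service protocol, e.g. "http", "smtp"
    content: dict          # parsed application-level fields (host, body, attachments)


@dataclass
class Policy:
    src: list              # source address set (CIDRs)
    dst: list              # destination address set (CIDRs)
    protocol: str          # network service protocol or "*"
    action: str            # "allow" or "deny"
    scheme: Optional[str] = None   # configuration scheme used when allowing


def _in_any(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in nets)


def match_policy(policies, s):
    """Step (i): first-match lookup over the policy database."""
    for p in policies:
        if _in_any(s.src_ip, p.src) and _in_any(s.dst_ip, p.dst) and p.protocol in ("*", s.protocol):
            return p
    return None


TEST_SIGNATURE = b"MALWARE-TEST-SIGNATURE"   # constructed stand-in for a real signature

# Each filter returns True when the content passes.
FILTERS = {
    "blocked_host": lambda c, cfg: c.get("host") not in cfg["hosts"],
    "max_size": lambda c, cfg: len(c.get("body", b"")) <= cfg["limit"],
    "signature_scan": lambda c, cfg: TEST_SIGNATURE not in c.get("body", b""),
    "blocked_ext": lambda c, cfg: not any(
        n.lower().endswith(tuple(cfg["exts"])) for n in c.get("attachments", [])),
}

# Content processing configuration schemes: scheme -> protocol -> [(filter, settings)]
SCHEMES = {
    "strict": {
        "http": [("blocked_host", {"hosts": {"malware.example"}}),
                 ("max_size", {"limit": 1_000_000}),
                 ("signature_scan", {})],
        "smtp": [("signature_scan", {}), ("blocked_ext", {"exts": {".exe", ".scr"}})],
    },
    "lenient": {"http": [("signature_scan", {})], "smtp": [("signature_scan", {})]},
}


def process(policies, session):
    """Steps (ii) and (iii): look up the filters the matched policy's scheme
    defines for this protocol and apply them. Returns (verdict, failed_filters)."""
    p = match_policy(policies, session)
    if p is None or p.action != "allow":
        return "deny", []
    filters = SCHEMES.get(p.scheme, {}).get(session.protocol, [])
    failed = [name for name, cfg in filters if not FILTERS[name](session.content, cfg)]
    return ("block" if failed else "allow"), failed


POLICIES = [
    Policy(["10.0.0.0/8"], ["0.0.0.0/0"], "http", "allow", "strict"),
    Policy(["10.0.0.0/8"], ["0.0.0.0/0"], "smtp", "allow", "lenient"),
    Policy(["0.0.0.0/0"], ["0.0.0.0/0"], "*", "deny"),        # default deny
]

if __name__ == "__main__":
    s = Session("10.0.0.5", "203.0.113.9", "http", {"host": "malware.example", "body": b"x"})
    print(process(POLICIES, s))    # ('block', ['blocked_host'])
```

Note the split between the two verdicts: "deny" comes from the policy match and never touches content, while "block" is only reachable after an allow, which is why an allow policy with no scheme attached silently passes everything.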
20140096177 | FACILITATING VARIED ACCESS BASED ON AUTHENTICATION SCORING - Systems and methods may provide for determining a composite false match rate for a plurality of authentication factors in a client device environment. Additionally, the composite false match rate can be mapped to a score, wherein an attestation message is generated based on the score. In one example, the score is associated with one or more of a standardized range and a standardized level. | 04-03-2014 |
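A worked version of the scoring pipeline in the abstract above, added as an example and not the patent's own formula: the per-factor false match rates are combined into a composite (product when every factor must match, inclusion-exclusion when any one suffices, both assuming independent factors), the composite is mapped to a bits-of-strength score and a standardized level, and the result is wrapped in an HMAC-protected attestation message carrying a verifier nonce. The level thresholds, the score scale and the device key are assumptions for this illustration.

```python
# Added example (not from the patent): composite false match rate for a
# set of authentication factors, mapped to a score and a standardized
# level, then attested with an HMAC over a nonce-bound message.
# Level thresholds, score scale, independence of factors and the device
# key are assumptions made for this illustration.
import hashlib
import hmac
import json
import math


def composite_fmr(fmrs, mode="all"):
    """Composite false match rate, assuming independent factors.
    mode="all": the attacker must fool every factor (product of rates).
    mode="any": fooling any single factor is enough (1 - prod(1 - fmr))."""
    if mode == "all":
        return math.prod(fmrs)
    if mode == "any":
        return 1 - math.prod(1 - f for f in fmrs)
    raise ValueError(mode)


# Assumed standardized levels: composite FMR at or below threshold -> level.
LEVELS = [(1e-2, 1), (1e-4, 2), (1e-6, 3)]


def score(fmr):
    """Strength in bits (-log2 of the FMR), clamped to 0..100, plus level (0 = none)."""
    bits = -math.log2(fmr) if fmr > 0 else 100.0
    level = max([lvl for thr, lvl in LEVELS if fmr <= thr], default=0)
    return min(100.0, round(bits, 2)), level


def _canonical(body):
    # Canonical serialization so signer and verifier MAC identical bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def attest(device_key, fmrs, mode, nonce):
    """Build the attestation message: score, level and the verifier's nonce,
    authenticated with the device key."""
    s, lvl = score(composite_fmr(fmrs, mode))
    body = {"score": s, "level": lvl, "nonce": nonce}
    mac = hmac.new(device_key, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "mac": mac}


def verify(device_key, attestation, expected_nonce, min_level):
    """Accept only if the MAC is valid, the nonce is ours (no replay) and
    the attested level meets the resource's requirement."""
    mac = hmac.new(device_key, _canonical(attestation["body"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, attestation["mac"]):
        return False
    if attestation["body"]["nonce"] != expected_nonce:
        return False
    return attestation["body"]["level"] >= min_level


if __name__ == "__main__":
    key = b"device-secret"                       # assumed shared device key
    # Constructed factors: a PIN-like factor at 1e-2 and a biometric at 1e-3.
    a = attest(key, [1e-2, 1e-3], "all", "nonce-1")
    print(a["body"])                              # score 16.61, level 2
    print(verify(key, a, "nonce-1", 2), verify(key, a, "nonce-1", 3))   # True False
```

The independence assumption is the part to be skeptical of in practice: two factors harvested from the same compromised channel do not multiply, and the "any" mode shows how quickly a weak optional factor drags the composite back toward its own rate.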
20140096178 | ALLOWING VARIED DEVICE ACCESS BASED ON DIFFERENT LEVELS OF UNLOCKING MECHANISMS - Systems and methods may provide for receiving runtime input from one or more unlock interfaces of a device and selecting a level of access with regard to the device from a plurality of levels of access based on the runtime input. The selected level of access may have an associated security policy, wherein an authentication of the runtime input may be conducted based on the associated security policy. In one example, one or more cryptographic keys are used to place the device in an unlocked state with regard to the selected level of access if the authentication is successful. If the authentication is unsuccessful, on the other hand, the device may be maintained in a locked state with regard to the selected level of access. | 04-03-2014 |
20140096179 | SYSTEM AND METHOD FOR PERFORMING SECURE COMMUNICATIONS - A system establishes secure communications between first and second electronic devices. The first device stores secured content to be accessed by second device based on identification information of the first device. The identification information of the first device may be manually input into the second device, and the second device may perform an initial pairing operation with the first device based on this manually entered information. The identification information stored from initial pairing may allow secure automatic pairing. | 04-03-2014 |
20140096180 | SYSTEM, DEVICES, AND METHODS FOR PROXIMITY-BASED PARENTAL CONTROLS - Systems, devices, and methods for proximity-based parental controls include a dominant computing device and a subordinate computing device configured to pair and establish a shared secret. Later, upon determining that the dominant computing device and the subordinate computing device are in proximity, the dominant computing device authenticates the subordinate computing device using the shared secret and authorizes access to an application on the subordinate computing device. The dominant computing device may configure an access control policy associated with the application. The access control policy may define allowed usage time, allowed usage time of day, allowed content, and/or other parameters. The subordinate computing device may enforce the access control policy. The application on the subordinate computing device may be a user interface shell, a game, a web browser, a particular web site, or other application. Other embodiments are described and claimed. | 04-03-2014 |
20140096181 | EVENT INTEGRATION FRAMEWORKS - Disclosed herein are representative embodiments of methods, apparatus, and systems for processing and managing information from a compliance and configuration control (“CCC”) tool and generating information for a security information and event management (“SIEM”) tool based on the information from the CCC tool. For example, in one exemplary embodiment, information from a CCC tool is transferred to a SIEM tool or logging tool by receiving the information from the CCC tool in a format that is not recognized by the SIEM tool or logging tool, and generating an output message in a message format that is recognized by the SIEM tool or logging tool. In particular embodiments, the message format is a customizable message format that is adaptable to multiple different SIEM tools or logging tools. In further embodiments, the data transferred to the SIEM tool comprises data indicative of compliance policy changes. | 04-03-2014 |
20140096182 | SYSTEMS AND METHODS FOR DISTRIBUTED TRUST COMPUTING AND KEY MANAGEMENT - Devices, systems, and methods for conducting trusted computing tasks on a distributed computer system are described. In some embodiments, a client device initiates a trusted task for execution within a trusted execution environment of a remote service provider. The devices, systems, and methods may permit the client to evaluate the trusted execution capabilities of the service provider via a planning and attestation process, prior to sending data/code associated with the trusted task to the service provider for execution. Execution of the trusted task may be performed while enforcing security and/or compartmentalization context on the data/code. Systems and methods for managing and exchanging encryption keys are also described. Such systems and methods may be used to maintain the security of the data/code before, during, and/or after the execution of the trusted task. | 04-03-2014 |
20140096183 | PROVIDING SERVICES TO VIRTUAL OVERLAY NETWORK TRAFFIC - In one embodiment, a method for applying security policy in an overlay network includes receiving a request, including a packet, for a communication path through an overlay network, determining whether a security policy is to be applied to the packet based on at least one of: contents of the packet, first information, and second information, selecting a communication path between a source physical switch and a destination physical switch, wherein the selected communication path directly connects the source physical switch to the destination physical switch when it is determined to not apply the security policy to the packet, and the selected communication path connects the source physical switch to the destination physical switch via a security appliance when it is determined to apply the security policy to the packet, and sending the selected communication path to the source physical switch. | 04-03-2014 |
20140096184 | System and Method for Assessing Danger of Software Using Prioritized Rules - Disclosed are a system, method and computer program product for assessing the security danger of software. The system collects information about a suspicious, high-danger software object, including one or more malicious characteristics of the software object, a security rating of the software object, and information about one or more security rating rules used in assessing the security rating of the software object. The system then determines whether the suspicious object is clean (i.e., harmless). When the suspicious object is determined to be clean, the system identifies one or more unique, non-malicious characteristics of the software object and generates a new security rating rule that identifies the software object as clean based on the one or more selected non-malicious characteristics. The system then assigns a high priority ranking to the new security rating rule to ensure that the rule precedes all other rules. | 04-03-2014 |
20140096185 | METHOD AND APPARATUS FOR PROVIDING AUTHORIZED REMOTE ACCESS TO APPLICATION SESSIONS - A method and apparatus for providing authorized remote access to one or more application sessions includes a client node, a collection agent, a policy engine, and a session server. The client node requests access to a resource. The collection agent gathers information about the client node. The policy engine receives the gathered information, and makes an access control decision based on the received information. The session server establishes a connection between a client computer operated by the user and the one or more application sessions associated with the user of the client node identified in response to the received information. | 04-03-2014 |
20140096186 | Policy-Based Application Management - Improved techniques for managing enterprise applications on mobile devices are described herein. Each enterprise mobile application running on the mobile device has an associated policy through which it interacts with its environment. The policy selectively blocks or allows activities involving the enterprise application in accordance with rules established by the enterprise. Together, the enterprise applications running on the mobile device form a set of managed applications. Managed applications are typically allowed to exchange data with other managed applications, but are blocked from exchanging data with other applications, such as the user's own personal applications. Policies may be defined to manage data sharing, mobile resource management, application specific information, networking and data access solutions, device cloud and transfer, dual mode application software, enterprise app store access, and virtualized application and resources, among other things. | 04-03-2014 |
20140096187 | Systems and Methods for Updating Scanning Rules - Systems and methods are provided for updating one or more scanning rules. For example, one or more first operation records being uploaded are obtained; scanning information corresponding to the first operation records is extracted; one or more recommended operations corresponding to the scanning information are obtained based on at least information associated with one or more scanning rules; a matching degree between the first operation records and the recommended operations is calculated; and the scanning rules are updated based on information associated with the matching degree. | 04-03-2014 |
20140096188 | SYSTEM AND METHOD FOR POLICY GENERATION - One example provides a collaborative policy refinement service to aggregate policy inputs from organizational layers and to generate security policies that are consistent across the organizational layers. This includes an interactive policy component to facilitate collaborative interaction between the organizational layers and to facilitate determination of the security policies. | 04-03-2014 |
20140101713 | DATA MAPPING USING TRUST SERVICES - Embodiments are directed to mapping encryption policies to user data stored in a database using a policy column uniform resource identifier (URI). In one scenario, a computer system receives the following: a database schema name that identifies the name of a specified schema within a relational database in which user data is stored, a table name that identifies a specified table within the relational database, a column name that identifies a specified column in the specified table and a namespace identifier that identifies a set of relational databases. The computer system also receives an indication that identifies which type of encryption is to be applied when encrypting the column of data specified by the column name. The computer system then generates a policy column URI that includes a hierarchical string comprising the namespace identifier, the database schema name, the table name and the column name. | 04-10-2014 |
20140101714 | PRIVACY AWARE AUTHENTICATED MAP-REDUCE - A computer-implemented process for privacy aware authenticated map-reduce processing receives data for a MapReduce operation to form received data, identifies a control point in a set of control points of the MapReduce operation to form an identified control point and identifies an applicable set of policies for the identified control point to form a selected set of policies. The selected set of policies is applied at the identified control point and responsive to a determination that application of the selected set of policies at the identified control point returned a positive result, the computer-implemented process continues operation to a next stage in the MapReduce operation. | 04-10-2014 |
20140101715 | PRIVACY AWARE AUTHENTICATED MAP-REDUCE - A computer-implemented process for privacy aware authenticated map-reduce processing receives data for a MapReduce operation to form received data, identifies a control point in a set of control points of the MapReduce operation to form an identified control point and identifies an applicable set of policies for the identified control point to form a selected set of policies. The selected set of policies is applied at the identified control point and responsive to a determination that application of the selected set of policies at the identified control point returned a positive result, the computer-implemented process continues operation to a next stage in the MapReduce operation. | 04-10-2014 |
20140101716 | Transaction Security Systems and Methods - Outbound traffic of a host application may be received from a host device having a host processor. The secure resource may be configured to provide a secure transaction based on the outbound network traffic. Using a second processor different than the host processor, it may be determined whether the host application is authorized to provide the outbound network traffic to the secure resource. The outbound network traffic may be allowed to be forwarded to the secure resource if the host application is authorized. The outbound network traffic may be disallowed to be forwarded to the secure resource if the host application is not authorized. | 04-10-2014 |
20140101717 | MOBILE APPLICATION DEPLOYMENT FOR DISTRIBUTED COMPUTING ENVIRONMENTS - Embodiments of the present invention provide a method, system, and computer program product for ensuring the veracity of a mobile application for deployment in a distributed computing environment. In an embodiment of the invention, a method for ensuring the veracity of a mobile application for deployment in a distributed computing environment is provided. The method includes detecting a mobile application being uploaded for deployment to a mobile computing device in the distributed computing environment, creating and then storing a fingerprint for the uploaded mobile application, calculating an offset value according to the fingerprint for the uploaded mobile application, and storing the offset value for the uploaded mobile application. The method further includes, prior to deploying the uploaded mobile application to the mobile computing device, validating the offset value for the uploaded mobile application to determine that the uploaded mobile application is an unaltered version of the uploaded mobile application. | 04-10-2014 |
20140101718 | CROSS-DOMAIN AUTHENTICATION - Providing services within a network of service providers sharing an authentication service and a set of business rules. A central server receives a first request from a first server to provide a first service to a user via a client without forcing the user to present credentials. In response to the received first request, the central server stores data identifying the first service on the client. The central server further receives a second request from a second server to provide a second service to the user via the client after the user presents the credentials to the second service. After receiving the second request and the presented credentials, the central server allows the user access to the second service. In response to allowing the user access to the second service, the central server further allows the user access to the first service as a result of the stored data. | 04-10-2014 |
20140109168 | Automated role and entitlements mining using network observations - A role and entitlements mining system uses network intelligence to facilitate role definition. The system records traffic on a network. The traffic is analyzed to identify the user and application involved. The matched data is then provided to an analytics engine, which analyzes that data to attempt to derive an initial set of one or more roles and the application entitlements for each role. Each role derived by the analytics engine identifies one or more users who are identified as belonging to the role, as well as one or more application entitlements. Preferably, one or more directory services are then interrogated for known group and user relationships to detect whether the roles identified by the analytics engine can be modified or enriched. Evaluation of the known group and user relationships provides a way to identify a more granular set of role definitions. A role-based access control policy is then generated. | 04-17-2014 |
20140109169 | Systems and methods for assessing the compliance of a computer across a network - The disclosed principles describe systems and methods for assessing the security posture of a target device, wherein the assessment is performed by a scanning computer in communication with the target device via a communication network. By employing a system or method in accordance with the disclosed principles, distinct advantages are achieved. Specifically, conducting such a remote scan allows for the scanner computer to perform a remote scan of the remote device without installing client software to the remote device. Thus, the disclosed principles reduce the need for internal IT resources to manage the deployment and updates of client software on the target device. Also, conducting a remote scan according to the disclosed principles allows for the remote scan to be performed even if the scanner computer and remote device run different operating systems. | 04-17-2014 |
20140109170 | UNAUTHORIZED ACCESS AND/OR INSTRUCTION PREVENTION, DETECTION, AND/OR REMEDIATION, AT LEAST IN PART, BY STORAGE PROCESSOR - An embodiment may include a storage processor that may be comprised, at least in part, in a host. The host may include at least one host central processing unit (CPU) to execute at least one host operating system (OS). The storage processor may execute at least one operation in isolation from interference from and control by the at least one host CPU and the at least one host OS. The at least one operation may facilitate, at least in part: (1) prevention, at least in part, of unauthorized access to storage, (2) prevention, at least in part, of execution by the at least one host CPU of at least one unauthorized instruction, (3) detection, at least in part, of the at least one unauthorized instruction, and/or (4) remediation, at least in part, of at least one condition associated, at least in part, with the at least one unauthorized instruction. | 04-17-2014 |
20140109171 | Providing Virtualized Private Network tunnels - Various aspects of the disclosure relate to providing a per-application policy-controlled virtual private network (VPN) tunnel. In some embodiments, tickets may be used to provide access to an enterprise resource without separate authentication of the application and, in some instances, can be used in such a manner as to provide a seamless experience to the user when reestablishing a per-application policy controlled VPN tunnel during the lifetime of the ticket. Additional aspects relate to an access gateway providing updated policy information and tickets to a mobile device. Other aspects relate to selectively wiping the tickets from a secure container of the mobile device. Yet further aspects relate to operating applications in multiple modes, such as a managed mode and an unmanaged mode, and providing authentication-related services based on one or more of the above aspects. | 04-17-2014 |
20140109172 | Providing Virtualized Private Network Tunnels - Various aspects of the disclosure relate to providing a per-application policy-controlled virtual private network (VPN) tunnel. In some embodiments, tickets may be used to provide access to an enterprise resource without separate authentication of the application and, in some instances, can be used in such a manner as to provide a seamless experience to the user when reestablishing a per-application policy controlled VPN tunnel during the lifetime of the ticket. Additional aspects relate to an access gateway providing updated policy information and tickets to a mobile device. Other aspects relate to selectively wiping the tickets from a secure container of the mobile device. Yet further aspects relate to operating applications in multiple modes, such as a managed mode and an unmanaged mode, and providing authentication-related services based on one or more of the above aspects. | 04-17-2014 |
20140109173 | Providing Virtualized Private Network Tunnels - Various aspects of the disclosure relate to providing a per-application policy-controlled virtual private network (VPN) tunnel. In some embodiments, tickets may be used to provide access to an enterprise resource without separate authentication of the application and, in some instances, can be used in such a manner as to provide a seamless experience to the user when reestablishing a per-application policy controlled VPN tunnel during the lifetime of the ticket. Additional aspects relate to an access gateway providing updated policy information and tickets to a mobile device. Other aspects relate to selectively wiping the tickets from a secure container of the mobile device. Yet further aspects relate to operating applications in multiple modes, such as a managed mode and an unmanaged mode, and providing authentication-related services based on one or more of the above aspects. | 04-17-2014 |
20140109174 | Providing Virtualized Private Network Tunnels - Various aspects of the disclosure relate to providing a per-application policy-controlled virtual private network (VPN) tunnel. In some embodiments, tickets may be used to provide access to an enterprise resource without separate authentication of the application and, in some instances, can be used in such a manner as to provide a seamless experience to the user when reestablishing a per-application policy controlled VPN tunnel during the lifetime of the ticket. Additional aspects relate to an access gateway providing updated policy information and tickets to a mobile device. Other aspects relate to selectively wiping the tickets from a secure container of the mobile device. Yet further aspects relate to operating applications in multiple modes, such as a managed mode and an unmanaged mode, and providing authentication-related services based on one or more of the above aspects. | 04-17-2014 |
20140109175 | Providing Virtualized Private Network Tunnels - Various aspects of the disclosure relate to providing a per-application policy-controlled virtual private network (VPN) tunnel. In some embodiments, tickets may be used to provide access to an enterprise resource without separate authentication of the application and, in some instances, can be used in such a manner as to provide a seamless experience to the user when reestablishing a per-application policy controlled VPN tunnel during the lifetime of the ticket. Additional aspects relate to an access gateway providing updated policy information and tickets to a mobile device. Other aspects relate to selectively wiping the tickets from a secure container of the mobile device. Yet further aspects relate to operating applications in multiple modes, such as a managed mode and an unmanaged mode, and providing authentication-related services based on one or more of the above aspects. | 04-17-2014 |
20140109176 | CONFIGURING AND PROVIDING PROFILES THAT MANAGE EXECUTION OF MOBILE APPLICATIONS - Various aspects of the disclosure relate to configuring and providing policies that manage execution of mobile applications. In some embodiments, a user interface may be generated that allows an IT administrator or other operator to set, change and/or add to policy settings. The policy settings can be formatted into a policy file and be made available for download to a mobile device, such as via an application store or to be pushed to the mobile device as part of a data push service. The mobile device, based on the various settings included in the policy file, may perform various actions to enforce the security constraints that are represented by the policy. The various settings that can be included in a policy are numerous and some examples and variations thereof are described in connection with the example embodiments discussed herein. | 04-17-2014 |
20140109177 | CONFIGURING AND PROVIDING PROFILES THAT MANAGE EXECUTION OF MOBILE APPLICATIONS - Various aspects of the disclosure relate to configuring and providing policies that manage execution of mobile applications. In some embodiments, a user interface may be generated that allows an IT administrator or other operator to set, change and/or add to policy settings. The policy settings can be formatted into a policy file and be made available for download to a mobile device, such as via an application store or to be pushed to the mobile device as part of a data push service. The mobile device, based on the various settings included in the policy file, may perform various actions to enforce the security constraints that are represented by the policy. The various settings that can be included in a policy are numerous and some examples and variations thereof are described in connection with the example embodiments discussed herein. | 04-17-2014 |
20140109178 | CONFIGURING AND PROVIDING PROFILES THAT MANAGE EXECUTION OF MOBILE APPLICATIONS - Various aspects of the disclosure relate to configuring and providing policies that manage execution of mobile applications. In some embodiments, a user interface may be generated that allows an IT administrator or other operator to set, change and/or add to policy settings. The policy settings can be formatted into a policy file and be made available for download to a mobile device, such as via an application store or to be pushed to the mobile device as part of a data push service. The mobile device, based on the various settings included in the policy file, may perform various actions to enforce the security constraints that are represented by the policy. The various settings that can be included in a policy are numerous and some examples and variations thereof are described in connection with the example embodiments discussed herein. | 04-17-2014 |
20140109179 | MULTIPLE SERVER ACCESS MANAGEMENT - An access management system receives an access request for a target computer from a client computer. The access request comprises a digital certificate belonging to a user. The access management system verifies the identity of the user by validating the digital certificate. When so verified, the user receives access privileges from a policy database. The access privileges contain one or more access attributes. The access management system evaluates the access request based on the one or more access attributes and grants the user access to the target computer if all of the one or more access attributes are satisfied. | 04-17-2014 |
20140109180 | METHODS AND SYSTEMS FOR PREVENTING ACCESS TO DISPLAY GRAPHICS GENERATED BY A TRUSTED VIRTUAL MACHINE - The methods and systems described herein provide for preventing a non-trusted virtual machine from reading the graphical output of a trusted virtual machine. A graphics manager receives a request from a trusted virtual machine to render graphical data using a graphics processing unit. The graphics manager assigns, to the trusted virtual machine, a secure section of a memory of the graphics processing unit. The graphics manager renders graphics from the trusted virtual machine graphical data to the secure section of the graphics processing unit memory. The graphics manager receives a request from a non-trusted virtual machine to read graphics rendered from the trusted virtual machine graphical data and stored in the secure section of the graphics processing unit memory, and prevents the non-trusted virtual machine from reading the trusted virtual machine rendered graphics stored in the secure section of the graphics processing unit memory. | 04-17-2014 |
20140115652 | Real-Time Module Protection - Technologies for securing an electronic device include trapping an attempt to access a secured system resource of the electronic device, determining a module associated with the attempt, determining a subsection of the module associated with the attempt, the subsection including a memory location associated with the attempt, accessing a security rule to determine whether to allow the attempted access based on the determination of the module and the determination of the subsection, and handling the attempt based on the security rule. The module includes a plurality of distinct subsections. | 04-24-2014 |
20140115653 | METHODS AND SYSTEMS FOR IMPLEMENTING SECURITY POLICIES ON A MOBILE DEVICE - Methods and devices for implementing security policies on a wireless device. The wireless device may include a non-volatile memory comprising a security type hard-coded in the non-volatile memory. Based on the security type, it may be determined whether a received security policy governing behavior of one or more resources designated as personal is applicable to the one or more resources designated as personal. If the security type is determined to indicate that the received security policy is not applicable to the one or more resources designated as personal, the security policy may not be applied to the one or more resources designated as personal. | 04-24-2014 |
20140115654 | METHODS AND SYSTEMS FOR PROTECTING A SECURED NETWORK - Methods and systems for protecting a secured network are presented. For example, one or more packet security gateways may be associated with a security policy management server. At each packet security gateway, a dynamic security policy may be received from the security policy management server, packets associated with a network protected by the packet security gateway may be received, and at least one of multiple packet transformation functions specified by the dynamic security policy may be performed on the packets. Performing the at least one of multiple packet transformation functions specified by the dynamic security policy on the packets may include performing at least one packet transformation function other than forwarding or dropping the packets. | 04-24-2014 |
20140115655 | SYSTEMS AND METHODS FOR THE RAPID DEPLOYMENT OF NETWORK SECURITY DEVICES - A configuration service comprises a deployment package and a production configuration for a network security device. One or more configuration parameters of the production configuration may be defined by an administrator of the network security device (e.g., the customer). The network security device may be preconfigured with a network address and identifier. The network security device may be configured to automatically request and apply the deployment package at deployment time by use of the preconfigured network address and identifier. The network security device may automatically request and apply the production configuration from the configuration service in response to applying the deployment package. | 04-24-2014 |
20140115656 | SECURITY MANAGEMENT UNIT, HOST CONTROLLER INTERFACE INCLUDING SAME, METHOD OPERATING HOST CONTROLLER INTERFACE, AND DEVICES INCLUDING HOST CONTROLLER INTERFACE - A method of operating a host controller interface includes receiving a buffer descriptor including sector information from a main memory, fetching data by using a source address included in the buffer descriptor, selecting one of a plurality of entries included in a security policy table by using the sector information, and determining whether to encrypt the fetched data by using a security policy included in the selected entry. | 04-24-2014 |
20140115657 | Method of Reducing Fraud in System User Account Registration - Provided is a method of reducing the creation of inappropriate or fraudulent accounts within a digital system. The method prompts a user for input of key biographical data and then initiates capture of a live video of the user. Video capture is accomplished via activation of a user's own webcam or other audio-video capture device. System software activates the audio-video capture device and instructs the device to continue recording for a predetermined period of time. The resultant multimedia file is stored in conjunction with the submitted biographical data in a database. System administrators review the multimedia file for appropriateness of content and check the file contents against the provided biographical data. If the file is inappropriate or the data does not match the file contents, the account creation request is denied and the account is deleted prior to activation on the system. | 04-24-2014 |
20140115658 | Multi-User Interactive Multimedia Chat - Provided is a method of establishing a multimedia interactive chat room populated with a pseudo-random sampling of available participants. The pool of available participants is defined as the group composed of members of an online community whose user accounts have been reviewed by system administrators for appropriateness of content and consistency between captured videos and submitted biographical data. Results of sample selection are displayed to the requesting user, who can then decide to begin multimedia interactive chat sessions with one or more users, or may select a “reshuffle” option, which results in the display of a new sample of available members. Requesting users can limit the type of persons displayed by selecting filters such as interest based filters. Users are thus provided with the ability to speak with other community members without all participants having to actively enter a chat room website. | 04-24-2014 |
20140115659 | System and Methods for Secure Utilization of Attestation in Policy-Based Decision Making for Mobile Device Management and Security - Policy-based client-server systems and methods for attestation in managing and securing mobile computing devices. Attestation provides the means to make efficient, secure, and reproducible use of knowledge possessed by trusted expert parties and authorities within the expression and enforcement of policies for controlling use of and access to onboard software and hardware, network capabilities, and remote assets and services. Aspects of secure attestation of applications that use shared and dynamically loaded libraries are presented, as well as potential business models for attestation used in such a policy-based system. | 04-24-2014 |
20140115660 | METHODS AND SYSTEMS FOR FORCING AN APPLICATION TO STORE DATA IN A SECURE STORAGE LOCATION - The present application is directed to methods and systems for redirecting write requests issued by trusted applications to a secure storage. Upon redirecting the write requests, the data included in those requests can be stored in the secure storage area of a client computer. In some embodiments, the methods and systems can include determining whether an application issuing the request is a trusted application that requires data to be stored in a secure storage repository. Upon making this determination, a filter driver can identify a secure storage area on a client computer and can redirect the write request to this secure storage. In other embodiments, the filter driver may deny requests of trusted applications to write to unsecure storage areas. | 04-24-2014 |
20140123206 | SYSTEM AND METHOD FOR WRITING TO REMOVABLE MEDIA - The invention provides a system and method for writing data to a removable media device in accordance with a security policy. According to a method of the invention a request to write data to a first file on the removable media device is detected. Dummy data is written to the first file instead of writing the requested data. The requested data is written instead to a corresponding second file on a fixed media device. The corresponding second file is compared to a security policy. Response to the write request is based on the results of the comparison. | 05-01-2014 |
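The write-redirect flow described in 20140123206, as an added example that is not the patent's own code: a write aimed at removable media lands there only as same-length dummy bytes, the real bytes go to a corresponding staging file on fixed media, and the staged copy is compared against a content policy before the device file is either filled in or withdrawn. The staging layout, the SSN/marker policy, the decision to keep a blocked staging copy for investigation, and the two sample files are assumptions made for this illustration.

```python
"""Added example (not the patent's code): redirect writes aimed at removable
media through a staging copy on fixed media and release them only when a
content policy allows. Paths, policy rules and sample files are assumptions."""
import re
import shutil
import tempfile
from pathlib import Path

# Assumed policy: block payloads that carry US-SSN-like numbers or an
# explicit classification marker.
SSN_RE = re.compile(rb"\b\d{3}-\d{2}-\d{4}\b")
MARKERS = (b"CONFIDENTIAL", b"INTERNAL ONLY")


def policy_allows(data: bytes) -> tuple:
    """Return (allowed, reason) for the staged file contents."""
    if SSN_RE.search(data):
        return False, "contains SSN-like pattern"
    for marker in MARKERS:
        if marker in data:
            return False, f"contains marker {marker.decode()}"
    return True, "no policy match"


class RemovableMediaFilter:
    """Stands in for the filter driver that intercepts writes to removable media."""

    def __init__(self, removable_root: Path, staging_root: Path, policy=policy_allows):
        self.removable_root = removable_root
        self.staging_root = staging_root
        self.policy = policy
        self.audit = []  # (relpath, verdict, reason)

    def write(self, relpath: str, data: bytes) -> str:
        target = self.removable_root / relpath
        staged = self.staging_root / relpath
        target.parent.mkdir(parents=True, exist_ok=True)
        staged.parent.mkdir(parents=True, exist_ok=True)

        # 1. Dummy data of the same length goes to the removable device, so the
        #    application sees a write of the expected size succeed.
        target.write_bytes(b"\x00" * len(data))
        # 2. The requested bytes go to the corresponding file on fixed media.
        staged.write_bytes(data)
        # 3. Compare the staged copy against the policy and respond.
        allowed, reason = self.policy(staged.read_bytes())
        if allowed:
            shutil.copyfile(staged, target)  # release: replace the dummy with real content
            staged.unlink()
            verdict = "allowed"
        else:
            target.unlink()                  # nothing sensitive stays on the device
            verdict = "blocked"              # staged copy is kept for investigation
        self.audit.append((relpath, verdict, reason))
        return verdict


def demo() -> dict:
    """Push two constructed writes through the filter and report what landed where."""
    with tempfile.TemporaryDirectory() as tmp:
        usb = Path(tmp) / "usb"
        staging = Path(tmp) / "staging"
        flt = RemovableMediaFilter(usb, staging)
        out = {
            "notes": flt.write("docs/notes.txt", b"meeting at 10, bring slides"),
            "hr": flt.write("hr.csv", b"name,ssn\nalice,123-45-6789\n"),
        }
        out["notes_on_usb"] = (usb / "docs/notes.txt").read_bytes()
        out["hr_on_usb"] = (usb / "hr.csv").exists()
        out["hr_staged_kept"] = (staging / "hr.csv").exists()
        out["notes_staged_kept"] = (staging / "docs/notes.txt").exists()
        out["audit"] = list(flt.audit)
        return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The dummy write matters for the application's view of the operation: it sees a file of the right size appear, so the policy check runs on complete content rather than on a stream the application might abort. The real filter driver would have to handle appends and partial rewrites of an existing file, which this example does not attempt.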
20140123207 | KEYSTORE ACCESS CONTROL SYSTEM - A keystore access control system is provided that controls access to a keystore. The keystore access control system receives a request to access content of the keystore from a software application component. The keystore access control system applies a stored authorization policy to the request to determine whether access to the content of the keystore is granted. The keystore access control system further grants the software application component access to the content of the keystore when it is determined that access to the content of the keystore is granted. The keystore access control system further denies the software application component access to the content of the keystore when it is determined that access to the content of the keystore is not granted. | 05-01-2014 |
20140123208 | PRIVACY AWARE CAMERA AND DEVICE STATUS INDICATOR SYSTEM - A privacy indicator is provided that shows whether sensor data are being processed in a private or non-private mode. When sensor data are used only for controlling a device locally, it may be in a private mode, which may be shown by setting the privacy indicator to a first color. When sensor data are being sent to a remote site, it may be in a non-private mode, which may be shown by setting the privacy indicator to a second color. The privacy mode may be determined by processing a command in accordance with a privacy policy of determining if the command is on a privacy whitelist, blacklist, greylist or is not present in a privacy command library. A non-private command may be blocked. | 05-01-2014 |
20140123209 | INPUT/OUTPUT GATEKEEPING - Disclosed are various embodiments providing a portable wireless communication device that includes a secure element configured to route a set of input/output (I/O) channels to host processing circuitry of a mobile communication device. The secure element includes an application executable by the secure element, the application being configured to obtain a policy via an I/O channel of the set of I/O channels. The application is further configured to prevent the host processing circuitry from accessing data corresponding to at least a portion of the set of I/O channels according to the policy. | 05-01-2014 |
20140123210 | APPARATUS CONNECTING TO NETWORK, CONTROL METHOD FOR APPARATUS, AND STORAGE MEDIUM - An apparatus verifies whether a setting value is set correctly according to a security policy, and controls a screen to shift to a screen indicating a correction method if there is any incorrect setting. | 05-01-2014 |
20140123211 | System And Method For Securing Virtualized Networks - A method and apparatus that secures a dynamic virtualized network is described. In an exemplary embodiment, a device learns a current network policy of the dynamic virtualized network, where the dynamic virtualized network is a virtualized layer 2 network that is overlaid on a layer 3 physical network. In addition, the current network policy includes multiple network policy elements, where each of the multiple network policy elements identifies an authorized endpoint in the dynamic virtualized network. Furthermore, the layer 3 physical network includes multiple network access devices. The device further determines a network security policy for the dynamic virtualized network from the current network policy. The network security policy includes one or more second network policy elements that are different from the network policy elements of the current network policy. In addition, each of the one or more second network policy elements adds an additional policy on how network traffic is processed in the dynamic virtualized network by a port of one of the multiple network access devices. The device further applies the network security policy to each network access device that is affected by the network security policy. | 05-01-2014 |
20140123212 | System And Method For Securing Virtualized Networks - A method and apparatus that secures a dynamic virtualized network is described. In an exemplary embodiment, a device learns a current network policy of the dynamic virtualized network, where the dynamic virtualized network is a virtualized layer 2 network that is overlaid on a layer 3 physical network. In addition, the current network policy includes multiple network policy elements, where each of the multiple network policy elements identifies an authorized endpoint in the dynamic virtualized network. Furthermore, the layer 3 physical network includes multiple network access devices. The device further determines a network security policy for the dynamic virtualized network from the current network policy. The network security policy includes one or more second network policy elements that are different from the network policy elements of the current network policy. In addition, each of the one or more second network policy elements adds an additional policy on how network traffic is processed in the dynamic virtualized network by a port of one of the multiple network access devices. The device further applies the network security policy to each network access device that is affected by the network security policy. | 05-01-2014 |
20140123213 | ENABLING DYNAMIC AUTHENTICATION WITH DIFFERENT PROTOCOLS ON THE SAME PORT FOR A SWITCH - The invention enables a client device that does not support IEEE 802.1X authentication to access at least some resources provided through a switch that supports 802.1X authentication by using dynamic authentication with different protocols. When the client device attempts to join a network, the switch monitors for an 802.1X authentication message from the client device. In one embodiment, if the client fails to send an 802.1X authentication message, fails to respond to an 802.1X request from the switch, or a predefined failure condition is detected, the client may be deemed incapable of supporting 802.1X authentication. In one embodiment, the client may be initially placed on a quarantine VLAN after a determination that the client fails to perform an 802.1X authentication within a backoff time limit. However, the client may still gain access to resources based on various non-802.1X authentication mechanisms, including name/passwords, digital certificates, or the like. | 05-01-2014 |
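The port behaviour described in 20140123213, as an added example that is not the patent's or any switch vendor's code: a per-port state machine sends EAP-Request/Identity on link-up, waits a backoff period for the 802.1X exchange, moves a silent client to a quarantine VLAN when the deadline passes, and from there accepts a non-802.1X credential. The VLAN numbers, the 30-second backoff, the MAC allow-list and the username/password store are all assumptions; a real switch would consult a RADIUS server for the fallback methods rather than local dictionaries.

```python
"""Added example (not the patent's code): switch-port state machine for
802.1X with a backoff timer, quarantine VLAN and non-802.1X fallback.
VLAN numbers, backoff and the credential stores are assumptions."""
from dataclasses import dataclass, field
from enum import Enum, auto
from typing import Optional


class PortState(Enum):
    DOWN = auto()
    WAIT_8021X = auto()   # EAP-Request/Identity sent, waiting for a supplicant
    QUARANTINE = auto()   # judged 802.1X-incapable; limited VLAN
    AUTHORIZED = auto()


# Constructed fallback credential stores (what a RADIUS server might hold).
MAC_ALLOWLIST = {"00:11:22:33:44:55"}             # e.g. a legacy printer
USER_PASSWORDS = {"guest-kiosk": "s3cret-kiosk"}


def fallback_authenticate(credential: dict) -> bool:
    """Non-802.1X methods: MAC bypass or username/password (a certificate
    check would slot in the same way)."""
    kind = credential.get("type")
    if kind == "mac":
        return credential.get("mac") in MAC_ALLOWLIST
    if kind == "password":
        return USER_PASSWORDS.get(credential.get("user")) == credential.get("password")
    return False


@dataclass
class SwitchPort:
    backoff: float = 30.0
    production_vlan: int = 10
    quarantine_vlan: int = 999
    state: PortState = PortState.DOWN
    vlan: Optional[int] = None
    deadline: Optional[float] = None
    auth_method: Optional[str] = None
    log: list = field(default_factory=list)

    def link_up(self, now: float) -> None:
        self.state, self.vlan, self.auth_method = PortState.WAIT_8021X, None, None
        self.deadline = now + self.backoff
        self.log.append((now, "EAP-Request/Identity sent"))

    def on_eapol(self, now: float, identity: str, credential_ok: bool) -> None:
        """The supplicant answered; only a successful EAP exchange authorizes."""
        if self.state is not PortState.WAIT_8021X:
            return
        if credential_ok:
            self.state, self.vlan, self.auth_method = PortState.AUTHORIZED, self.production_vlan, "802.1X"
            self.log.append((now, f"802.1X success for {identity}"))
        else:
            self.log.append((now, f"802.1X failure for {identity}"))

    def tick(self, now: float) -> None:
        """Timer check: no 802.1X within the backoff moves the port to quarantine."""
        if self.state is PortState.WAIT_8021X and now >= self.deadline:
            self.state, self.vlan = PortState.QUARANTINE, self.quarantine_vlan
            self.log.append((now, "no 802.1X within backoff; quarantine VLAN"))

    def on_fallback(self, now: float, credential: dict) -> None:
        """Non-802.1X credential; only honoured from the quarantine VLAN."""
        if self.state is not PortState.QUARANTINE:
            return
        if fallback_authenticate(credential):
            self.state, self.vlan = PortState.AUTHORIZED, self.production_vlan
            self.auth_method = credential["type"]
            self.log.append((now, f"fallback {credential['type']} success"))
        else:
            self.log.append((now, f"fallback {credential['type']} rejected"))


def run_scenarios() -> dict:
    results = {}
    # 1. A supplicant-capable laptop answers inside the backoff window.
    port = SwitchPort()
    port.link_up(0)
    port.tick(5)
    port.on_eapol(6, "alice", True)
    results["laptop"] = (port.state, port.vlan, port.auth_method)
    # 2. A silent legacy printer: quarantined at the deadline, then MAC bypass.
    port = SwitchPort()
    port.link_up(0)
    port.tick(29)
    before_deadline = port.state
    port.tick(30)
    results["printer_after_backoff"] = (port.state, port.vlan)
    port.on_fallback(31, {"type": "mac", "mac": "00:11:22:33:44:55"})
    results["printer"] = (port.state, port.vlan, port.auth_method, before_deadline)
    # 3. An unknown device with a wrong password stays quarantined.
    port = SwitchPort()
    port.link_up(0)
    port.tick(30)
    port.on_fallback(40, {"type": "password", "user": "guest-kiosk", "password": "wrong"})
    results["unknown"] = (port.state, port.vlan)
    # 4. Fallback credentials are ignored while 802.1X is still expected.
    port = SwitchPort()
    port.link_up(0)
    port.on_fallback(1, {"type": "mac", "mac": "00:11:22:33:44:55"})
    results["too_early"] = (port.state, port.vlan)
    return results
```

Scenario 4 is the check worth keeping in a real implementation: the fallback path must not be reachable until the backoff has expired, otherwise a device with a spoofed allow-listed MAC can skip 802.1X on a port that would have demanded it. MAC bypass in particular authenticates nothing but the address, so the production VLAN it grants should be decided per device class rather than being the same VLAN the 802.1X path uses.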
20140123214 | Establishing and Maintaining an Authenticated Connection Between a Smart Pen and a Computing Device - A system and method establishes a connection between a smart pen and a computing device, and establishes a privilege level that regulates data requests for specific data from the smart pen. The smart pen determines whether a connection should be established between the smart pen and a computing device, based on device information received from the computing device. If a connection is established, a privilege level is established for an application executing on the computing device based on the device information, which determines whether a request from the application for specific data from the smart pen is allowed or denied. | 05-01-2014 |
20140123215 | COMMUNICATION CONTROL APPARATUS, COMMUNICATION CONTROL METHOD, AND PROGRAM - A communication control apparatus controls communication between a first apparatus and a second apparatus connected to the first apparatus via a plurality of relay apparatuses. The communication control apparatus comprises: a communication path generation unit that refers to a control policy, which includes access control from the first apparatus to the second apparatus and supplementary control other than that access control, and to network configuration information about the network configuration among the first apparatus, the second apparatus, and the plurality of relay apparatuses, and generates a communication path from the first apparatus to the second apparatus that matches the control policy and goes through at least one of the plurality of relay apparatuses; and a communication path control unit that instructs the relay apparatus(es) on the communication path to execute the access control and the supplementary control included in the control policy. | 05-01-2014 |
20140123216 | METHOD OF GENERATING SECURITY RULE-SET AND SYSTEM THEREOF - There are provided a method of generation of a security rule-set and a system thereof. The method includes: obtaining a group of log records of communication events resulting from traffic related to the security gateway; generating a preliminary rule-set of permissive rules, said set covering the obtained group of log records; generating, with the help of mapping the generated preliminary rule-set to the obtained group of log records, a rule-set of non-overlapping rules covering the group of log records; and generating an operational rule-set by processing the generated rule-set of non-overlapping rules, said processing including mapping the generated rule-set of non-overlapping rules to the obtained group of log records. | 05-01-2014 |
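The three passes in 20140123216, as an added example that is not the patent's own code: accept records are parsed from gateway logs, a permissive preliminary rule-set is generated (here every record yields a /24 source rule, and a destination/service reached from more than one /24 also gets a /16 rule), the candidates are mapped back to the records and a non-overlapping subset is chosen greedily by coverage, and the survivors are mapped again to order the operational rule-set by hit count behind a closing deny. The log format, the widening heuristic and the sample records are assumptions; the patent does not specify how preliminary rules are generalized.

```python
"""Added example (not the patent's code): derive a gateway rule-set from
accept log records in three passes. Log format, the /24-to-/16 widening
heuristic and the sample records are assumptions."""
import ipaddress
import re
from collections import defaultdict

LOG_RE = re.compile(r"src=(\S+) dst=(\S+) proto=(\w+) dport=(\d+) action=accept")

# Constructed sample log records (the last line is dropped traffic and is ignored)
SAMPLE_LOG = """\
2014-05-01T10:00:01 src=10.1.1.5 dst=10.2.0.10 proto=tcp dport=443 action=accept
2014-05-01T10:00:02 src=10.1.1.7 dst=10.2.0.10 proto=tcp dport=443 action=accept
2014-05-01T10:00:03 src=10.1.2.9 dst=10.2.0.10 proto=tcp dport=443 action=accept
2014-05-01T10:00:04 src=10.1.1.5 dst=10.2.0.11 proto=tcp dport=22 action=accept
2014-05-01T10:00:05 src=10.1.1.5 dst=10.2.0.11 proto=tcp dport=22 action=accept
2014-05-01T10:00:06 src=192.168.5.4 dst=10.2.0.12 proto=udp dport=53 action=accept
2014-05-01T10:00:07 src=203.0.113.9 dst=10.2.0.12 proto=tcp dport=23 action=drop
"""


def parse_log(text):
    """Keep only accepted traffic as (src, dst, proto, dport) tuples."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            src, dst, proto, port = m.groups()
            records.append((ipaddress.ip_address(src), ipaddress.ip_address(dst), proto, int(port)))
    return records


def matches(rule, record):
    net, dst, proto, port = rule
    src, rdst, rproto, rport = record
    return src in net and rdst == dst and rproto == proto and rport == port


def preliminary_rules(records):
    """Pass 1: permissive candidates. Every record yields a /24 source rule; a
    destination/service reached from more than one /24 also gets a /16 rule."""
    rules = set()
    nets_per_service = defaultdict(set)
    for src, dst, proto, port in records:
        net24 = ipaddress.ip_network(f"{src}/24", strict=False)
        rules.add((net24, dst, proto, port))
        nets_per_service[(dst, proto, port)].add(net24)
    for (dst, proto, port), nets in nets_per_service.items():
        if len(nets) > 1:
            for net in nets:
                net16 = ipaddress.ip_network(f"{net.network_address}/16", strict=False)
                rules.add((net16, dst, proto, port))
    return rules


def coverage(rules, records):
    """Map each rule to the set of record indices it matches."""
    return {r: frozenset(i for i, rec in enumerate(records) if matches(r, rec)) for r in rules}


def non_overlapping(rules, records):
    """Pass 2: greedily keep the widest candidates whose coverage is disjoint.
    Candidates nest (a /16 rule covers exactly the /24 rules beneath it), so
    every record ends up owned by one rule; the final check enforces that."""
    cov = coverage(rules, records)
    chosen, owned = [], set()
    for rule in sorted(rules, key=lambda r: (-len(cov[r]), str(r))):
        if cov[rule] and cov[rule].isdisjoint(owned):
            chosen.append(rule)
            owned |= cov[rule]
    if owned != set(range(len(records))):
        raise ValueError("non-overlapping selection left records uncovered")
    return chosen


def operational_ruleset(rules, records):
    """Pass 3: map rules to records again for hit counts, put hot rules first,
    and close with an explicit deny."""
    cov = coverage(rules, records)
    ordered = sorted(rules, key=lambda r: (-len(cov[r]), str(r)))
    out = [(str(net), str(dst), proto, port, "accept", len(cov[(net, dst, proto, port)]))
           for net, dst, proto, port in ordered]
    out.append(("0.0.0.0/0", "any", "any", "any", "deny", 0))
    return out


def build(text=SAMPLE_LOG):
    records = parse_log(text)
    return operational_ruleset(non_overlapping(preliminary_rules(records), records), records)


if __name__ == "__main__":
    for rule in build():
        print(rule)
```

Because pass 2 only selects among non-overlapping candidates, the resulting rule-set has no shadowed rules, and the hit counts from pass 3 are unambiguous (each record is attributed to exactly one rule). The widening heuristic is the part to review before deployment: a /16 rule generated from two chatty /24s permits every host in that /16, which is what "permissive" means here and why the patent treats the preliminary set as an intermediate, not as the operational policy.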
20140123217 | PROVISIONING LAYER THREE ACCESS FOR AGENTLESS DEVICES - A method may include obtaining a layer two identification of an endpoint that is seeking access to a network, the endpoint lacking an agent that would communicate a layer three address of the endpoint to a policy node, applying one or more authentication rules based on the layer two identification of the endpoint, assigning the layer three address to the endpoint, learning, by the policy node, the layer three address of the endpoint, and provisioning layer three access for the endpoint to the network based on the learned layer three address. | 05-01-2014 |
20140123218 | SYSTEM FOR CONTROLLING ACCESS AND DISTRIBUTION OF DIGITAL PROPERTY - Digital data protection is provided by a processor running an operating system programmed to generate one or more interrupts; an access mechanism detects one or more interrupts at or below a BIOS level, a given detected interrupt being associated with an operating system request to access protected portions of the data, and restricts access to the protected portions of the data by the operating system in accordance with at least one rule; a tamper detecting mechanism prevents access to the data in an unprotected form and has means for destroying data stored in the access mechanism when tampering is detected. | 05-01-2014 |
20140123219 | POLICY-BASED SERVICE MANAGEMENT SYSTEM - A policy-based management mechanism is provided, whereby the mechanism provides for at least the controlling of access to network resources, the integration of different frameworks into a common open standard, and modular components for assembling integrated data and voice services. The mechanism accomplishes this by using an access management component that checks for access credentials, a service management component that identifies which resources are available to a requestor of resources, and a resource management component that manages the requested resources. In one exemplary implementation, a fourth component, the policy management component, links the first three components such that a resource request gains access to resources based on policy decisions determined by the fourth component for the first three components. | 05-01-2014 |
20140130117 | SYSTEM, APPARATUS AND METHOD FOR SECURING ELECTRONIC DATA INDEPENDENT OF THEIR LOCATION - The present disclosure relates to a system, apparatus and method for securing electronic files and folders independent of their location. A computer network implemented system for securing data is provided. The system includes a central server ( | 05-08-2014 |
20140130118 | APPLICATION BASED POLICY ENFORCEMENT - One embodiment is directed to a system that comprises a network device, including at least a first port, which is configured to analyze information within one or more messages received during a session initiated by another network device. The system is configured to perform operations including determining a total number of sessions for the first port of the network device and determining whether the total number of sessions for the first port exceeds a threshold value. If the total number of sessions for the first port exceeds the threshold value, an application associated with the first port is classified as a peer-to-peer application. Thereafter, a policy may be enforced based on this classification. | 05-08-2014 |
20140130119 | AUTOMATED MULTI-LEVEL FEDERATION AND ENFORCEMENT OF INFORMATION MANAGEMENT POLICIES IN A DEVICE NETWORK - Methods, apparatus, systems, and non-transitory computer-readable media for managing a plurality of disparate computer application and data control policies on a computing device, especially a computing device connected to a computer network, are described. In one example, at least one policy distribution point is provided that includes at least one information management policy. A plurality of policy enforcement points, including a first policy enforcement point operating at a first policy enforcement level and a second policy enforcement point operating at a second policy enforcement level, are also provided. A first policy element is allocated to the first policy enforcement point, and a second policy element to the second policy enforcement point. A management compartment in computer memory in communication with said computing device, including one or more computer applications, data, and metadata specified and controlled by the information management policy, is also provided. | 05-08-2014 |
20140130120 | POLICY-BASED SELECTION OF REMEDIATION - Methods and systems for remediating a security policy violation on a computer system are provided. According to one embodiment, an agent running on an endpoint system collects information regarding a program-code-based operational state of the endpoint system. The agent transmits the information to a remote computer system via a network coupling the endpoint system and the remote computer system in communication. The remote computer system enforces one or more security policies with respect to the endpoint system based on the received information. | 05-08-2014 |
20140130121 | System and Method for Information Risk Management - The present invention provides a system and method for evaluating risk associated with information access requests. The information access requests are collected and assigned a risk level according to user-defined policies; a total risk is calculated and presented to the user. The user can select a high-risk event for further analysis. The system will break down the event into basic elements, so the user can ascertain the risk. The system allows a user to customize a report, and the customized report can be saved as a template for future use. | 05-08-2014 |
20140130122 | SYSTEMS AND METHODS FOR PROVIDING SECURITY SERVICES DURING POWER MANAGEMENT MODE - Systems and methods for providing security services during a power management mode are disclosed. In some embodiments, a method comprises detecting with a mobile security system a wake event on a mobile device, providing from the mobile security system a wake signal, the providing being in response to the wake event to wake the mobile device from a power management mode, and managing with the mobile security system security services of the mobile device. Managing security services may comprise scanning a hard drive of the mobile device for viruses and/or other malware. Managing security services may also comprise updating security applications or scanning the mobile device for unauthorized data. | 05-08-2014 |
20140137178 | ATTACK PROTECTION FOR TRUSTED PLATFORM MODULES - A trusted platform module stores information in a protected object having an associated policy. A program requesting access to the information is allowed to access the information if the policy is satisfied, and is denied access to the information if the policy is not satisfied. The trusted platform module uses one or more monotonic counters associated with the protected object to track attempts to access the information. If a threshold number of unsuccessful requests to access the information are received, then the trusted platform module locks the information to prevent the program from accessing the information for an indefinite amount of time. | 05-15-2014 |
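The lockout mechanism in 20140137178, as an added example that is not the patent's or any TPM vendor's code: a protected object releases its data only when its policy is satisfied, a per-object monotonic counter records every unsuccessful attempt, and once the counter reaches the threshold the object stays locked indefinitely, which refuses even the correct authorization afterwards. The HMAC-over-nonce policy, the handle name, the threshold of three and the guess list are assumptions; a real TPM expresses the policy as a policy digest and the counter as a non-volatile index.

```python
"""Added example (not the patent's or any TPM's code): a toy TPM whose
protected objects carry a monotonic failure counter and lock after a
threshold of unsuccessful attempts. Policy form and handles are assumptions."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class ProtectedObject:
    data: bytes
    auth_value: bytes      # the policy: prove knowledge of this value
    fail_limit: int
    fail_counter: int = 0  # monotonic: never decremented, not even on success
    locked: bool = False


class LockingTPM:
    def __init__(self):
        self._objects = {}
        self._sessions = {}

    def seal(self, handle, data, auth_value, fail_limit=3):
        self._objects[handle] = ProtectedObject(data, auth_value, fail_limit)

    def start_session(self, handle):
        """Fresh nonce per attempt, so a captured proof cannot be replayed."""
        nonce = secrets.token_bytes(16)
        self._sessions[handle] = nonce
        return nonce

    @staticmethod
    def prove(auth_value, nonce):
        return hmac.new(auth_value, nonce, hashlib.sha256).digest()

    def unseal(self, handle, proof):
        obj = self._objects[handle]
        if obj.locked:
            raise PermissionError("object locked after repeated failures")
        nonce = self._sessions.pop(handle, None)
        if nonce is None:
            raise PermissionError("no active session")
        if hmac.compare_digest(self.prove(obj.auth_value, nonce), proof):
            return obj.data
        obj.fail_counter += 1          # every miss counts for the object's lifetime
        if obj.fail_counter >= obj.fail_limit:
            obj.locked = True          # stays locked indefinitely (no self-reset)
        raise PermissionError("policy not satisfied")

    def status(self, handle):
        obj = self._objects[handle]
        return obj.fail_counter, obj.locked


def dictionary_attack(tpm, handle, guesses):
    """Return (found, attempts); guessing stops as soon as the object locks."""
    attempts = 0
    for guess in guesses:
        if tpm.status(handle)[1]:
            break
        nonce = tpm.start_session(handle)
        attempts += 1
        try:
            tpm.unseal(handle, tpm.prove(guess, nonce))
            return True, attempts
        except PermissionError:
            pass
    return False, attempts


def demo():
    tpm = LockingTPM()
    tpm.seal("disk-key", secrets.token_bytes(32), b"correct horse", fail_limit=3)
    found, attempts = dictionary_attack(
        tpm, "disk-key", [b"password", b"123456", b"letmein", b"correct horse"])
    counter, locked = tpm.status("disk-key")
    # Even the right auth value is refused once the object is locked.
    nonce = tpm.start_session("disk-key")
    try:
        tpm.unseal("disk-key", tpm.prove(b"correct horse", nonce))
        legit_after_lock = True
    except PermissionError:
        legit_after_lock = False
    return {"found": found, "attempts": attempts, "counter": counter,
            "locked": locked, "legit_after_lock": legit_after_lock}


if __name__ == "__main__":
    print(demo())
```

The `legit_after_lock` result is the trade-off a deployment has to accept: the counter defeats online guessing of a weak authorization value, but anyone who can issue requests against the object can lock out its legitimate user, so the threshold and the (out-of-band) recovery path need to be chosen together. Counting failures per object rather than globally keeps one attacked object from locking unrelated ones.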
20140137179 | PROTECTION OF USER DATA IN HOSTED APPLICATION ENVIRONMENTS - A method of converting an original application into a cloud-hosted application includes splitting the original application into a plurality of application components along security relevant boundaries, mapping the application components to hosting infrastructure boundaries, and using a mechanism to enforce a privacy policy of a user. The mapping may include assigning each application component to a distinct virtual machine, which acts as a container for its assigned component. | 05-15-2014 |
20140137180 | Hypervisor-Based Enterprise Endpoint Protection - Described systems and methods allow the detection and prevention of malware and/or malicious activity within a network comprising multiple client computer systems, such as an enterprise network with multiple endpoints. Each endpoint operates a hardware virtualization platform, including a hypervisor exposing a client virtual machine (VM) and a security VM. The security VM is configured to have exclusive use of the network adapter(s) of the respective endpoint, and to detect whether data traffic to/from the client VM comprises malware or is indicative of malicious behavior. Upon detecting malware/malicious behavior, the security VM may block access of the client VM to the network, thus preventing the spread of malware to other endpoints. The client system may further comprise a memory introspection engine configured to perform malware scanning of the client VM from the level of the hypervisor. | 05-15-2014 |
20140137181 | PROTECTION OF USER DATA IN HOSTED APPLICATION ENVIRONMENTS - A method of converting an original application into a cloud-hosted application includes splitting the original application into a plurality of application components along security relevant boundaries, mapping the application components to hosting infrastructure boundaries, and using a mechanism to enforce a privacy policy of a user. The mapping may include assigning each application component to a distinct virtual machine, which acts as a container for its assigned component. | 05-15-2014 |
20140137182 | POLICY ENFORCEMENT IN COMPUTING ENVIRONMENT - An embodiment may include policy engine circuitry that may enforce, at least in part, one or more platform resource management policies in a cloud computing environment. The one or more policies may be based, at least in part, upon service arrangements of the cloud computing environment. The one or more policies may establish respective isolated computing environments in the cloud computing environment that may be used by respective users. The enforcement of the one or more policies may result in the respective isolated computing environments being virtually isolated from each other and prevented from interfering with each other in derogation of the one or more policies. The one or more policies may be established, at least in part, via interaction of at least one management process with one or more application program interfaces of the circuitry. Many modifications are possible. | 05-15-2014 |
20140137183 | SECURITY SYSTEM AND METHOD FOR THE ANDROID OPERATING SYSTEM - A method of linking a security policy stored in a policy database that is specific to an application in the application layer with a new corresponding process launched in the Linux layer in a security system for an operating system running on a device that comprises a Linux-based kernel. The system architecture is defined by a middleware layer between the Linux layer associated with the kernel and the higher application layer comprising the applications. | 05-15-2014 |
20140137184 | SECURITY SYSTEM AND METHOD FOR OPERATING SYSTEMS - A device comprising an operating system to run processes and a middleware layer operable to launch applications. An application launched by the middleware layer is run using one or more processes in the operating system. The operating system has a user layer and a kernel wherein the processes run in the user layer and interact with other processes running in the user layer through the kernel, the interaction being in response to calls to the kernel made by the processes. The device has one or more policy files defining policies for interaction of processes with the kernel of the device, and a monitor configured to monitor interaction of a process with the kernel to link or associate defined policies to the process, and to read code defined in the policy file or files linked or associated to the process. | 05-15-2014 |
20140137185 | METHOD AND SYSTEM FOR IMPLEMENTING MANDATORY FILE ACCESS CONTROL IN NATIVE DISCRETIONARY ACCESS CONTROL ENVIRONMENTS - A method is provided for implementing a mandatory access control model in operating systems which natively use a discretionary access control scheme. A method for implementing mandatory access control in a system comprising a plurality of computers, the system comprising a plurality of information assets, stored as files on the plurality of computers, and a network communicatively connecting the plurality of computers, wherein each of the plurality of computers includes an operating system that uses a discretionary access control policy, and wherein each of a subset of the plurality of computers includes a software agent component operable to perform the steps of intercepting a request for a file operation on a file from a user of one of the plurality of computers including the software agent, determining whether the file is protected, if the file is protected, altering ownership of the file from the user to another owner, and providing access to the file based on a mandatory access control policy. | 05-15-2014 |
20140143825 | Reputation-Based In-Network Filtering of Client Event Information - A policy management system is described herein which generates rules based, at least in part, on reputation information provided by at least one reputation source and client event information forwarded by filtering logic. The policy management system then deploys the rules to the filtering logic. The filtering logic, which resides in-network between clients and at least one service, uses the rules to process client event information sent by the clients to the service(s). In one illustrative environment, the service corresponds to an ad hosting service, which uses the policy management system and filtering logic to help prevent malicious client traffic from reaching the ad host service, or otherwise negatively affecting the ad hosting service. | 05-22-2014 |
20140143826 | POLICY-BASED TECHNIQUES FOR MANAGING ACCESS CONTROL - A policy-based framework is described. This policy-based framework may be used to specify the privileges for logical entities to perform operations associated with an access-control element (such as an electronic Subscriber Identity Module) located within a secure element in an electronic device. Note that different logical entities may have different privileges for different operations associated with the same or different access-control elements. Moreover, the policy-based framework may specify types of credentials that are used by the logical entities during authentication, so that different types of credentials may be used for different operations and/or by different logical entities. Furthermore, the policy-based framework may specify the security protocols and security levels that are used by the logical entities during authentication, so that different security protocols and security levels may be used for different operations and/or by different logical entities. | 05-22-2014 |
20140143827 | Malicious Mobile Code Runtime Monitoring System and Methods - Protection systems and methods provide for protecting one or more personal computers (“PCs”) and/or other intermittently or persistently network accessible devices or processes from undesirable or otherwise malicious operations of Java™ applets, ActiveX™ controls, JavaScript™ scripts, Visual Basic scripts, add-ins, downloaded/uploaded programs or other “Downloadables” or “mobile code” in whole or part. A protection engine embodiment provides for monitoring information received, determining whether received information does or is likely to include executable code, and if so, causes mobile protection code (MPC) to be transferred to and rendered operable within a destination device of the received information. An MPC embodiment further provides, within a Downloadable-destination, for initiating the Downloadable, enabling malicious Downloadable operation attempts to be received by the MPC, and causing (predetermined) corresponding operations to be executed in response to the attempts. | 05-22-2014 |
20140143828 | METHODS AND SYSTEMS FOR ENABLING COMMUNITY-TESTED SECURITY FEATURES FOR LEGACY APPLICATIONS - A computer-implemented method for enabling community-tested security features for legacy applications may include: 1) identifying a plurality of client systems, 2) identifying a legacy application on a client system within the plurality of client systems, 3) identifying a security-feature-enablement rule for the legacy application, 4) enabling at least one security feature for the legacy application by executing the security-feature-enablement rule, 5) determining the impact of the security-feature-enablement rule on the health of the legacy application, and then 6) relaying the impact of the security-feature-enablement rule on the health of the legacy application to a server. Various other methods, systems, and computer-readable media are also disclosed. | 05-22-2014 |
20140143829 | AUTOMATED LOCAL EXCEPTION RULE GENERATION SYSTEM, METHOD AND COMPUTER PROGRAM PRODUCT - A system, method and computer readable medium pertaining to evaluation of events from a computer system to assess security risks to that system. Events are evaluated according to the aspects of each event and the aspects are used to make a preliminary determination regarding violation of a security rule. In addition to a preliminary determination of a rule violation, exceptions to the rule may be identified. | 05-22-2014 |
20140143830 | Inspecting Code and Reducing Code Size Associated to a Target - Code is associated to a target based on an inspection of the code. A target may be a device or a user. A number of code components may be inspected at one time and then transferred or otherwise associated to a target based on the target's profile. A code component may be a policy of an information management system. | 05-22-2014 |
20140150049 | METHOD AND APPARATUS FOR CONTROLLING MANAGEMENT OF MOBILE DEVICE USING SECURITY EVENT - A method controls the management of a mobile device using a security event. The method includes acquiring, by a wireless intrusion prevention server, security threat information by monitoring RF signals generated from an access point (AP) and the mobile device, transmitting the security threat information to a mobile device management server, and executing, by the mobile device management server, a device management policy for the mobile device based on the security threat information. | 05-29-2014 |
20140150050 | METHOD, A SYSTEM, AND A COMPUTER PROGRAM PRODUCT FOR MANAGING ACCESS CHANGE ASSURANCE - A method for evaluating a deployment of a network access change request, the method includes: (a) formatting a network access change request to provide a formatted network access change request; wherein the formatted network access change request includes multiple formatted request items; wherein the multiple formatted request items include a requested access type, an address of an access source, and an address of an access destination; (b) determining multiple relationships between the multiple formatted request items and corresponding items of at least one entity out of a network model and a current network policy; and (c) responding to the network access change request in response to the multiple determined relationships. | 05-29-2014 |
20140150051 | DYNAMIC RESOLUTION OF FULLY QUALIFIED DOMAIN NAME (FQDN) ADDRESS OBJECTS IN POLICY DEFINITIONS - Dynamic resolution of Fully Qualified Domain Name (FQDN) address objects in policy definitions is provided. In some embodiments, dynamic resolution of Fully Qualified Domain Name (FQDN) address objects in policy definitions includes receiving a network policy that includes a domain name (e.g., the network policy can include a network security rule that is based on the domain name); and periodically updating Internet Protocol (IP) address information associated with the domain name by performing a Domain Name Server (DNS) query. In some embodiments, dynamic resolution of Fully Qualified Domain Name (FQDN) address objects in policy definitions includes dynamically performing a first local Domain Name Server (DNS) lookup for a first VSYS using a first DNS server on a first domain name for implementing a network policy based on the first domain name; dynamically performing a second local DNS lookup for a second VSYS using a second DNS server on the first domain name for implementing the network policy based on the first domain name; in which the network policy includes a network security rule that is based on the first domain name, and the network policy includes a network security rule that is based on the second domain name. | 05-29-2014 |
20140150052 | WEB SERVICE PROVISION SYSTEM, SERVER DEVICE, AND METHOD - A web application server includes a user information management unit that manages user IDs and attributes such that each of the user IDs is associated with corresponding one of the attributes, a security policy management unit that manages security policies such that each of security policies is associated with corresponding one of the attributes, a security policy acquisition unit that acquires one of the security policies based on one of the attributes associated with one of the user IDs, and an HTML file generation unit that generates an HTML file in which a script to acquire personal data of corresponding one of users from an intra-company database server is embedded based on one of the security policies of the corresponding one of the users. | 05-29-2014 |
20140150053 | COMBINING NETWORK ENDPOINT POLICY RESULTS - An endpoint integrity system controls access to resources of a protected network for endpoint devices attempting to access the protected network. The system may include a number of evaluation modules that communicate with an endpoint device. The evaluation modules generate policy results for the endpoint device, in which each of the policy results assume one of three or more states, called a multi-state policy result. The multi-state policy results are combined to produce a combined Boolean policy result. | 05-29-2014 |
20140150054 | METHOD AND APPARATUS FOR A MASTER PRIVACY POLICY MECHANISM IN A COMMUNICATIONS NETWORK - A method, non-transitory computer readable medium and apparatus for providing a master privacy policy in a communications network are disclosed. For example, the method receives a privacy control parameter to configure a master privacy policy, stores the master privacy policy in the communications network, and applies the master privacy policy to configure a third party service provider privacy policy for a third party service provider based upon the master privacy policy. | 05-29-2014 |
20140157349 | Verified Sensor Data Processing - Sensor data may be filtered in a secure environment. The filtering may limit distribution of the sensor data. Filtering may modify the sensor data, for example, to prevent identification of a person depicted in a captured image or to prevent acquiring a user's precise location. Filtering may also add or require other data use controls to access the data. Attestation of whether a filter policy is being applied and working properly may be provided as well. | 06-05-2014 |
20140157350 | ROLE-BASED ACCESS CONTROL MODELING AND AUDITING SYSTEM - A role-based access control (RBAC) modeling and auditing system is described that enables a user to access and/or create security roles that can be applied to users of a first software application. When a security role having a particular set of permissions has been accessed or created, the system can present a simulated user interface (UI) that indicates information that can be viewed and/or actions that can be performed by a user to whom the security role has been assigned when interacting with the first software application. The system may further provide “run as” functionality that enables a simulated UI to be generated for a particular user and that can display the security role(s) associated with the particular user. The system may be embodied in a second software application, such as a tool that is associated with the first software application. | 06-05-2014 |
20140157351 | Mobile device security policy based on authorized scopes - A technique to enforce mobile device security policy is based on a “risk profile” of the individual device, where the risk profile is fine-grained and based on the types of applications installed on the device, the services they are accessing, and the operation(s) the user granted the device authorization to perform. Thus, the approach takes into account not only the actual applications installed on the device (and those actively in use), but also the services those applications are accessing, and the scope of operations the user has granted the device authorization to perform. By combining this information to create the risk profile, a suitable security policy, including one that does not unnecessarily degrade device usability, may then be applied. | 06-05-2014 |
20140157352 | APPARATUS AND METHOD FOR ANALYZING AND MONITORING SERVICE ADVERTISING PROTOCOL APPLICATION TRAFFIC, AND INFORMATION PROTECTION SYSTEM USING THE SAME - Provided are a traffic analysis apparatus and method. The traffic analysis apparatus includes an analysis unit and a policy application unit. The analysis unit determines whether a network packet between at least one client and a server is a packet of a pre-registered SAP session, and, when the network packet is not the packet of the pre-registered SAP session, the analysis unit determines whether the network packet is a packet of a new SAP session. The policy application unit determines whether the network packet includes predetermined monitoring information when the network packet is the packet of the pre-registered SAP session or new SAP session and, when the network packet includes the monitoring information, the policy application unit performs a response action conforming to a predetermined security policy. | 06-05-2014 |
20140157353 | MOBILE DEVICE SECURITY MANAGEMENT SYSTEM - A method for managing the security of a client device in a mobile device management system (MDMS) comprises receiving a security policy at a client device, applying the security policy on the client device, determining an occurrence of a security policy event, determining a violation based on the occurrence of the security policy event and applying different security controls based on predefined elapsed times on the client device. | 06-05-2014 |
20140157354 | Securing Access to Resources on a Network - Secure access to resources on a network may be provided. Upon receiving a request for at least one resource, a determination may be made as to whether the at least one resource comprises a secure resource. In response to determining that the at least one resource comprises a secure resource, the at least one resource may be retrieved; and at least one security policy may be applied to the at least one resource. | 06-05-2014 |
20140157355 | SYSTEMS AND METHODS FOR ENHANCING MOBILE DEVICE SECURITY WITH A PROCESSOR TRUSTED ZONE - Methods and systems described herein relate to enhancing security on a mobile device. A method for enhancing mobile device security includes providing a trusted zone of a processor, and configuring various items in the trusted zone. Such items may include a specialized debugging interface; a remote auditing tool; an inter-process communication mechanism; a secure daemon; a package manager; a virtual machine, a configuration function, a device management system, touch screen management software, and a geo-localization function. | 06-05-2014 |
20140157356 | FIREWALL POLICY INSPECTION APPARATUS AND METHOD - A firewall policy inspection apparatus and method is provided. The firewall policy inspection apparatus includes an intrusion prevention rule obtainment unit for obtaining intrusion prevention rules from a target firewall policy. An anomaly rule detection unit detects an anomaly rule in a relationship between the intrusion prevention rules. A screen display unit displays an anomaly rule graph on a screen using results of the detection. | 06-05-2014 |
20140157357 | SYSTEMS, DEVICES, AND METHODS FOR TRAFFIC MANAGEMENT - Systems, devices, and methods for traffic management are provided. An example of a method for traffic management includes receiving a number of policies for data traffic redirection | 06-05-2014 |
20140157358 | Policy Driven Fine Grain URL Encoding Mechanism for SSL VPN Clientless Access - The present disclosure presents methods, systems and intermediaries which determine an encoding scheme of a uniform resource location (URL) from a plurality of encoding schemes for a clientless secure socket layer virtual private network (SSL VPN) via a proxy. An intermediary may receive a response from a server comprising a URL. The response from the server may be directed to a client via a SSL VPN session and via the intermediary. The intermediary may determine, responsive to an encoding policy, one of a transparent, opaque or encrypted encoding scheme for encoding the URL. The intermediary may rewrite the URL for transmission to the client in accordance with the determined encoding scheme. | 06-05-2014 |
20140157359 | ELECTRONIC DEVICES HAVING ADAPTIVE SECURITY PROFILES AND METHODS FOR SELECTING THE SAME - Adaptive security profiles are supported on an electronic device. One or more security profiles may be automatically or selectively applied to the device based on the device's location and one or more geographic zone definitions. The security profiles may be used to determine the level of authentication or number of invalid authentication attempts for a particular feature or application or set of features or applications. | 06-05-2014 |
20140157360 | Security Context Lockdown - A method and system for locking down a local machine zone associated with a network browser is provided. Placing the local machine zone in a lockdown mode provides stricter security settings that are applied to active content attempting to publish within a local page open in the network browser. The stricter settings are provided in a new set of registry keys that correspond to the lockdown mode of the local machine zone. The original security settings remain unchanged so that other system and application functionality that depends on the original security settings remains unaffected for the local machine zone. A user may also selectively allow active content to render despite the local machine zone being locked down. | 06-05-2014 |
20140157361 | SYSTEMS AND METHODS FOR CONFIGURATION DRIVEN REWRITE OF SSL VPN CLIENTLESS SESSIONS - The present disclosure provides solutions for an enterprise providing services to a variety of clients to enable the client to use the resources provided by the enterprise by modifying URLs received and the URLs from the responses from the servers to the client's requests before forwarding the requests and the responses to the intended destinations. An intermediary may identify an access profile for a clients' request to access a server via a clientless SSL VPN session. The intermediary may detect one or more URLs in content served by the server in response to the request using one or more regular expressions of the access profile. The intermediary may rewrite or modify, responsive to detecting, the one or more detected URLs in accordance with a URL transformation specified by one or more rewrite policies of the access profile. The response with modified URLs may be forwarded to the client. | 06-05-2014 |
20140165127 | NATURAL LANGUAGE PROCESSING INTERFACE FOR NETWORK SECURITY ADMINISTRATION - To administer computer network security, a computer system receives a bit string that encodes a natural-language request for adjusting a security policy of the network and parses the bit string to identify one or more objects and an action to be applied to the object(s). Preferably, the system displays a description of one of the objects and a menu of operations that are applicable to the object, receives a user selection of one of the options, and effects the selected operation. The scope of the invention also includes a non-transient computer-readable storage medium bearing code for implementing the method and a system for implementing the method. | 06-12-2014 |
20140165128 | AUTOMATED SECURITY POLICY ENFORCEMENT AND AUDITING - An approach for managing a connection to or from a device is presented. Connections of the device are identified. Based on the connections, the device is determined and classified based on security zones to which the device is or has been connected, a quality of service requirement for one or more applications within the device, or a level of information technology service management for the device. Whether an existing or proposed connection of the device is consistent with the classification of the device is determined, and if not, an indication is displayed or a notification is sent that the existing or proposed connection is inconsistent with the classification of the device. | 06-12-2014 |
20140165129 | UNIFORMLY TRANSFORMING THE CHARACTERISTICS OF A PRODUCTION ENVIRONMENT - Embodiments of the present invention disclose a method, computer program product, and system for generating a secure sandbox environment. A computer identifies components of a production environment that utilizes sensitive information during operation. The components of the production environment can include one or more server computers, one or more storage devices, and one or more applications. The computer receives a security policy that defines what constitutes sensitive information, and in response identifies the sensitive information of the production environment. The computer modifies the sensitive information such that the production environment can utilize the sensitive information without error, and such that the sensitive information cannot be identified from the modified sensitive information. The computer generates the sandbox environment, based at least in part, on the identified components of the production environment and the modified sensitive information. | 06-12-2014 |
20140165130 | APPLICATION-SPECIFIC RE-ADJUSTMENT OF COMPUTER SECURITY SETTINGS - System and method for re-adjustment of a security application to various application execution scenarios. Application execution scenarios for each of a set of software applications are created, each representing a specific subset of functionality of a corresponding application. Sets of security application configuration instructions are stored, each corresponding to at least one of the application execution scenarios. A current one or more of the application execution scenarios that is being executed in the computing device is determined and, in response, a set of security application configuration instructions corresponding to each current application execution scenario are carried out, such that the security application is adjusted to perform a specific subset of security functionality that is particularized to the current one or more of the application execution scenarios. | 06-12-2014 |
20140165131 | System and Method for Policy Based Control of NAS Storage Devices - A system and method for providing policy-based data management and control on a NAS device deployed on a network and having event enabling framework software. When a user makes a request to store, read, or manipulate data on the NAS device, the NAS device provides an indication of this request to a management tool running on a remote system through the event enabling framework software. The management tool reviews the request in light of its previously established policy-based data storage management configuration and subsequently informs the NAS device, via the event enabling framework software, to either accept or not accept the user's request to store, read or modify data on the NAS device. | 06-12-2014 |
20140165132 | Systems and Methods for Controlling Email Access - Embodiments of the disclosure relate to proxying at least one email resource from at least one email service to at least one client device, identifying at least one resource rule associated with the email resources, and adding at least one URL to the email resources in accordance with the resource rules. | 06-12-2014 |
20140165133 | Method for Directing Audited Data Traffic to Specific Repositories - Data traffic is monitored on a network and data access elements thereof are collected. The collected data access elements are compared to security rules providing sets of predefined data access elements for identifying predefined data accesses. First audit data collections for data accesses are sent to a first repository. For a data access that matches one of the rules, a second audit data collection defined by the matching rule is sent to at least a second repository designated by the matching rule. | 06-12-2014 |
20140165134 | AUTOMATED MULTI-LEVEL FEDERATION AND ENFORCEMENT OF INFORMATION MANAGEMENT POLICIES IN A DEVICE NETWORK - Methods, apparatus, systems, and non-transitory computer-readable media for managing a plurality of disparate computer application and data control policies on a computing device, especially a computing device connected to a computer network, are described. In one example, at least one policy distribution point is provided that includes at least one information management policy. A plurality of policy enforcement points, including a first policy enforcement point operating at a first policy enforcement level, and a second policy enforcement point operating at a second policy enforcement level, are also provided. A first policy element is allocated to the first policy enforcement point, and a second policy element to the second policy enforcement point. A management compartment in computer memory in communication with said computing device, including one or more computer applications, data, and metadata specified and controlled by the information management policy, is also provided. | 06-12-2014 |
20140165135 | UNIFORMLY TRANSFORMING THE CHARACTERISTICS OF A PRODUCTION ENVIRONMENT - Embodiments of the present invention disclose a method, computer program product, and system for generating a secure sandbox environment. A computer identifies components of a production environment that utilizes sensitive information during operation. The components of the production environment can include one or more server computers, one or more storage devices, and one or more applications. The computer receives a security policy that defines what constitutes sensitive information, and in response identifies the sensitive information of the production environment. The computer modifies the sensitive information such that the production environment can utilize the sensitive information without error, and such that the sensitive information cannot be identified from the modified sensitive information. The computer generates the sandbox environment, based at least in part, on the identified components of the production environment and the modified sensitive information. | 06-12-2014 |
20140165136 | MANAGEMENT SERVER, TENANT PATTERN VALIDATION METHOD, AND COMPUTER SYSTEM - A management server which manages a tenant pattern being information for forming a tenant being an application system for executing a predetermined application by using computer resources within a computer system, the tenant pattern including a configuration item and an ID pool, the management server having: pattern parts information for managing the configuration item as a pattern part that forms the tenant pattern; validation rule information for storing a detail of validation processing for a composition of the tenant pattern; and the management server further comprising: a tenant pattern generation unit; a tenant designing unit for designing a composition of the tenant, and generating a configuration detail for actually building the tenant on the computer system; and a validation execution unit for executing the validation processing for the tenant pattern and the configuration detail based on the validation rule information. | 06-12-2014 |
20140165137 | Data Leak Prevention Systems and Methods - A data leak prevention system includes an application, having source code that is unavailable or non-modifiable, resident on a client device. A system call is emittable by the application as a result of an action, and is to take place before a data leak event can occur. The action involves a document and i) latest full contents of the document, ii) metadata of the document, or iii) a combination of the latest full contents and the metadata. A system call interceptor agent is also resident on the client device. The interceptor agent includes a system call interceptor to intercept the system call emitted by the application and to suspend the system call. The system also includes a policy decision engine to analyze at least some of i) the latest full contents, ii) the metadata, or iii) the combination, and implement a policy action based upon the analysis. | 06-12-2014 |
20140165138 | SECURE SOCIAL WEB ORCHESTRATION VIA A SECURITY MODEL - A method includes receiving, by a first computer, input from a first user. The method further includes creating, by the first computer, a hierarchical class tree implementing security profiles based on the input from the user. The hierarchical class tree identifies data, actions, and behaviors pertaining to content, and the security profiles restrict access and use of that user's content. The method also includes transmitting, by the first computer, a portion of the hierarchical class tree to a second computer. A corresponding apparatus is also provided. | 06-12-2014 |
20140165139 | Security Language Translations with Logic Resolution - Security language constructs may be translated into logic language constructs and vice versa. Logic resolution may be effected using, for example, the logic language constructs. In an example implementation, translation of a security language assertion into at least one logic language rule is described. In another example implementation, translation of a proof graph reflecting a logic language into a proof graph reflecting a security language is described. In yet another example implementation, evaluation of a logic language program using a deterministic algorithm is described. | 06-12-2014 |
20140165140 | SYSTEMS AND METHODS FOR EVALUATION OF EVENTS BASED ON A REFERENCE BASELINE ACCORDING TO TEMPORAL POSITION IN A SEQUENCE OF EVENTS - Systems and methods for evaluation of events are provided. A user-specific reference baseline comprises a set of temporally-ordered sequences of events. An event of a sequence of events in a current session is received. A determination is made as to whether the event at least partially matches the reference baseline using an attribute of the event and a temporal position of the event within the sequence of events in the current session. | 06-12-2014 |
20140173682 | AUTHENTICATION FOR SECURE WIRELESS COMMUNICATION - A method and apparatus for use in authentication for secure wireless communication is provided. A received signal is physically authenticated and higher layer processed. Physical authentication includes performing hypothesis testing using a channel impulse response (CIR) measurement of the received signal and predetermined referenced data. Higher layer processing includes validating the signal using a one-way hash chain value in the signal. Once a signal is authenticated, secure wireless communication is performed. | 06-19-2014 |
20140173683 | METADATA DRIVEN REAL-TIME ANALYTICS FRAMEWORK - Methods, systems, and computer program products are provided for developing application definition packages, and deploying the application definition packages at cloud services to produce real-time data analytics applications. In one implementation, a selection is received of an application definition package that defines a real-time data analytics application. The application definition package indicates an application name and includes at least one payload definition, reference data definition, and query definition. A domain name is provided for the real-time data analytics application, and a cloud service is generated that is associated with the domain name. The application definition package is applied to an application template to generate a finalized real-time data analytics package. The finalized real-time data analytics package is instantiated in the cloud service to create a network-accessible instance of the real-time data analytics application. | 06-19-2014 |
20140173684 | METHODS, SOFTWARE, AND DEVICES FOR AUTOMATICALLY SCORING PRIVACY PROTECTION MEASURES - Methods, software and devices for scoring privacy protection processes implemented by an organization are disclosed. Implementation metrics and evidence indicators are received from units of the organization. Implementation metrics each represent extent of implementation of one of the privacy protection processes. Evidence indicators each indicate an electronic document providing evidence of extent of implementation of one of the privacy protection processes. Each electronic document is associated with at least one of the implementation metrics for which the electronic document provides supporting evidence. For each particular privacy protection process implemented by each particular organizational unit, applicable privacy protection rules are identified and a user interface is provided to facilitate assessing compliance of that organizational unit with applicable privacy protection rules. The user interface presents applicable privacy protection rules, implementation metrics received for the particular organizational unit implementing the particular privacy protection process, and the electronic documents associated with those implementation metrics. | 06-19-2014 |
20140173685 | CONTROLLING MODIFICATION OF ELECTRONIC DEVICE CABLING - A cabling modification control unit controls modification of electronic device cabling with physical locks and includes a processing unit and a communication unit. The processing unit is configured to process a cable modification request and configured to generate a control signal based on the result of processing the cable modification request. The communication unit is configured to communicate the control signal to an electronic device component. The control signal is configured to control a physical lock associated with the electronic device component to permit or prevent modification of the electronic device cabling. The electronic device component includes a port configured to connect to the electronic device cabling and a physical lock that is configured to prevent connection or disconnection of the electronic device cabling to the port based on the control signal received from the modification control unit. | 06-19-2014 |
20140173686 | Device Communication Based On Device Trustworthiness - Techniques for assessing the trustworthiness of a target device that a user device is attempting to communicate with are described. A user device may request one or more trustworthiness attributes of a target device before exchanging data with the target device. The user device may receive the one or more trustworthiness attributes of the target device, and determine, based on the received one or more trustworthiness attributes of the target device, a set of one or more security policies to enforce on a communication channel used for exchanging data between the user device and the target device. A communication channel between the user device and the target device can then be established according to the set of one or more security policies. | 06-19-2014 |
20140173687 | DISTRIBUTED COMPUTING SYSTEM - A Policy Enforcement Point (PEP) enforcement module ( | 06-19-2014 |
20140173688 | Method and System for Providing Device-Specific Operator Data for an Automation Device in an Automation Installation - Method and system for providing device-specific operator data for an automation device in an automation installation, which automation device authenticates itself to an authentication server in the automation installation via at least one authentication credential, wherein if up-to-date device-specific operator data from the installation operator of the automation installation are available for the automation device, then the up-to-date device-specific operator data are tied to the authentication credential of the authentication device. | 06-19-2014 |
20140181888 | SECURE LOCAL WEB APPLICATION DATA MANAGER - Apparatus, systems and methods may provide a browser interface to detect an attempt by web content to manipulate data in a local data store. In addition, the data may be classified into a category if the data is remotely accessible. Additionally, a security policy may be applied to the data based on the category. In one example, a separator may separate the data from other data based on the category, the data may be encrypted/decrypted based on the category, and/or context information and user input may be determined to apply the security policy further based on the context information and the user input. | 06-26-2014 |
20140181889 | METHOD AND APPARATUS FOR PRESENCE BASED RESOURCE MANAGEMENT - Methods and apparatus provide resource authorization based on a computer's presence information. Presence information may include information relating to a computer's operating environment. In some implementations, a presence detector on a computer determines presence information and provides the information to a resource manager. The computer may then generate a resource access request. A resource manager may then determine whether the resource request is authorized based, at least in part, on the presence information. The resource manager then responds to the resource access request, either granting or denying the request for resources. | 06-26-2014 |
20140181890 | Quantifying Risk Based on Relationships and Applying Protections Based on Business Rules - An embodiment of the invention provides a method for controlling access to a system, wherein a request to access the system and metadata of the request are received from a user, the request including a user identification. The metadata includes: information obtained from a history of prior accesses to an application access system, information obtained from a history of prior accesses to a wireless authentication system, and/or confirmation of the user identification by an entity physically proximate to the user. A database is queried with the user identification and the metadata to identify relationship data. The relationship data indicates the relationship between the individual assigned the user identification and an entity owning the system, an entity leasing the system, and/or an entity operating the system. The relationship data is input into a rules engine; and, security measure(s) are selected with the rules engine based on the relationship data. | 06-26-2014 |
20140181891 | HARDWARE MANAGEMENT INTERFACE - A management controller of a computing device is identified on a network and queried for attributes of the computing device. The management controller is securely implemented in hardware of the computing device and is independent of a central processing unit (CPU) of the computing device. Data is received from the management controller that identifies one or more attributes of the computing device. A security policy of the network is implemented for the computing device based on the one or more attributes. | 06-26-2014 |
20140181892 | HARDWARE-BASED DEVICE AUTHENTICATION - An opportunity for a computing device to participate in a secure session with a particular domain is identified. A domain identifier of the particular domain is received and a secured microcontroller of the computing device is used to identify a secured, persistent hardware identifier of the computing device stored in secured memory of the computing device. A secure identifier is derived for a pairing of the computing device and the particular domain based on the hardware identifier and domain identifier of the particular domain and the secure identifier is transmitted over a secured channel to the particular domain. The particular domain can verify identity of the computing device from the secure identifier and apply security policies to transactions involving the computing device and the particular domain based at least in part on the secure identifier. | 06-26-2014 |
20140181893 | HARDWARE-BASED DEVICE AUTHENTICATION - An opportunity for a computing device to participate in a secure session with a particular domain is identified. A secured microcontroller of the computing device is used to identify a secured, persistent seed corresponding to the particular domain and stored in secured memory of the computing device. A secure identifier is derived based on the seed and sent for use by the particular domain in authenticating the computing device to the particular domain for the secure session. The particular domain can further apply security policies to transactions involving the computing device and particular domain based at least in part on the secure identifier. | 06-26-2014 |
20140181894 | TRUSTED CONTAINER - A secure identifier is derived, using a secured microcontroller of a computing device, that is unique to a pairing of the computing device and a particular domain. Secure posture data corresponding to attributes of the computing device is identified in secured memory of the computing device. The secure identifier and security posture is sent in a secured container to a management device of the particular domain. The particular domain can utilize the information in the secured container to authenticate the computing device and determine a security task to be performed relating to interactions of the computing device with the particular domain. | 06-26-2014 |
20140181895 | Off campus wireless mobile browser and web filtering system - A mobile wireless safe browser receives a destination link, host, uniform resource identifier, or Internet Protocol address. Prior to requesting a resource from the destination, the safe browser transmits a query over the air to a reputation service and receives a message enabling or disabling conventional browser requests for IP addresses or resources at the destination host. The user is identified to a reputation service which maintains categories of websites and a policy file for each user which enables or disables access to each category. | 06-26-2014 |
20140181896 | System and Method for Protecting Computer Resources from Unauthorized Access Using Isolated Environment - Disclosed are systems and methods for protecting computer resources from unauthorized access. The system provides a library of handler functions that control access of applications to protected resources on a computer device. The system associates a security policy with the library of handler functions. The security policy specifies access rules for accessing protected resources by the applications. The system also modifies applications to access the library of handler functions instead of the corresponding application program interface (API) functions of the computer device. When a handler function receives an API function call from a modified application, it may determine whether the received API function call complies with the access rules. When the API function call complies with the access rules, the handler function performs the API function call from the application to the protected resources. When the API function call violates the access rules, the handler function blocks that API function call. | 06-26-2014 |
20140181897 | System and Method for Detection of Malware Using Behavior Model Scripts of Security Rating Rules - Disclosed are systems, methods and computer program products for detecting computer malware using security rating rules. In one example, the system identifies at least one problematic security rating rule that was activated during antivirus analysis of both safe and malicious programs. The system then selects a group of programs for which said problematic rule was activated. The system then identifies in the selected group of programs a plurality of only malicious programs or the plurality of only safe programs based on the problematic security rating rule and at least one different security rating rule. The system then generates a behavior model script based on the problematic security rating rule and the at least one different security rating rule and executes said behavior model script during antivirus analysis of said analyzed program to detect a computer malware in said analyzed program. | 06-26-2014 |
20140181898 | SYSTEM AND METHOD FOR IMPLEMENTING ADAPTIVE SECURITY ZONES - A system for managing adaptive security zones in complex business operations, comprising a rules engine adapted to receive events from a plurality of event sources and a security manager coupled to the rules engine via a data network, wherein upon receiving an event, the rules engine determines what rules, if any, are triggered by the event and, upon triggering a rule, the rules engine determines if the rule pertains to security and, if so, sends a notification message to the security manager informing it of the triggered event, and wherein the security manager, on receiving a notification message from the rules engine, automatically establishes a new security zone based at least in part on the contents of the notification message, is disclosed. | 06-26-2014 |
20140181899 | METHOD AND APPARATUS TO IMPLEMENT SECURITY IN A LONG TERM EVOLUTION WIRELESS DEVICE - A wireless transmit receive unit (WTRU) is configured to receive unciphered and ciphered messages. The unciphered messages include identity requests, authentication requests, non-access stratum (NAS) security mode commands and tracking area update responses. The ciphered messages may come from the NAS and a Radio Resource Controller (RRC). The messages are ciphered using security keys. | 06-26-2014 |
20140189775 | TECHNIQUES FOR SECURE DEBUGGING AND MONITORING - Techniques for secure debugging and monitoring are presented. An end user requests a secure token for logging information with a remote service. A secure monitoring and debugging token service provides the secure token. The remote service validates the secure token and configures itself for capturing information and reporting the captured information based on the secure token. | 07-03-2014 |
20140189776 | Real-Time Representation of Security-Relevant System State - A situational model representing a state of a monitored device is described herein. The situational model is constructed with the security-relevant information in substantially real-time as execution activities of the monitored device associated with the security-relevant information are observed. The represented state may include a current state and a past state of the monitored device. Also, the situational model may be used to validate state information associated with events occurring on the monitored device. Further, a remote security service may configure the monitored device, including configuring the situational model, and may build an additional situational model representing a state of a group of monitored devices. | 07-03-2014 |
20140189777 | POLICY-BASED SECURE CONTAINERS FOR MULTIPLE ENTERPRISE APPLICATIONS - Technologies for providing policy-based secure containers for multiple enterprise applications include a client computing device and an enterprise policy server. The client computing device sends device attribute information and a request for access to an enterprise application to the enterprise policy server. The enterprise policy server determines a device trust level based on the device attribute information and a data sensitivity level based on the enterprise application, and sends a security policy to the client computing device based on the device trust level and the data sensitivity level. The client computing device references or creates a secure container for the security policy, adds the enterprise application to the secure container, and enforces the security policy while executing the enterprise application in the secure container. Multiple enterprise applications may be added to each secure container. Other embodiments are described and claimed. | 07-03-2014 |
20140189778 | WEB APPLICATION CONTAINER FOR CLIENT-LEVEL RUNTIME CONTROL - Technologies for establishing client-level web application runtime control using a computing device include receiving application code for a browser-based application from a web server and generating machine-executable code and an access control map for the application code. The computing device receives application security information associated with the application code from local and/or remote security applications and performs a security assessment of the application code based on the application security information and the access control map. Further, the computing device establishes a runtime security policy for the browser-based application and enforces that policy. | 07-03-2014 |
20140189779 | QUERY SYSTEM AND METHOD TO DETERMINE AUTHENTICATION CAPABILITIES - A system, apparatus, method, and machine readable medium are described for determining the authentication capabilities. For example, one embodiment of a method comprises: receiving a policy identifying a set of acceptable authentication capabilities; determining a set of client authentication capabilities; and filtering the set of acceptable authentication capabilities based on the determined set of client authentication capabilities to arrive at a filtered set of one or more authentication capabilities for authenticating a user of the client. | 07-03-2014 |
20140189780 | Method and Apparatus for Limiting Digital Content Distribution Inside Defined Real-world Geographic Area(s) - A method for limiting digital content distribution inside defined real-world geographic area(s) is disclosed. In one embodiment, the method is realized by adding additional distribution policy for geographical control to digital content's metadata, requesting the receiver to acquire and provide its current location, checking receiver's current location against the geographic control distribution policy, and distributing the content if the distribution policy is satisfied. | 07-03-2014 |
20140189781 | MOBILE ENTERPRISE SERVER AND CLIENT DEVICE INTERACTION - A system includes an application server that hosts a plurality of enterprise applications and stores enterprise data associated with each of the enterprise applications. A client device executes a client application that can provide access to each of the enterprise applications. The client application includes a memory protection engine that allocates a first memory location for the enterprise data transmitted to the client device so the enterprise data is accessible to each of the plurality of enterprise applications through the client application. A second allocated memory location is allocated for non-enterprise data. A mobile enterprise server transmits the enterprise data to the client device. | 07-03-2014 |
20140189782 | RESOURCE PROTECTION ON UN-TRUSTED DEVICES - Authenticating a user to a first service to allow the user to access a resource provided by the first service. The resource is a protected resource requiring a general purpose credential (e.g. a user name and/or password) to access the resource. The method includes receiving at a second service, from the device, an ad-hoc credential. The ad-hoc credential is a credential that is particular to the device. The ad-hoc credential can be used to authenticate both the user and the device, but cannot be directly used as authentication at the first service for the user to access the resource. The method further includes, at the second service, substituting the general purpose credential for the ad-hoc credential and forwarding the general purpose credential to the first service. As such, the first service can provide the resource to the user at the device. | 07-03-2014 |
20140189783 | POLICY-BASED DEVELOPMENT AND RUNTIME CONTROL OF MOBILE APPLICATIONS - A method, process, and associated systems for policy-based development and runtime control of mobile applications. Security objects that describe or enforce security policies are embedded into the source code of an enhanced application while the application is being developed. When a user attempts to launch the enhanced application on a mobile device, the security objects are updated to match a latest valid version of the objects stored on an enterprise server. The security objects may be further updated at other times. Global security policies, which affect the entire enterprise and which may deny the application permission to launch, are enforced by a global security policy stored within one of the updated security objects. If the application does run, application-specific security policies contained in the updated security objects modify application behavior at runtime in order to enforce application-specific security policies. | 07-03-2014 |
20140189784 | SYSTEMS AND METHODS FOR ENFORCING DATA-LOSS-PREVENTION POLICIES USING MOBILE SENSORS - A computer-implemented method for enforcing data-loss-prevention policies using mobile sensors may include (1) detecting an attempt by a user to access sensitive data on a mobile computing device, (2) collecting, via at least one sensor of the mobile computing device, sensor data that indicates an environment in which the user is attempting to access the sensitive data, (3) determining, based at least in part on the sensor data, a privacy level of the environment, and (4) restricting, based at least in part on the privacy level of the environment, the attempt by the user to access the sensitive data according to a DLP policy. Various other methods, systems, and computer-readable media are also disclosed. | 07-03-2014 |
20140189785 | SOCIAL AND PROXIMITY BASED ACCESS CONTROL FOR MOBILE APPLICATIONS - Methods and systems for proximity-based access control include determining whether a distance from a first mobile device to each of one or more safe mobile devices falls below a threshold distance; determining whether a number of safe mobile devices within the threshold distance exceeds a safe gathering threshold with a processor; and activating a safe gathering policy in accordance with the safe gathering threshold that decreases a security level in the first mobile device. | 07-03-2014 |
20140189786 | SOCIAL AND PROXIMITY BASED ACCESS CONTROL FOR MOBILE APPLICATIONS - Systems for proximity-based access control include a proximity module configured to determine whether a distance from a first mobile device to each of one or more safe mobile devices falls below a threshold distance; a policy engine comprising a processor configured to determine whether a number of safe mobile devices within the threshold distance exceeds a safe gathering threshold; and a security module configured to activate a safe gathering policy in accordance with the safe gathering threshold that decreases a security level in the first mobile device. | 07-03-2014 |
20140189787 | EVALUATION SYSTEMS AND METHODS FOR COORDINATING SOFTWARE AGENTS - A device, method, computer program product, and network subsystem are described for associating a first mobile agent with a first security policy and a second mobile agent with a second security policy or for providing a first agent with code for responding to situational information about the first agent and about a second agent and for evaluating a received message at least in response to an indication of the first security policy and to an indication of the second security policy or for deploying the first agent. | 07-03-2014 |
20140189788 | Security Architecture For A Process Control Platform Executing Applications - A security component within a supervisory process control and manufacturing information system comprising a set of user roles corresponding to different types of users within the information system, a set of security groups defining a set of security permissions with regard to a set of objects, wherein each security group includes an access definition relating the security permissions to at least one of the set of user roles, and a set of user accounts assigned to at least one of the defined roles thereby indirectly defining access rights with regard to the set of objects having restricted access within the system. The security permissions within the supervisory process control and manufacturing information system are assigned at an object attribute level. | 07-03-2014 |
20140196103 | GENERATING ROLE-BASED ACCESS CONTROL POLICIES BASED ON DISCOVERED RISK-AVERSE ROLES - Generating role-based access control policies is provided. A user-permission relation is generated by extracting users and permissions assigned to each of the users from a stored access control policy. A user-attribute relation is generated by mapping the users to attributes describing the users. A permission-attribute relation is generated by mapping the permissions to attributes describing the permissions. The set of risk-averse roles, assignment of the set of risk-averse roles to the users, and assignment of the permissions to the set of risk-averse roles are determined based on applying a risk-optimization function to the generated user-permission relation, the generated user-attribute relation, and the generated permission-attribute relation. A role-based access control policy that minimizes a risk profile of the set of risk-averse roles, the assignment of the set of risk-averse roles to the users, and the assignment of the permissions to the set of risk-averse roles is generated. | 07-10-2014 |
20140196104 | GENERATING ROLE-BASED ACCESS CONTROL POLICIES BASED ON DISCOVERED RISK-AVERSE ROLES - Generating role-based access control policies is provided. A user-permission relation is generated by extracting users and permissions assigned to each of the users from a stored access control policy. A user-attribute relation is generated by mapping the users to attributes describing the users. A permission-attribute relation is generated by mapping the permissions to attributes describing the permissions. The set of risk-averse roles, assignment of the set of risk-averse roles to the users, and assignment of the permissions to the set of risk-averse roles are determined based on applying a risk-optimization function to the generated user-permission relation, the generated user-attribute relation, and the generated permission-attribute relation. A role-based access control policy that minimizes a risk profile of the set of risk-averse roles, the assignment of the set of risk-averse roles to the users, and the assignment of the permissions to the set of risk-averse roles is generated. | 07-10-2014 |
20140196105 | CLOUD SYSTEM WITH ATTACK PROTECTION MECHANISM AND PROTECTION METHOD USING FOR THE SAME - A cloud system includes a security center server, a monitoring server, and a host. The host is deployed by the monitoring server after booting to install a detecting procedure and execute a local security policy therein. The host provides a self-monitoring operation through the detecting procedure and replies to the monitoring server when any monitoring data therein exceeds a threshold value according to the local security policy. The monitoring server judges whether the host is attacked or not, and notifies the security center server when the host is judged to be attacked. After receiving the notification, the security center server analyzes attack types, and generates a new security policy according to the analyzed results. Finally, the security center server redeploys the host with the newly generated security policy, so as to update the local security policy in the host, and protects the host from the attack. | 07-10-2014 |
20140196106 | Location-Based Security Rules - Location based security rules are provided for preventing unauthorized access to a device, application, system, content, and/or network, etc. The location-based security rules enable a user, computing device, system, etc. to access the requested item or information when the user provides proper identification information. The proper identification information is based in part on the location of the user and/or the user's access request. | 07-10-2014 |
20140196107 | SECURE DIGITAL COMMUNICATIONS - Policies are used when performing a transaction between a first and a second device, the first device having an established trusted communication relation with a first trusted device and the second device having an established trusted communication relation with a second trusted device, and the first and the second trusted device each having an established trusted communication relation with a third trusted device. A policy defines a set of constructs for creating rules to control the boundaries of a transaction. The policy defines role definition stipulating what interacting identities must have been validated as for the transaction to occur. The policy also defines a set of digest method algorithms or data referral methods to be used in the transaction. | 07-10-2014 |
20140196108 | SECURITY POLICY ENFORCEMENT - A method of operating a network message interceptor for enforcing a security policy for communication over a network between first and second network endpoints, the interceptor being in communication with the network and external to the first and second endpoints, the network including transport layer security, and the security policy identifying at least one valid security standard for communication over the network, the method comprising the steps of: intercepting a handshake message transmitted over the network between the first and second endpoints; extracting from the handshake message an identification of a security standard selected for the communication between the first and second endpoints; determining a validity status of the identified security standard based on the security policy; and preventing communication between the first and second endpoints based on a negatively determined validity status of the identified security standard. | 07-10-2014 |
20140201803 | METHOD AND APPARATUS FOR WIDGET COMPATABILITY AND TRANSFER - An approach is provided for utilizing widgets compatible with multiple platforms. A request is received to transmit a widget associated with a first canvas to a second canvas. The first canvas and the second canvas include a respective runtime environment. A compatibility of the widget with the runtime environment of the second canvas is determined. Transmission of the widget is caused, at least in part, based, at least in part, on the determination. | 07-17-2014 |
20140201804 | INFORMATION SHARING - Systems and methods for the sharing of information between organizations are disclosed. Policies that govern the permissions for the sharing of information are represented as Boolean functions such as Binary Decision Diagrams. | 07-17-2014 |
20140201805 | MANAGING SENSITIVE CONTENT - A method, system or computer usable program product for automatically removing sensitive content from a display responsive to removal of user physical proximity from a computer peripheral including utilizing a predefined policy stored in persistent memory for monitoring user interaction with a computer peripheral for a criterion, wherein the criterion is a removal of user contact with the computer peripheral, and responsive to detecting the criterion with a processor, performing a removal action related to displaying sensitive content according to the predefined policy. | 07-17-2014 |
20140201806 | RUNTIME RISK DETECTION BASED ON USER, APPLICATION, AND SYSTEM ACTION SEQUENCE CORRELATION - A method for assessing runtime risk for an application or device includes: storing, in a rules database, a plurality of rules, wherein each rule identifies an action sequence; storing, in a policy database, a plurality of assessment policies, wherein each assessment policy includes at least one rule of the plurality of rules; identifying, using at least one assessment policy, a runtime risk for an application or device, wherein the identified runtime risk identifies and predicts a specific type of threat; and identifying, by a processing device, a behavior score for the application or device based on the identified runtime risk, wherein the action sequence is a sequence of at least two performed actions, and each performed action is at least one of: a user action, an application action, and a system action. | 07-17-2014 |
20140201807 | SYSTEMS AND METHODS FOR ENFORCING SECURITY IN MOBILE COMPUTING - Methods and systems described herein relate to enhancing security on a device by configuring one or more software functions in a trusted zone of a processor using object firewalls, IPC mechanisms, and/or a policy engine. An inter-process communication mechanism and inter-process communication bus enable secure inter-process communication between inter-process communication applications within the trusted zone and inter-process communication applications external to the trusted zone. Adapting, filtering, blocking, redirecting, or otherwise modifying inter-process communications is enabled by the inter-process communications mechanism. Modifications may be controlled by a policy engine within the trusted zone. | 07-17-2014 |
20140201808 | NETWORK SYSTEM, MOBILE COMMUNICATION DEVICE AND PROGRAM - Leakage of information stored in a mobile communication device via a network is prevented. To this end, a mobile communication device that together with an authentication server forms part of a network system is equipped with: a functional unit configured to detect a change in information on the physical location of the device itself and/or information on the location of the device itself on a network; a functional unit configured to, upon detection of the change, transmit to the authentication server the information on the location of the device itself and/or the information on the location of the device itself on the network; and a functional unit configured to receive from the authentication server a communication control policy corresponding to the information on the location of the device itself and/or the information on the location of the device itself on the network, and apply the communication control policy to the device itself. | 07-17-2014 |
20140208381 | Analyzing Usage Information of an Information Management System - In an information management system, activity data is collected and analyzed for patterns. The information management system may be policy based. Activity data may be organized as entries including information on user, application, machine, action, object or document, time, and location. When checking for patterns in the activity or historical data, techniques may include inferencing, frequency checking, location and distance checking, and relationship checking, and any combination of these. Analyzing the activity data may include comparing like types or categories of information for two or more entries. | 07-24-2014 |
20140215548 | COMMUNICATION SESSION TERMINATION RANKINGS AND PROTOCOLS - A method of handling a plurality of session requests at an access manager may include assigning a rank to each of a plurality of agents. Each of the plurality of agents may forward requests for protected resources to the access manager for authentication and/or authorization, and the access manager may establish a plurality of sessions. The method may also include establishing a first session that is associated with a first agent in the plurality of agents that is assigned a first rank, a first user device, and/or a user credential. The method may additionally include receiving a request to establish a second session that is associated with a second agent in the plurality of agents that is assigned a second rank, a second user device, and/or the user credential. The method may further include determining whether the second session should be established. | 07-31-2014 |
20140215549 | METHOD AND APPARATUS FOR POLICY CRITERIA GENERATION - Methods, apparatuses, and computer program products are described herein that are configured to generate criteria that defines instances in which a policy is to be applied or otherwise activated. In some example embodiments, a method is provided that comprises receiving an indication of a selected field of one or more fields that are applicable to a criteria for a policy. The method of this embodiment may also include receiving an indication of an operation selection and a specified value related to the selected field. The method of this embodiment may also include generating a criterion that modifies the criteria for the policy. | 07-31-2014 |
20140215550 | SYSTEM AND METHOD OF ENHANCING SECURITY OF A WIRELESS DEVICE THROUGH USAGE PATTERN DETECTION - A method of identifying a user of a device having a security policy and including a touch sensitive input device. The method includes receiving data corresponding to use of the touch sensitive input device by the user and determining from the received data at least one feature. Based on the at least one feature and a signature associated with an identifiable user, the method determines a likelihood that the user is the identifiable user and modifies, based on the likelihood, the security policy on the device. | 07-31-2014 |
20140215551 | CONTROLLING ACCESS TO SHARED CONTENT IN AN ONLINE CONTENT MANAGEMENT SYSTEM - Systems and methods for controlling access to shared content in an online content management system include receiving a request to access a content item from a requester, wherein the content item is stored in a synchronized online content management system. The example method then includes determining that the requester is in an approved list of requesters and granting access to the content item. In one variation, the request to access the content item includes activation of a shared link. In another variation, the request to access the content item includes access to a shared folder in the synchronized online content management system. In a third variation, determining that the requester is in an approved list of requesters includes determining that the requester is logged into a primary and secondary account, and that the requester is in an approved list for the secondary account. | 07-31-2014 |
20140215552 | SMART CONTAINERS - Smart containers are disclosed. A system for managing content comprises an interface to receive an operation associated with an instance of a smart container. The smart container comprises a logical structure configured using a definition to manage associated content. The system for managing content comprises a processor configured to determine whether the operation is allowable based at least in part on a policy; and in the event that the operation is allowable, perform the operation. A memory is coupled to the processor and is configured to provide the processor with instructions. | 07-31-2014 |
20140215553 | INFORMATION PROCESSING SYSTEM, CONTROL METHOD THEREFOR, IMAGE PROCESSING APPARATUS, CONTROL METHOD THEREFOR, AND STORAGE MEDIUM STORING CONTROL PROGRAM THEREFOR - An information processing system that facilitates management of information security policy even for an extended application installed from exterior. A receiving unit receives security policy data in which a security policy is described. A management unit manages an extended application that can be added and deleted and that operates in an image processing apparatus. A notification unit notifies an administrator of error information about a security policy of an extended application managed by the management unit, when the extended application managed by the management unit does not comply with the security policy described in the security policy data, and when an identifier of an extended application that is extracted from the security policy data and that is excepted from applying the security policy does not match with the identifier of the extended application managed by the management unit. | 07-31-2014 |
20140215554 | METHOD OF CUSTOMIZING A STANDARDIZED IT POLICY - A system and method are described herein for standardizing an IT policy that is used to configure devices operating on a network. An IT policy can be generated that applies to a group of users or to one or more special users without having to define and store a new IT policy for each special user. This can be achieved by specifying global and per-user IT policy rules and merging these rules as needed to produce IT policy data. | 07-31-2014 |
20140215555 | Conjuring and Providing Profiles that Manage Execution of Mobile Applications - Various aspects of the disclosure relate to configuring and providing policies that manage execution of mobile applications. In some embodiments, a user interface may be generated that allows an IT administrator or other operator to set, change and/or add to policy settings. The policy settings can be formatted into a policy file and be made available for download to a mobile device, such as via an application store or to be pushed to the mobile device as part of a data push service. The mobile device, based on the various settings included in the policy file, may perform various actions to enforce the security constraints that are represented by the policy. The various settings that can be included in a policy are numerous and some examples and variations thereof are described in connection with the example embodiments discussed herein. | 07-31-2014 |
20140223507 | CLOUD-BASED SECURITY POLICY CONFIGURATION - Systems and methods for configuring cloud-based security policies are provided. According to one embodiment, security parameters are shared in the cloud by security devices. A first network appliance may fetch one or more security parameters shared by a second network appliance from a cloud account. Then the first network appliance automatically creates a security policy that controls a connection between the first network appliance and the second network appliance based at least in part on the one or more security parameters. | 08-07-2014 |
20140223508 | Dynamically Constructed Capability for Enforcing Object Access Order - Proposed is a Capability Management System (CMS) in a distributed computing environment that controls access to multiple objects by multiple subjects based upon a specified access order. A capability is dynamically constructed when the capability is needed. After the capability is used to access an object, a new capability is generated. In the alternative, multiple capabilities for enforcing an access order are generated independently of each other. The new capability is then employed by the same or another subject to access the object according to a prescribed access sequence. In this manner, at any particular time there is one capability valid to access the object by the appropriate subject. In addition, the capability includes information for verifying the authenticity of the capability and for specifying an expiration time associated with the capability. The technology may also be enhanced by providing a linkage between capabilities intended for use in a sequence. | 08-07-2014 |
20140223509 | SYSTEM AND METHOD FOR INDIRECT INTERFACE MONITORING AND PLUMB-LINING - A method is provided in one example embodiment that includes monitoring a first interface, monitoring a second interface, and taking a policy action if the second interface is not executed before the first interface. In more particular embodiments, monitoring the second interface may include walking a call stack associated with the first interface. Moreover, a program context for calling code associated with the second interface may be identified and acted upon. | 08-07-2014 |
20140223510 | SYSTEM AND METHOD FOR PROVIDING DIVERSE SECURE DATA COMMUNICATION PERMISSIONS TO TRUSTED APPLICATIONS ON A PORTABLE COMMUNICATION DEVICE - A system for providing first and second trusted applications diverse permission to communicate via a secure element. The system comprising first digital identifier and digital token operably associated with the first trusted application; a second digital identifier and digital token operably associated with the second trusted application. The system further includes a card services module that provides an application programming interface to the secure element supported by a secure data table including first and second sets of permissions. The card services module issues one or more commands to the secure element based on a first action requested by the first trusted application in conjunction with the presentation of the first digital token only if the one or more commands will not violate the first set of permissions. A method is also disclosed. | 08-07-2014 |
20140237537 | METHOD AND TECHNIQUE FOR APPLICATION AND DEVICE CONTROL IN A VIRTUALIZED ENVIRONMENT - A data loss prevention (DLP) manager running on a security virtual machine manages DLP policies for a plurality of guest virtual machines. The DLP manager identifies a source associated with a file open or create event. The source is at least one of an application or a device being used by a guest virtual machine (GVM). The DLP manager enforces a first response rule associated with the GVM when the source is a non-approved source per a source control policy. The DLP manager enforces a second response rule when the file violates a DLP policy. | 08-21-2014 |
20140237538 | Input prediction in a database access control system - A local database access control system (LDACS) intelligently determines which database access requests intercepted by a database agent require analysis by an external security device and which of those requests might be predicted not to require such processing, e.g., because they do not contain database object information that needs to be validated against a security policy. Client requests that are predicted not to require such processing are then passed to the database server directly without being held by the agent and delivered externally for policy validation. In this approach, the agent does not send every intercepted request to the security device for evaluation against the one or more security policies. Rather, only those intercepted requests that are predicted to contain database object information are delivered. The security device implements an input prediction scheme to facilitate this process by sending control commands to the agent. | 08-21-2014 |
20140237539 | Identity Propagation - In one implementation, identity based security features and policies are applied to endpoint devices behind an intermediary device, such as a network address translation device. The access network switch authenticates an endpoint based on a user identity and a credential. A hypertext transfer protocol (HTTP) packet is generated or modified to include the user identity in an inline header. The HTTP packet including the user identity is sent to a policy enforcement device to look up one or more policies for the endpoint. The access switch receives traffic from the policy enforcement device that is filtered according to the user identity. Subsequent TCP connections may also include identity information within the TCP USER_HINT option in a synchronization packet, thus allowing identity propagation for other applications and protocols. | 08-21-2014 |
20140237540 | ESTABLISHING AN INTERACTIVE ENVIRONMENT FOR RENDERED DOCUMENTS - A system for identifying an electronic counterpart for a rendered document is described. The system receives an indication of a text capture operation performed from a rendered document. The indication identifies a text sequence captured as part of the text capture operation, the identified text sequence comprising fewer than nine words. In response to receiving the indication, the system uniquely identifies an electronic document from which the rendered document was rendered. | 08-21-2014 |
20140237541 | SCALABLE SECURITY SERVICES FOR MULTICAST IN A ROUTER HAVING INTEGRATED ZONE-BASED FIREWALL - A multicast-capable firewall allows firewall security policies to be applied to multicast traffic. The multicast-capable firewall may be integrated within a routing device, thus allowing a single device to provide both routing functionality, including multicast support, as well as firewall services. The routing device provides a user interface by which a user specifies one or more zones to be recognized by the integrated firewall when applying stateful firewall services to multicast packets. The user interface supports a syntax that allows the user to define subsets of the plurality of interfaces associated with the zones, and define a single multicast policy to be applied to multicast sessions associated with a multicast group. The multicast policy identifies common services to be applied pre-replication, and exceptions specifying additional services to be applied post-replication to copies of the multicast packets for the one or more zones. | 08-21-2014 |
20140237542 | REMEDIAL ACTION AGAINST MALICIOUS CODE AT A CLIENT FACILITY - Aspects of this invention may relate to a malicious application remedial action request application where a network site interaction may be requested from a client computing facility; the network site interaction from the client computing facility may be determined to be unacceptable based on an acceptance policy at a gateway facility; access to the network site from the client computing facility may be denied; information relating to the attempted interaction with the network site may be sent from the gateway facility to the client computing facility, wherein the information may indicate that the attempted interaction occurred; and the client computing facility may interpret the information relating to the attempted interaction, determine whether the attempted interaction was the result of an automatically generated request, and take remedial action in the event that the attempted interaction was the result of the automatically generated request. | 08-21-2014 |
20140237543 | METHOD AND APPARATUS FOR POLICY-BASED NETWORK ACCESS CONTROL WITH ARBITRARY NETWORK ACCESS CONTROL FRAMEWORKS - A method and apparatus for integrating various network access control frameworks under the control of a single policy decision point (PDP). The apparatus supports pluggable protocol terminators to interface to any number of access protocols or backend support services. The apparatus contains Trust and Identity Mediators to mediate between the protocol terminators and a canonical policy subsystem, translating attributes between framework representations, and a canonical representation using extensible data-driven dictionaries. | 08-21-2014 |
20140245372 | HTTP PASSWORD MEDIATOR - A method and system for password mediation including identifying an HTTP request issued by a client application executing on a client device, the HTTP request indicating an operation to be performed for a user of the client application at a destination system, obtaining user credentials using the HTTP request, requesting security information for the user with respect to the destination system, determining whether the user is allowed to perform the operation based on the security information, and upon determining that the user is allowed to perform the operation, modifying the HTTP request based on the security information and sending the modified HTTP request to the destination system. | 08-28-2014 |
20140245373 | DISCRETIONARY POLICY MANAGEMENT IN CLOUD-BASED ENVIRONMENT - Embodiments are disclosed for managing and providing access to a collection of digital resources. One embodiment provides a method comprising receiving a request to access a resource for a principal and determining one or more principal groups to which the principal belongs. The method further comprises obtaining resource set membership information indicating a resource set to which the resource belongs, and obtaining resource set access policy information for the resource set to which the resource belongs. The method yet further comprises determining whether the principal is allowed to access the resource based on the principal group membership information and the resource set access policy information, and, if the principal is allowed to access the resource, then permitting access to the resource by the principal. | 08-28-2014 |
20140245374 | Device and Method for Detection of Anomalous Behavior in a Computer Network - A device and method for providing forensic data in network activity indicative of the presence of malware. A distributed set of network-based sensors operates within an enterprise network in cooperation with a centralized analytics and correlation engine that correlates detected events across the sensors to detect malicious activity on a monitored network which may include using a multi-tiered or Rete net rule set or engine. When malicious activity is detected upon the satisfaction of a predetermined set of conditions, the invention traces the activity to a host responsible for the activity for further action. | 08-28-2014 |
20140245375 | DOCUMENT AUTHORITY MANAGEMENT SYSTEM, TERMINAL DEVICE, DOCUMENT AUTHORITY MANAGEMENT METHOD, AND COMPUTER-READABLE RECORDING MEDIUM - A document authority management system | 08-28-2014 |
20140245376 | SYSTEMS AND METHODS OF RISK BASED RULES FOR APPLICATION CONTROL - In various embodiments, an agent on a digital device may comprise a monitor module, an application identification module, a vulnerability module, a rules database, and a rule module. The monitor module may be configured to monitor a device for an instruction to execute a legitimate application. The application identification module may be configured to identify one or more attributes of the legitimate application. The vulnerability module may be configured to retrieve risk information based on the one or more attributes of the legitimate application. The risk information may be determined from known vulnerabilities of the legitimate application. The rules database may be for storing a rule associated with the risk information. The rule module may be configured to retrieve the rule from the rule database based on the risk information and to control the legitimate application based on the rule. | 08-28-2014 |
20140245377 | SECURE MOBILE FRAMEWORK - Systems and methods for a secure mobile framework to securely connect applications running on mobile devices to services within an enterprise are provided. Various embodiments provide mechanisms of securitizing data and communication between mobile devices and end point services accessed from a gateway of responsible authorization, authentication, anomaly detection, fraud detection, and policy management. Some embodiments provide for the integration of server and client side security mechanisms, binding of a user/application/device to an endpoint service along with multiple encryption mechanisms. For example, the secure mobile framework provides a secure container on the mobile device, secure files, a virtual file system partition, a multiple level authentication approach (e.g., to access a secure container on the mobile device and to access enterprise services), and a server side fraud detection system. | 08-28-2014 |
20140245378 | SECURE MOBILE FRAMEWORK - Systems and methods for a secure mobile framework to securely connect applications running on mobile devices to services within an enterprise are provided. Various embodiments provide mechanisms of securitizing data and communication between mobile devices and end point services accessed from a gateway of responsible authorization, authentication, anomaly detection, fraud detection, and policy management. Some embodiments provide for the integration of server and client side security mechanisms, binding of a user/application/device to an endpoint service along with multiple encryption mechanisms. For example, the secure mobile framework provides a secure container on the mobile device, secure files, a virtual file system partition, a multiple level authentication approach (e.g., to access a secure container on the mobile device and to access enterprise services), and a server side fraud detection system. | 08-28-2014 |
20140245379 | SYSTEM AND METHOD FOR ENFORCING A POLICY FOR AN AUTHENTICATOR DEVICE - A system and method including defining at least one device authentication policy; at a policy engine, initializing authentication policy processing for an authenticator device; collecting device status assessment; evaluating policy compliance of the device status assessment to an associated defined device authentication policy; and enforcing use of the authenticator device according to the policy compliance. | 08-28-2014 |
20140245380 | AUTOMATIC PIN CREATION USING PASSWORD - A PIN is automatically generated based on at least one rule when the user enters a password through a user device. In one example, the PIN is a truncated version of the password where each character in the truncated version is mapped onto a number. The mapping can be a truncation at the beginning or end of the password, or the mapping can be with any pattern or sequence of characters in the password. This PIN generation may be transparent to the user, such that the user may not even know the PIN was generated when the password was entered. When the user attempts to access restricted content, the user may enter the PIN instead of the password, where the user may be notified of the rule used to generate the PIN so that the user will know the PIN by knowing the password. | 08-28-2014 |
20140245381 | Systems and Methods for Controlling Email Access - Embodiments of the disclosure relate to proxying at least one email resource from at least one email service to at least one client device, identifying at least one resource rule associated with the email resources, and adding at least one URL to the email resources in accordance with the resource rules. | 08-28-2014 |
20140245382 | SYSTEM AND METHOD FOR DEVELOPING AND USING TRUSTED POLICY BASED ON A SOCIAL MODEL - A trust policy is constructed based upon a social relationship between real-world entities. The trust policy may be determined based upon a social network and social network maps. The social network map provides a framework to determine social distances. The trust policy provides quick and secure access to desired or trusted nodes while providing security from entities outside the trusted sphere of nodes. The trust policy determined by the social distance may be used for various types of applications including filtering unwanted e-mail, providing secure access to resources, and accessing protected services. File sharing, referral querying, advertisement targeting, announcement targeting, access control, and various applications may be limited using the constructed trust policy. | 08-28-2014 |
20140250489 | Techniques for Policy Aware Service Composition - Techniques for policy-aware service composition are provided. In one aspect, a method for creating a policy-compliant service composition is provided. The method includes the following steps. One or more policy rules related to services in the service composition are created. A service composition graph is created that represents the service composition, wherein vertices of the service composition graph represent the services and directional edges of the service composition graph represent potential flows of data between the vertices. During creation of the service composition graph, it is determined whether one or more candidate services comply with the policy rules. Only those of the candidate services that comply with the policy rules are included in the service composition graph, wherein the services included in the service composition graph comprise policy-compliant services, such that the service composition graph comprises only the policy-compliant services. | 09-04-2014 |
20140250490 | AUTHENTICATING TO A NETWORK VIA A DEVICE-SPECIFIC ONE TIME PASSWORD - Generally, this disclosure describes a method and system for authenticating to a network via a device-specific one-time password. A method in an embodiment may include generating a first one-time password (OTP) based at least in part on a plurality of client device attributes; and providing the first OTP to an authenticator associated with a private network during a first session, wherein the authenticator is configured to authenticate the client device to at least one of the private network and protected content included in the private network for a second session following the first session based on the provided first OTP. | 09-04-2014 |
20140250491 | SYSTEMS AND METHODS FOR CLOUD DATA SECURITY - Techniques for providing data security services with respect to cloud-based services are described. Examples include a security service provider (“SSP”) configured to perform or provide one or more security-related services or functions with respect to or on behalf of some other system or service. The other system or service may be, for example, a cloud-based system that provides network-accessible services. The SSP allows a user of the cloud-based service to provide and manage one or more security-related services, such as data storage, encryption, decryption, key management, and the like. By using and controlling the SSP, the user can be confident that his or her data is being securely represented and stored, even though it is being operated upon by a cloud-based service that is not under the user's control. | 09-04-2014 |
20140250492 | SYSTEM AND METHOD FOR INTERLOCKING A HOST AND A GATEWAY - A method is described in example embodiments below that includes receiving a content tag associated with transferring a file over a network connection. A session descriptor may also be received. The session descriptor and the content tag may be correlated with a network policy, which may be applied to the network connection. In some embodiments, the content tag may be received with the session descriptor. The file may be tainted by another file in some embodiments, and the content tag may be associated with the other file. | 09-04-2014 |
20140250493 | FIREWALL METHOD AND APPARATUS FOR INDUSTRIAL SYSTEMS - Method and apparatus for use with systems including networked resources where communication between resources is via dual packet protocols wherein a first protocol includes a frame that specifies a destination device/resource and a data field and the second protocol specifies a final destination device/resource and includes a data field, where the second packets are encapsulated in the first protocol packet frames, the method including specifying access control information for resources, for each first protocol packet transmitted on the network, intercepting the first protocol packet prior to the first protocol destination resource, examining a subset of the additional embedded packet information to identify one of the intermediate path resources and the final destination resource, identifying the access control information associated with the identified at least one of the intermediate path resources and the final destination resource and restricting transmission of the first protocol packet as a function of the identified access control information. | 09-04-2014 |
20140259089 | Security-Aware Admission Control of Requests in a Distributed System - Techniques, systems and articles of manufacture for security-aware admission control of requests in a distributed system. A method includes identifying a request dropped by a first application component in a distributed system, determining one or more actions to take with respect to the dropped request, said determining comprises identifying one or more policies of the first application component responsible for the dropped request and identifying one or more additional application components in the distributed system to be affected based on the identified one or more policies, and executing said one or more actions to control admission of one or more requests associated with the dropped request at the one or more additional application components. | 09-11-2014 |
20140259090 | Storage Object Distribution System with Dynamic Policy Controls - System and methods for storage object distribution using dynamic policy controls are provided. An embodiment method of updating a policy on an endpoint node includes receiving, from a key management server, an update to be applied to the policy on the endpoint node, updating, on the endpoint node, the policy without modifying applications on the endpoint node, and enforcing, on the endpoint node, the policy as updated when one of the applications requests an object stored on the endpoint node. In an embodiment, the method further includes storing, at the endpoint node, an object received from the key management server to appear as a file in a file system structure. | 09-11-2014 |
20140259091 | Security-Aware Admission Control of Requests in a Distributed System - Systems and articles of manufacture for security-aware admission control of requests in a distributed system include identifying a request dropped by a first application component in a distributed system, determining one or more actions to take with respect to the dropped request, said determining comprises identifying one or more policies of the first application component responsible for the dropped request and identifying one or more additional application components in the distributed system to be affected based on the identified one or more policies, and executing said one or more actions to control admission of one or more requests associated with the dropped request at the one or more additional application components. | 09-11-2014 |
20140259092 | ACCESS CONTROL TO FILES BASED ON SOURCE INFORMATION - The present invention is a security tool for protection of data on a mobile computing device. The security tool provides a plurality of security policies to be enforced based on source information for the data and a location associated with a network environment in which a mobile device is operating. The security tool may be either located at the mobile computing device or at the server. The security tool includes a file access module for determining whether files are visible or accessible. The file access module comprises a tag generator, an association module, and a policy enforcement module. The tag generator creates source information for the file being accessed and the policy enforcement module determines what actions, if any, can be performed on the file and under what conditions such as location and network environment, type of file and other factors. | 09-11-2014 |
20140259093 | SECURITY FOR NETWORK DELIVERED SERVICES - A computer-implemented method for accessing a hosted service on client devices is described. The client devices include client software that uses a remotely delivered policy to redirect network requests for hosted services to a server to enforce visibility, policy and data security for network delivered services. The method can be used in conjunction with existing VPN and proxy solutions, but provides distinct additional functionality, particularly suited to corporate needs. Policies allow entities to centralize enforcement of service-specific restrictions across networks and communication channels, e.g. only certain users can download client records from a service—irrespective of the network used to access the service. | 09-11-2014 |
20140259094 | SECURITY FOR NETWORK DELIVERED SERVICES - A computer-implemented method for accessing a hosted service on client devices is described. The client devices include client software that uses a remotely delivered policy to redirect network requests for hosted services to a server to enforce visibility, policy and data security for network delivered services. The method can be used in conjunction with existing VPN and proxy solutions, but provides distinct additional functionality, particularly suited to corporate needs. Policies allow entities to centralize enforcement of service-specific restrictions across networks and communication channels, e.g. only certain users can download client records from a service—irrespective of the network used to access the service. | 09-11-2014 |
20140259095 | METHOD OF PROVIDING CYBER SECURITY AS A SERVICE - A cyber system including a method of providing cyber security as a service is provided. The cyber system may include an integrated architecture of defensive and offensive security procedures and processes that enable enterprises to practice safe, holistic security techniques. The plurality of cyber defense procedures may include a plurality of risk-based assessment procedures, a plurality of attack-prevention procedures, a plurality of detection procedures and a plurality of response and recovery procedures. The plurality of cyber offense procedures may include a plurality of cyber weapon procedures, a plurality of cyber intelligence, surveillance and reconnaissance procedures, a plurality of information operations target exploitation procedures and a plurality of information operations attack procedures. The cyber system may also include a plurality of overlapping processes interconnecting the plurality of cyber offense procedures and plurality of cyber defense procedures. The plurality of overlapping processes may include a change management, a configuration management, a service desk and a service-level management. The change management may be structured within an enterprise for ensuring that changes in people, facilities, technology and/or processes are smoothly and successfully implemented to achieve lasting benefits. The configuration management may establish and maintain the consistency of a product's performance, functional and physical attributes with its requirements, design and operational information throughout its life. The service desk may provide the communication needs of the users, employees and customers. Service-level management may assess the impact of change on service quality and establish performance metrics and benchmarks. | 09-11-2014 |
20140259096 | METHOD AND APPARATUS FOR PRIVACY POLICY MANAGEMENT - Various methods are provided for determining run-time characteristics of an application at the time of installation and/or modification. Based on the determined run time characteristics, various methods control the installation and/or modification of the application based on a user privacy profile. One example method may comprise receiving a request to modify an application. A method may further comprise determining whether a conflict is present between the application and a user privacy profile. A method may further comprise causing the determined conflict and at least one conflict resolution to be displayed in an instance in which a conflict is determined. A method additionally comprises causing a user privacy profile to be modified in an instance in which an indication of acceptance is received in response to the displayed at least one conflict resolution. | 09-11-2014 |
20140259097 | DETERMINATION OF ORIGINALITY OF CONTENT - Video content uploaded from a user, and received at a web-based service, is processed to compute fingerprint data. By reference to the fingerprint data, controlled content included within the received content is identified. A similarity score between the controlled content and the received content is determined. Usage rule data to be applied to the received video content is selected (e.g., based, at least in part, on the determined similarity score), and is applied in governing distribution of the received video content from the web-based service. In some arrangements, the owner of the controlled content is identified, and selection of rule data depends on the identified owner. The owner may have established multiple usage rules, and selection between them may be based, e.g., on a percentage of the controlled content that is included in the received video content. A great variety of other features and arrangements are also detailed. | 09-11-2014 |
20140259098 | METHOD, APPARATUS, SIGNALS AND MEDIUM FOR ENFORCING COMPLIANCE WITH A POLICY ON A CLIENT COMPUTER - A method and system for enforcing compliance with a policy on a client computer in communication with a network is disclosed. The method involves receiving a data transmission from the client computer on the network. The data transmission includes status information associated with the client computer. The data transmission is permitted to continue when the status information meets a criterion. | 09-11-2014 |
20140259099 | FIREWALL METHOD AND APPARATUS FOR INDUSTRIAL SYSTEMS - Methods and apparatus for controlling access in an electronic network include receiving a communication from a source device, the communication comprising a first protocol packet having first protocol packet information including a first protocol destination resource identifier, wherein a second protocol packet is embedded in the first protocol packet; retrieving at least one access rule based on at least one characteristic of the second protocol packet; applying the at least one access rule to at least one characteristic of the first protocol packet to determine an access rule outcome; and controlling access of the communication to a first protocol destination resource associated with the first protocol destination resource identifier according to the access rule outcome. | 09-11-2014 |
20140259100 | NETWORK SECURITY IDENTIFICATION METHOD, SECURITY DETECTION SERVER, AND CLIENT AND SYSTEM THEREFOR - There are provided a network security identification method, and a client and system therefor. The method includes: prior to accessing network content corresponding to a uniform resource locator, judging, by a client, whether a cache stores a security state of the uniform resource locator; if the cache stores the security state of the uniform resource locator, acquiring, by the client, the security state of the uniform resource locator from the cache; if the cache does not store the security state of the uniform resource locator, sending, by the client, a request for accessing the network content corresponding to the uniform resource locator to a security detection server, and receiving the security state of the uniform resource locator returned by the security detection server; and determining, by the client according to the security state of the uniform resource locator, whether to access the network content corresponding to the uniform resource locator. | 09-11-2014 |
20140282813 | SECURED LOGICAL COMPONENT FOR SECURITY IN A VIRTUAL ENVIRONMENT - A system and method for providing security in a virtual environment are provided. An example system includes a link module that links a secured logical component to a logical entity including a set of virtual machines. The example system also includes a security module that identifies a set of security policies for one or more communications to the logical entity or one or more communications from the logical entity. The example system further includes a control module that controls, based on the set of security policies, the one or more communications to the logical entity or the one or more communications from the logical entity. | 09-18-2014 |
20140282814 | CLASSIFYING FILES ON A MOBILE COMPUTER DEVICE - A client computer extracts contextual information associated with a file that is created. The client computer generates scores for the file by utilizing the contextual information that is extracted. The client computer assigns a value to the file, based on an aggregation of the scores that are generated. The client computer monitors activities on the client computer, wherein the activities trigger an event on the client computer. The client computer determines whether the event is in violation of one or more computer security policies on a server computer, wherein the one or more computer security policies require work-related files to be deleted or encrypted. The client computer classifies the file as personal data or work-related business data. The client computer secures the file, if the file is classified as work-related business data. | 09-18-2014 |
20140282815 | POLICY-BASED SECURE WEB BOOT - A system, device, and method for providing policy-based secure cloud booting include a mobile computing device and a web server. The mobile computing device determines a remote boot address specifying the location of a boot resource on the web server. The mobile computing device opens a secure connection to the web server and maps the boot resource to a local firmware protocol. The mobile computing device executes the boot resource as a firmware image using the local firmware protocol. The boot resource may be a compact disc or DVD image mapped through a block I/O protocol. The boot resource may be a remote file system mapped through a file system protocol. The remote boot address may be configured using a manageability engine capable of out-of-band communication. The remote boot address may be determined based on the context of the mobile computing device, including location. Other embodiments are described and claimed. | 09-18-2014 |
20140282816 | NOTIFYING USERS WITHIN A PROTECTED NETWORK REGARDING EVENTS AND INFORMATION - Systems and methods are provided for notifying users within a protected network about various events and information. According to one embodiment, a method includes receiving, by a filtering device, a request originated by an application running on a client device. The method further includes making a determination, by the filtering device, whether the request is to be blocked or allowed, based on one or more policies. If the request is to be blocked, a notification is provided to a user of the client device regarding the determination by causing the application to display a predefined message. | 09-18-2014 |
20140282817 | DYNAMIC SECURED NETWORK IN A CLOUD ENVIRONMENT - The disclosure presents systems, methods and computer program products relating to an overlay network in a cloud environment. A management machine may manage an overlay network. Machine(s), which may be provided by cloud provider(s), may be added to or removed from the overlay network. Data relating to a machine may be gathered and configuration data may be determined, for example when the machine is being added to the overlay network. A device associated with a user authorized for the overlay network may connect to the overlay network. The overlay network may include one or more secure tunnels wherein a private IP address or public IP address may encapsulate an overlay IP address. | 09-18-2014 |
20140282818 | ACCESS CONTROL IN A SECURED CLOUD ENVIRONMENT - The disclosure presents systems, methods and computer program products relating to access control in a secured network. An access control policy may be indicated which at least includes a first entity being allowed to access a second entity, by way of at least one protocol via a secured network. The policy may be translated by at least one gateway or server in the secured network into firewall rule(s) to control access in the secured network. | 09-18-2014 |
20140282819 | METHOD, APPARATUS, SYSTEM FOR QUALIFYING CPU TRANSACTIONS WITH SECURITY ATTRIBUTES - Method, apparatus, and system for qualifying CPU transactions with security attributes. Immutable security attributes are generated for transactions initiated by a CPU or processor core that identify the execution mode of the CPU/core as being trusted or untrusted. The transactions may be targeted to an Input/Output (I/O) device or system memory via which a protected asset may be accessed. Policy enforcement logic blocks are implemented at various points in the apparatus or system that allow or deny transactions access to protected assets based on the immutable security attributes generated for the transactions. In one aspect, a multiple-level security scheme is implemented under which a mode register is updated via a first transaction to indicate the CPU/core is operating in a trusted execution mode, and security attributes are generated for a second transaction using execution mode indicia in the mode register to verify the transaction is from a trusted initiator. | 09-18-2014 |
20140282820 | SECURE DATA MANAGEMENT - The disclosed subject matter includes a method. The method includes determining, by a module running on a computer platform in communication with non-transitory computer readable medium having a plurality of security zones, whether an application instance is in a foreground of a user interface for the computer platform. The method further includes determining, by the module, an alert level associated with the application instance in the foreground of the user interface, wherein the alert level includes at least one of a restriction level and an access level. The method also includes providing the alert level to a user of the computer platform using a visual cue displayed on the user interface. | 09-18-2014 |
20140282821 | SYSTEMS AND METHODS FOR IDENTIFYING A SECURE APPLICATION WHEN CONNECTING TO A NETWORK - A computer system receives, from a user device, a request to access a resource within a network of an organization and receives access credentials associated with an application, a user and the user device. The computer system identifies an application identifier, a user identifier and a device identifier and determines whether the combination of these identifiers satisfies an access policy. If the combination of application identifier, user identifier and device identifier satisfies the access policy, then the computer system grants the application access to the resource within the network of the organization. | 09-18-2014 |
20140282822 | IMPLEMENTING SECURITY IN A SOCIAL APPLICATION - Implementing security in social applications includes inferring a closeness level of a connection to a user's profile of a social application based on a closeness policy and implementing a security level individualized to the connection based on the closeness level. | 09-18-2014 |
20140282823 | DEVICE AND RELATED METHOD FOR ESTABLISHING NETWORK POLICY BASED ON APPLICATIONS - A function is provided in a network system for adjusting network policies associated with the operation of network infrastructure devices of the network system. Network policies are established on network devices including packet forwarding devices. The network has a capability to identify computer applications associated with traffic running on the network. A network policy controller of the network is arranged to change one or more policies of one or more network devices based on computer application information acquired. The policies changed may be network policies as well as mirroring policies. An example policy to change is direct a network device to mirror traffic to an application identification appliance for the purpose of identifying applications running on the network through a plurality of mechanisms. The function may be provided in one or more devices of the network. | 09-18-2014 |
20140282824 | AUTOMATIC TUNING OF VIRTUAL DATA CENTER RESOURCE UTILIZATION POLICIES - A computer-implemented process receives a request to utilize one or more virtual data center (VDC) resources at a virtual data center and determines a particular service level applicable to the request. Based on the particular service level and mapping information that indicates associations between VDC resource utilization policies and service levels, the process determines a particular VDC resource utilization policy corresponding to the request and causes completion of the request according to the particular VDC resource utilization policy. Another process determines that a resource utilization performance is incompatible with a requested service level and selects a new resource utilization policy based in part on the resource utilization performance information and mapping information. The process causes data distributed according to a prior resource utilization policy to be distributed according to the new resource utilization policy in one or more resources at a virtual data center. | 09-18-2014 |
20140282825 | MANAGING POLICY AND PERMISSIONS PROFILES - Systems, methods, and computer-readable storage media are provided for managing policy and permissions profiles. Individuals or organizations are permitted to author profiles utilizing a profile template and publish such authored profiles for access and adoption by others. Users are able to import desired profiles and subsequently have those imported profiles applied each time he or she accesses an application or service to which the profile pertains. User interfaces from which users may view profiles associated with them, make alterations to settings of profiles associated with them, and/or select from a plurality of profiles for a particular application or service are also provided. Still further, recommendations may be provided to users for policy and permissions profiles based upon, for instance, crowd-sourcing, profiles adopted by social network connections of a user or other users that are “like” a user, prior profile selections made by the user, and/or prior user behavior. | 09-18-2014 |
20140282826 | MANAGING CO-EDITING SESSIONS - A computer-implemented method, system, and/or computer program mediates a co-editing session for a document. After establishing a co-editing session for a first user and a second user to co-edit a document, a first modification of the document is received from the first user. A second modification of the document, which eliminates the first modification, is subsequently received from the second user. In response to a quantity of subsequent modifications, after the first and second modifications, exceeding a predetermined value, an action is initiated to prevent further modifications to the document. | 09-18-2014 |
20140282827 | METHOD AND APPARATUS FOR SECURE DATA TRANSFER PERMISSION HANDLING - A vehicle-based system includes a processor configured to receive policy table updates issued from a remote server. The processor is further configured to update a local policy table based on the updates. The processor is additionally configured to receive a request from a remote application for data access. The processor is further configured to determine, based on the local policy table, if the data access requires user consent. The processor is also configured to determine if required consent is stored in the local policy table and provide data access to the remote application based on stored required consent. | 09-18-2014 |
20140282828 | Data Access Sharing - Data access sharing may be provided. Requests may be received to display a data item associated with a list of data items. Upon determining whether a property of the data item is restricted by an access control policy, the property may be modified prior to rendering a display of the data item. | 09-18-2014 |
20140282829 | INCREMENTAL COMPLIANCE REMEDIATION - Disclosed are various embodiments for enforcing device compliance parameters by inhibiting access to devices, networks or resources. Methods may include associating a compliance rule with a client device. If the compliance rule is violated, a setting associated with the client device may be altered. The altered setting may inhibit access to the client device, a network, a client device resource and/or a network resource. For example, necessary password complexities may be increased, password lifetimes may be decreased and/or resources may be restricted based on a geofence, a time of day and/or a day of the week. | 09-18-2014 |
20140282830 | Firewall Packet Filtering - Mechanisms are provided for performing an operation on a received data packet. A data packet is received and a hash operation on a header field value of a header of the data packet is performed to generate a hash value. A lookup operation is performed in a hash table associated with a type of the header field value to identify a hash table entry. A bit string associated with the hash table entry is retrieved, where each bit in the bit string corresponds to a class of rules of a rule set of a firewall. A matching operation of the header field value to rules in classes of rules corresponding to bits set in the bit string is performed to select one or more search trees. Operations are performed based on rules in the classes of rules being matched by header field value of the data packet. | 09-18-2014 |
20140282831 | Dynamic policy-based entitlements from external data repositories - A machine-implemented method for evaluating a context-based (e.g., XACML) policy having a set of attributes formulates a search against one or more existing external repositories using a query that is dynamically-generated based on the security policy being evaluated. The approach shifts the building of a candidate set of potentially-allowable resources to the authorization engine (e.g., a Policy Decision Point (PDP)). In operation, an application calls the PDP using an entitlement request and, in response, the PDP builds the candidate set of values based on the defined security policy by generating a query to an external data repository and receiving the results of that query. This approach enables a policy-driven entitlement query at runtime. | 09-18-2014 |
20140282832 | METHOD, APPARATUS, SYSTEM, AND COMPUTER READABLE MEDIUM FOR PROVIDING APPARATUS SECURITY - Technologies are provided in embodiments for receiving policy information associated with at least one security exception, the security exception relating to execution of at least one program, determining an operation associated with the security exception based, at least in part, on the policy information, and causing the operation to be performed, based at least in part, on a determination that the at least one security exception occurred. | 09-18-2014 |
20140282833 | Methods, Systems and Machine-Readable Media For Providing Security Services - Systems, methods and machine-readable media for providing a security service are disclosed. The methods include receiving a modification of the application object code to allow the software application to transmit a request for the security service; retrieving the modified application object code corresponding to the software application from memory; receiving, via a processor, the request for the security service from the modified application object code; and providing, via the processor, the security service. The systems and machine-readable media perform operations according to the disclosed methods. | 09-18-2014 |
20140282834 | MANAGING EXCHANGES OF SENSITIVE DATA - A method, system or computer usable program product for managing exchanges of sensitive data including utilizing a processor to request a service across a network from an application, the service requiring a disclosure of a first set of sensitive data by the application; providing a set of certified policy commitments regarding the first set of sensitive data to the application for a determination of acceptability; and upon a positive determination, receiving the service including the disclosure of the first set of sensitive data. | 09-18-2014 |
20140282835 | MANAGING DATA HANDLING POLICIES - A method, computer usable program product or system for automatically sharing a set of sensitive data in accordance with a set of predetermined policy requirements including receiving across a network a set of certified policy commitments for a node; authenticating the set of certified policy commitments; utilizing a processor to automatically determine whether the set of certified policy commitments satisfies the set of predetermined policy requirements; and upon a positive determination, transmitting across the network the set of sensitive data to the node. | 09-18-2014 |
20140282836 | ENTERPRISE DEVICE POLICY MANAGEMENT - When receiving multiple security policy configurations from different management sources, a computer device can apply the most secure of the policy configurations to the device. If one of the policy configurations is removed from the device, a determination can be made regarding which of the remaining security policy configurations is the most secure. Once the determination is made, one of the remaining security policies that is the most secure is applied. | 09-18-2014 |
20140282837 | PRIVACY VERIFICATION TOOL - Systems and methods for protecting the privacy of users by controlling access to the users' data. In particular, some embodiments provide for a higher-level declarative language for expressing privacy policies which can be verified using a computer-aided verification tool. The verification tool uses the expressed privacy policies along with language-level assumptions and assertions in the verification process. For example, high-level models of the privacy policies can be reduced to a simpler verification representation (e.g., a Boolean representation) based on a set of assertions. This verification representation can then be submitted to a constraint solver (e.g., Satisfiability Modulo Theories solver) for verification. | 09-18-2014 |
20140282838 | MANAGING DATA HANDLING POLICIES - A method, computer usable program product or system for automatically obtaining a set of sensitive data in accordance with a set of predetermined policy commitments including sending across a network the set of certified policy commitments to a node for authentication and a determination whether the set of certified policy commitments satisfies a set of predetermined policy requirements, and upon a positive determination, receiving across the network the set of sensitive data from the node. | 09-18-2014 |
20140282839 | UNIFIED ENTERPRISE DEVICE ENROLLMENT - A unified enrollment client is described that allows authentication and communication with disparate enterprise management source types. A first enterprise management source type can have a corporate-based management server which is on the premises of the corporation. A second enterprise management source type can have a cloud-based management server in which a corporate server communicates through a federation gateway to a cloud-based management server. Authentication can be handled regardless of the source type through the use of a discovery request which identifies the source type so that the enrollment client knows how to tailor the authentication, if any is needed, to the particular enterprise management source. | 09-18-2014 |
20140282840 | MANAGING DATA HANDLING POLICIES - A method, computer usable program product or system for automatically enabling the sharing of a set of sensitive data between a first node and a second node in accordance with a set of predetermined policy requirements including providing across a network a set of certified policy commitments for a first node suitable for authentication by the second node and suitable for automatically determining whether the set of certified policy commitments satisfies the set of predetermined policy requirements by the second node, and providing a public key of a certifying authority upon request to the second node. | 09-18-2014 |
20140282841 | METHOD AND SYSTEM FOR MANAGING SERVICE REQUESTS IN A CONNECTED VEHICLE - A method and system for managing service requests to a vehicle connected to a portable device, including receiving at the portable device a service request from a requesting party and determining a connectivity status of the portable device. An access rule enabling processing of the request is obtained based on an identity of the requesting party and the connectivity status. The request and the access rule are redirected to a vehicle bus interface for processing the request, where the vehicle bus interface restricts access to vehicle data based on the access rule. | 09-18-2014 |
20140282842 | USER CENTRIC METHOD AND ADAPTOR FOR DIGITAL RIGHTS MANAGEMENT SYSTEM - A method for managing users' digital rights to documents protected by digital rights management (DRM), comprising the steps of a rights management system (RMS) server receiving a request from a user for accessing a DRM-protected document, and the RMS server executing a user centric adaptor (UCA) module to check in a UCA database under the user's identification (ID) whether one of a limited number of predetermined policies of digital rights is added to the user's ID, whereas if the user's rights to the document are not revoked by deletion of a predetermined policy under the user's ID in the UCA database, then the UCA module does not block granting the user's request. | 09-18-2014 |
20140282843 | CREATING AND MANAGING A NETWORK SECURITY TAG - An apparatus, computer readable medium, and method are provided in one example embodiment and include a network device, an analysis module, and a tag module. The analysis module may be configured to perform a number of actions on the network data to identify network information about the network data. The tag module may be configured to determine whether a destination for the network data is within a set of destinations; and responsive to a determination that the destination for the network data is within the set of destinations: generate a metadata tag based on the network information, associate the metadata tag with the network data, and transmit the network information and the metadata tag. | 09-18-2014 |
20140282844 | MANAGING DATA IN A CLOUD COMPUTING ENVIRONMENT USING MANAGEMENT METADATA - Computer-readable storage medium, apparatus and method associated with management of data elements in a cloud computing environment are disclosed herein. In embodiments, one or more computer-readable storage medium may contain instructions which when executed by a computing apparatus may facilitate a user in managing the user's data elements in a cloud computing environment. In embodiments, this may be accomplished through the use of management metadata associated with the user's data elements. Other embodiments may be described and/or claimed. | 09-18-2014 |
20140282845 | IMPLEMENTING SECURITY IN A SOCIAL APPLICATION - Implementing security in social applications includes inferring a closeness level of a connection to a user's profile of a social application based on a closeness policy and implementing a security level individualized to the connection based on the closeness level. | 09-18-2014 |
20140282846 | SECONDARY DEVICE AS KEY FOR AUTHORIZING ACCESS TO RESOURCES - A secondary device may be used to provide access to resources to a primary device. Upon receiving an authorization indication at a device, a registration key based on the authorization indication, a user identifier, and a property of the device may be created. Upon determining whether access to at least one resource is permitted according to the registration key, the device may be permitted to access the at least one resource. | 09-18-2014 |
20140282847 | SYSTEMS AND METHODS FOR PRE-SIGNING OF DNSSEC ENABLED ZONES INTO RECORD SETS - Implementations relate to systems and methods for pre-signing of DNSSEC enabled zones into record sets. A domain name system (DNS) can receive and/or impose a set of DNS policies desired by an administrator, or the DNS operator itself to govern domain name resolution with security extensions (DNSSEC) for a Web domain. The DNS can generate a set of answers to user questions directed to the domain based on the set of policies. Those answers which differ or vary based on policy rules can be stored as variant answers, and can be labeled with a variant ID. The variant answers can be pre-signed and stored in the DNS. Because key data and other information is generated and stored before a DNS request is received, the requested variant answer can be returned with greater responsiveness and security. | 09-18-2014 |
20140282848 | System and Method to Provide Management of Test Data at Various Lifecycle Stages - Disclosed is a method and system to provide management of test data, the management performed during at least one stage associated with the lifecycle of the test data. The system comprises a processing engine, a categorization module, a privacy regulation module, a meta-data analyzer, and an output generation module. The processing engine is configured to generate the test data in response to a test data request. The processing engine further comprises the categorization module configured to categorize the test data request. The processing engine further comprises the privacy regulation module configured to model at least one privacy regulation in accordance with a geographical location and an enterprise domain. The processing engine further comprises the meta-data analyzer configured to analyze an imported meta-data. The system further comprises the output generation module configured to provide the test data so requested. | 09-18-2014 |
20140282849 | SYSTEM AND METHOD FOR TRANSPARENTLY INJECTING POLICY IN A PLATFORM AS A SERVICE INFRASTRUCTURE - A system and method for enforcing policy in a computing environment with a plurality of hosts that includes establishing a policy update specified through a namespaced addressing syntax; publishing the policy update to a set of components associated with a referenced component namespace; at a host of the set of components, authenticating the policy update; at the host, locally verifying policy compliance of an operation request by the host directed towards at least a second component; applying results of verifying the policy compliance of the operation request within a communication channel flow, which comprises routing the operational request through the communication channel to the second component if the operational request is permitted and preventing the operational request if the operational request is not permitted. | 09-18-2014 |
20140282850 | INDUSTRIAL NETWORK SECURITY - A private overlay network is introduced into an existing core network infrastructure to control information flow between private secure environments. Such a scheme can be used to connect a factory automation network linking operations devices to a corporate network linking various business units, with enhanced network security. Such a connection can be facilitated by introducing into the existing infrastructure a set of industrial security appliances (ISAs) that work together to create an encrypted tunnel between the two networks. The set of ISAs can be scalable to overlay differently sized core networks, to create the private overlay network. Connections to the private overlay network can be managed by the ISAs in a distributed fashion, implementing a peer-to-peer dynamic mesh policy. The industrial security system disclosed may be particularly advantageous in environments such as public utility systems, medical facilities, and energy delivery systems. | 09-18-2014 |
20140282851 | CONTENT AND SERVICE AGGREGATION, MANAGEMENT AND PRESENTATION SYSTEM - Techniques for facilitating discovery and usage of digital content and services include accessing a stored rights profile of a user and determining access privileges of the user to content items or services provided by various sources. Based on the access privileges of the user, multiple access options are determined to a content item or to a service available to the user. The multiple access options include access options for accessing the content item or the service from different sources. The access options are presented to a user and a selection of an access option is received from the user. Stored business rules for the source are accessed, which identify a consumption mode specified by the source for enabling users to consume content items or services provided by the source. The user is enabled to perceive the content item or receive the service in accordance with the consumption mode. | 09-18-2014 |
20140282852 | USER-CONTROLLED CENTRALIZED PRIVACY MARKETPLACE SYSTEM - A system for managing personal information of a user includes: a personal information database including personal information records of the user including data associated with the user, wherein a user is associated with a data policy including at least one permission for an accessing party to interact with a personal information record; and a data access module that receives and responds to requests from an accessing party, wherein a request may be one of: a read request specifying a personal information record to be read; and a write request specifying personal information to be written to a personal information record to be written, wherein in response to a request, the data access module responds with the personal information record to be read, or updates the personal information record to be written in the personal information database, if permitted by the privacy policy for the personal information record. | 09-18-2014 |
20140282853 | MOBILE INFORMATION MANAGEMENT METHODS AND SYSTEMS - A system and method are disclosed for mobile information management using a code injection approach. The method for information management of applications includes the steps of: receiving, by a computer, one or more compiled applications, and receiving, by a computer, one or more security policies, wherein each security policy indicates one or more use cases and one or more security actions associated with each use case. The method also includes the step of associating the received applications with the one or more received security policies. Additionally, the method includes the step of automatically wrapping the received applications with the associated security policy using a code injection script. | 09-18-2014 |
20140282854 | SYSTEM AND METHOD FOR MODELING A NETWORKING DEVICE POLICY - Implementations of the present disclosure involve a system and/or method for modeling a networking device policy or set of rules and/or transforming a networking device policy model into a set of comprehensible rules for presentation to a manager of the device. In one embodiment, the system and/or method includes converting one or more rules of the firewall device into a string of representative bits, creating a binary decision diagram from the converted rules of the firewall policy, transforming the binary decision diagram into a ternary tree diagram and analyzing the ternary tree diagram to condense the firewall policy into one or more rules comprehensible by a user of the firewall. | 09-18-2014 |
20140282855 | MODELING NETWORK DEVICES FOR BEHAVIOR ANALYSIS - Implementations of the present disclosure involve a system and/or method for modeling a firewall function and operation such that software based analysis and other formal analysis methods may be used with the model. In one embodiment, the system and/or method includes modeling the function of a firewall as a set of links, ingress/egress interfaces, interface switches and behaviors chained together into a spanning graph. The spanning graph may then be used in conjunction with data structures, such as a Firewall Policy Diagram, to illustrate pathways through a network for a communication packet. This system and/or method allows for the understanding of a firewall policy such that the policy can be replicated among various firewalls in the network at issue. | 09-18-2014 |
20140282856 | RULE OPTIMIZATION FOR CLASSIFICATION AND DETECTION - This disclosure describes methods, systems, and computer-program products for determining classification rules to use within a fraud detection system. The classification rules are determined by accessing distributional data representing a distribution of historical transactional events over a multivariate observational sample space defined with respect to multiple transactional variables. Each of the transactional events is represented by data with respect to each of the variables, and the distributional data is organized with respect to multi-dimensional subspaces of the sample space. A classification rule that references at least one of the subspaces is accessed, and the rule is modified using local optimization applied using the distributional data. A pending transaction is classified based on the modified classification rule and the transactional data. | 09-18-2014 |
20140282857 | SYSTEMS AND METHODS TO SYNCHRONIZE DATA TO A MOBILE DEVICE BASED ON A DEVICE USAGE CONTEXT - A method, system, and computer-readable medium for synchronizing policy data on a device based on device usage context. By synchronizing policy data on the device based on device usage context, security, bandwidth and energy efficiency concerns associated with the current data synchronization art are addressed by intelligently organizing and prioritizing the updating of policy data in compliance with policy data. | 09-18-2014 |
20140282858 | Secure Personal Content Server - A local content server system (LCS) for creating a secure environment for digital content is disclosed, which system comprises: a communications port in communication for connecting the LCS via a network to at least one Secure Electronic Content Distributor (SECD), which SECD is capable of storing a plurality of data sets, is capable of receiving a request to transfer at least one content data set, and is capable of transmitting the at least one content data set in a secured transmission; a rewritable storage medium whereby content received from outside the LCS may be stored and retrieved; a domain processor that imposes rules and procedures for content being transferred between the LCS and devices outside the LCS; and a programmable address module which can be programmed with an identification code uniquely associated with the LCS. The LCS is provided with rules and procedures for accepting and transmitting content data. | 09-18-2014 |
20140282859 | TOKEN BASED MULTIFACTOR AUTHENTICATION - A multifactor authentication (MFA) enforcement server provides multifactor authentication services to users and existing services. During registration, the MFA enforcement server changes a user's password on an existing service to a password unknown to the user. During normal usage when the user accesses the existing service through the MFA enforcement server, the MFA enforcement server enforces a multifactor authentication enforcement policy. | 09-18-2014 |
20140282860 | METHOD AND APPARATUS FOR CONFIGURING COMMUNICATION PARAMETERS ON A WIRELESS DEVICE - A method and apparatus for configuring communication parameters of a first wireless device having an established communication connection includes communicating with a wireless access point using communication parameters based on a selected first security policy; receiving information from the wireless access point regarding one or more second wireless devices connected to the wireless access point; selecting a second security policy to apply to the first wireless device based on the information received from the wireless access point; adjusting the one or more communication parameters of the first wireless device based on the second security policy; and communicating with the wireless access point using the adjusted communication parameters. | 09-18-2014 |
20140282861 | SYSTEM AND METHOD FOR ADAPTING AN INTERNET FILTER - A system and method for updating a filtering system which controls access to a website/page between a local area network (LAN) and an Internet. The LAN includes an Internet gateway system coupled to a workstation and configured to receive a URL request. The system controls access to the website/page associated with the URL based on one or more categories that are associated with the URL. The Internet gateway system can determine the category that is associated with the URL by referencing a master database or requesting the category from a database factory. The database factory can receive URLs from multiple Internet gateway systems. The database factory determines whether the identifier was previously categorized by the database factory and provides the category to the Internet gateway system. Once the Internet gateway system has the category, it applies rules associated with the category and user to filter access to the requested website/page. | 09-18-2014 |
20140282862 | Browser Device Access Proxy - In a web browser ( | 09-18-2014 |
20140289789 | CLOUD BASED REAL TIME APP PRIVACY DASHBOARD - A method of operating an electronic device comprises detecting access to private information stored in memory of the electronic device. The detecting is performed by a privacy management module downloadable to the electronic device as object code for execution on the electronic device and the access is performed by a client application program. The method further comprises tracking, using the privacy management module, the private information being accessed by the client application program, and reconfiguring the electronic device, using the privacy management module, to change the access to the private information by the client application program according to at least one privacy access policy stored in the electronic device. | 09-25-2014 |
20140289790 | SYSTEM AND METHOD FOR ADAPTIVE APPLICATION OF AUTHENTICATION POLICIES - A system, apparatus, method, and machine readable medium are described for adaptively implementing an authentication policy. For example, one embodiment of a method comprises: detecting a user of a client attempting to perform a current interaction with a relying party; and responsively identifying a first interaction class for the current interaction based on variables associated with the current interaction and implementing a set of one or more authentication rules associated with the first interaction class. | 09-25-2014 |
20140289791 | NETWORK-LEVEL ACCESS CONTROL MANAGEMENT FOR THE CLOUD - A cloud access manager obtains input regarding access control for at least one application deployed on a plurality of virtual machine instances in a cloud computing environment; the virtual machine instances are divided into at least first and second access zones. A cloud access manager registrar located in the cloud computing environment registers internet protocol addresses of external clients as seen from the cloud computing environment; at least some of the addresses are assigned to the clients via network address translation (NAT). Session traversal utility for NAT (STUN) is carried out to determine public internet protocol addresses assigned to the clients via NAT. The cloud access manager controls (i) access of the external clients to the plurality of virtual machine instances; and (ii) access of the plurality of virtual machine instances to each other, based on the registered internet protocol addresses, in accordance with the access zones. | 09-25-2014 |
20140289792 | SYSTEMS AND METHODS FOR UTILIZING UNI-DIRECTIONAL INTER-HOST COMMUNICATION IN AN AIR GAP ENVIRONMENT - A request message is generated with a trusted network entity executing trusted code on a first network layer. The request message targets a non-trusted network entity executing non-trusted code on a second network layer. The request message is transmitted from the trusted network entity to the non-trusted network entity through at least a policy enforcement entity. The policy enforcement entity applies one or more network traffic rules to enforce a unidirectional flow of traffic from the first network layer to the second network layer. A response check message is generated with the trusted network entity. The response check message determines whether response information is available on the non-trusted network entity in response to the request message. The response check message is transmitted from the trusted network entity to the non-trusted network entity through at least the policy enforcement entity. The response check message determines whether the response information is stored in a conceptual mailbox on the non-trusted network entity. | 09-25-2014 |
20140289793 | GRANULAR RISK EXPRESSION - Systems and methods for granularly expressing risk associated with computing resources of a computing system are described. A resource detail interface may be provided that includes a permission list identifying a permission to a computing resource of the computing system. A review flag of the permission is configurable at the resource detail interface in response to input received at the interface. The review flag may be set based on the input received at the resource detail interface to indicate whether review of the permission is required. A resource review interface may display a list of pending reviews of access rights, and a decision for a review may be received at the resource review interface. A review of an access right may be created in response to a determination that a computing resource permission associated with the access right requires review. | 09-25-2014 |
20140289794 | COMMUNICATIONS DEVICE WITH SECURE DATA PATH PROCESSING AGENTS - A network system comprising memory configured to store a device communication activity policy, and a policy verification processor configured to (a) receive a device data record over a trusted communication link between the network system and a device data record generator on a communications device, the device data record comprising information about a data communications activity by the communications device, the information configured to assist the policy verification processor in determining whether the communications device is operating or has operated in accordance with the device communication activity policy, (b) determine, based on the device data record, whether the communications device is operating or has operated in accordance with the device communication activity policy, and (c) upon determining that the communications device is not operating or has not operated in accordance with the device communication activity policy, initiate an error handling action. | 09-25-2014 |
20140289795 | UPDATING SYSTEM BEHAVIOR DYNAMICALLY USING FEATURE EXPRESSIONS AND FEATURE LOOPS - Behavior of an online system is modified dynamically using feature expressions and feature loops. A feature expression can be expressed as a combination of other features or feature expressions, thereby allowing specification of complex features. The sets of feature expressions and policies of an online system can be modified while the online system is running. Feature loops aggregate values of a feature expression across a plurality of actions, for example, number of occurrences of an event over a time interval. The online system evaluates a set of feature expressions in response to actions performed by users. Feature expressions are used to specify policies that determine how the online system reacts to certain types of user actions. The ability to dynamically modify the feature expressions and policies of the online system allows the online system to adapt to attacks by malicious users in a timely manner. | 09-25-2014 |
20140298398 | SELF-PROVISIONING ACCESS CONTROL - A processor-implemented access control method includes receiving credential and policy directory information to configure an access controller to allow self-provisioning of the access controller through periodic, automated query of the directory by the access controller; acquiring, from the directory, credential and policy information for one or more individuals who may require access; storing in a local cache the acquired credential and policy information; receiving an access request to allow an individual access; comparing the access request to the credential and policy information in the cache; and when the comparison indicates a match, granting the individual access. | 10-02-2014 |
20140298399 | APPARATUS AND METHOD FOR DETECTING ANOMALITY SIGN IN CONTROL SYSTEM - An apparatus for detecting an abnormality sign in a control system, the control system comprising control equipment, network equipment, security equipment or server equipment, the apparatus includes an information collection module configured to collect system information, network information, security event information or transaction information in interworking with the control equipment, network equipment, security equipment or server equipment. The apparatus includes a storage module that stores the information collected by the information collection module. The apparatus includes an abnormality detection module configured to analyze a correlation between the collected information and a prescribed security policy to detect whether there is an abnormality sign in the control system. | 10-02-2014 |
20140298400 | PROVIDING AN ENTERPRISE APPLICATION STORE - Methods, systems, and computer-readable media for providing an application store are presented. In some embodiments, a request for a software application may be received at an application store. Subsequently, the software application may be configured, at the application store, based on a single sign-on credential. The configured software application then may be provided, by the application store, to at least one recipient device associated with the single sign-on credential. | 10-02-2014 |
20140298401 | PROVIDING AN ENTERPRISE APPLICATION STORE - Methods, systems, and computer-readable media for providing an application store are presented. In some embodiments, authentication credentials of an administrative user of an application store may be received at the application store. Based on validating the authentication credentials of the administrative user, a mobile service management interface may be provided via the application store. In addition, the mobile service management interface may include at least one control that is configured to allow the administrative user to define one or more policies to be applied to at least one application that is available in the application store. | 10-02-2014 |
20140298402 | Data Management for an Application with Multiple Operation Modes - A method and system for managing an application with multiple modes are described. A device manager that manages a mobile device may monitor the mobile device. The device manager may detect that a first type of application that runs in a managed mode (or in multiple managed modes) and an unmanaged mode is installed on the mobile device. When the application is executed on the device, the application executes in accordance with the selected application mode, e.g., based on location, user, role, industry presence, or other predefined context. | 10-02-2014 |
20140298403 | PROVIDING MOBILE DEVICE MANAGEMENT FUNCTIONALITIES - Methods, systems, computer-readable media, and apparatuses for providing mobile device management functionalities are presented. In various embodiments, a mobile device management agent may monitor state information associated with a mobile computing device. The monitored state information may be analyzed on the mobile computing device and/or by one or more policy management servers. In some instances, the one or more policy management servers may provide management information to the mobile computing device, and the management information may include one or more commands (which may, e.g., cause the mobile computing device to enforce one or more policies) and/or one or more policy updates. Subsequently, one or more policies may be enforced on the mobile computing device based on the monitored state information and/or based on the management information. | 10-02-2014 |
20140298404 | PROVIDING A MANAGED BROWSER - Methods, systems, computer-readable media, and apparatuses for providing a managed browser are presented. In various embodiments, a computing device may load a managed browser. The managed browser may, for instance, be configured to provide a managed mode in which one or more policies are applied to the managed browser, and an unmanaged mode in which such policies might not be applied and/or in which the browser might not be managed by at least one device manager agent running on the computing device. Based on device state information and/or one or more policies, the managed browser may switch between the managed mode and the unmanaged mode, and the managed browser may provide various functionalities, which may include selectively providing access to enterprise resources, based on such state information and/or the one or more policies. | 10-02-2014 |
20140298405 | PROVIDING A MANAGED BROWSER - Methods, systems, computer-readable media, and apparatuses for providing a managed browser are presented. In various embodiments, a computing device may load a managed browser. The managed browser may, for instance, be configured to provide a managed mode in which one or more policies are applied to the managed browser, and an unmanaged mode in which such policies might not be applied and/or in which the browser might not be managed by at least one device manager agent running on the computing device. Based on device state information and/or one or more policies, the managed browser may switch between the managed mode and the unmanaged mode, and the managed browser may provide various functionalities, which may include selectively providing access to enterprise resources, based on such state information and/or the one or more policies. | 10-02-2014 |
20140298406 | METHOD FOR SHARING A MEDIA COLLECTION IN A NETWORK ENVIRONMENT - In one aspect, the present disclosure provides for the accessing and playing of media files having differing associated rights such as non-DRM media files, purchased and downloaded media files, subscription download files such as tethered downloads, and subscription streamed DRM files. In one embodiment, the present disclosure provides a method and user interface for sharing a media collection among computing devices in communication via a network. In one embodiment, the disclosed method allows access and playback, from each computing device on a network, of all media files in a media collection, regardless of their associated rights. | 10-02-2014 |
20140298407 | FEDERATED ROLE PROVISIONING - In various embodiments, techniques for federated role provisioning are provided. A federated role definition for a resource is constructed and distributed. The federated role definition includes a role hierarchy having role assignments and constraints for dynamically resolving and binding a resource to particular ones of the role assignments. A resource may have role assignments statically bound to its identity and dynamically bound to its identity. Furthermore, some role assignments may be inherited from the role hierarchy. | 10-02-2014 |
20140298408 | Method For Enforcing Resource Access Control In Computer Systems - A method and system for enforcing access control to system resources and assets. Security attributes associated with devices that initiate transactions in the system are automatically generated and forwarded with transaction messages. The security attributes convey access privileges assigned to each initiator. One or more security enforcement mechanisms are implemented in the system to evaluate the security attributes against access policy requirements to access various system assets and resources, such as memory, registers, address ranges, etc. If the privileges identified by the security attributes indicate the access request is permitted, the transaction is allowed to proceed. The security attributes of the initiator scheme provides a modular, consistent secure access enforcement scheme across system designs. | 10-02-2014 |
20140298409 | Secure Processing of Secure Information in a Non-Secure Environment - A secured process sourcing and work management system for processing secure information in a non-secure environment is disclosed. The system permits a user, referred to herein as a customer or requestor, to submit a project, involving a human intelligence task (“HIT”), referred to as a task or task specification, to be performed with respect to secure, confidential or sensitive information, referred to herein as secure information, and have that project completed in a non-secure environment without compromising the security, confidentiality or sensitivity of the secure information. The system may be incorporated into the requestor's workflow, receiving projects therefrom and providing the results thereto. Further, a system is disclosed for implementing a processing workflow for such tasks, the system permitting, based on projects submitted by requestors, the “posting” or distribution of jobs, and subsequent management thereof, to be performed by a workforce operating in or via a non-secure-environment, while protecting the underlying security, confidentiality or sensitivity of the overall project. | 10-02-2014 |
20140298410 | SYSTEMS AND METHODS FOR PROXYING COOKIES FOR SSL VPN CLIENTLESS SESSIONS - The present application enables the enterprise to configure various policies to address various subsets of the traffic based on various information relating to the client, the server, or the details and nature of the interactions between the client and the server. An intermediary deployed between clients and servers may establish an SSL VPN session between a client and a server. The intermediary may receive a response from a server to a request of a client via the clientless SSL VPN session. The response may comprise one or more cookies. The intermediary may identify an access profile for the clientless SSL VPN session. The access profile may identify one or more policies for proxying cookies. The intermediary may determine, responsive to the one or more policies of the access profile, whether to proxy or bypass proxying for the client the one or more cookies. | 10-02-2014 |
20140304761 | INTERCEPTION OF CONTROLLED FUNCTIONS - Briefly, in accordance with one embodiment of the invention, a plug-in type application may intercept called functions in order to implement one or more security or digital rights management type settings, and/or one or more policies for a given document where such functions may be restricted, prohibited, and/or otherwise controlled. Patch code may be integrated with such controlled functions to modify the behavior of the function when executed in order to comply with the security or digital rights management setting, and/or one or more policies. | 10-09-2014 |
20140304762 | System and Method For Distributing Rights-Protected Content - Various embodiments of a method and system for a content distribution mechanism. A content distribution mechanism is implemented to receive rights-protected content. Access to the rights-protected content is controlled according to a policy via a policy server. The distribution mechanism may receive an attempt to forward the rights-protected content to one or more recipients that do not currently have access to the rights-protected content. The distribution mechanism may hold the document and send a message requesting access rights to the rights-protected content for the recipient(s). In some embodiments, the distribution mechanism may send the message to a policy server. In other embodiments, the distribution mechanism may send the message to a policy administrator. Upon receiving acknowledgement that the recipient(s) have been granted access rights to the content, the distribution mechanism may forward the rights-protected content to the recipient(s). | 10-09-2014 |
20140304763 | Secure Socket Policy Files For Establishing Secure Socket Connections - Exemplary embodiments involve a computing system requesting and receiving a socket policy file from a policy file server via a secure socket connection, identifying that the security policy requires communicating with a content server via a secure socket connection, and communicating with the content server via a second secure socket connection. The socket policy file specifies a security policy governing socket connections to a content server over a transport protocol layer. Additional embodiments involve requesting a socket policy file via a non-secure socket connection, receiving (via the non-secure socket connection) a placeholder socket policy file requiring requests for socket policy files to be communicated via a secure socket connection, establishing a secure socket connection with the policy file server, and submitting a request for the socket policy file to the policy file server via the secure socket connection. | 10-09-2014 |
20140304764 | METHOD AND APPARATUS FOR INTEGRATING SECURITY CONTEXT IN NETWORK ROUTING DECISIONS - An apparatus identifies a request from a user device to access data on a storage server. The apparatus determines a sensitivity level of response data for a response to the request, security context of the response, and a routing action to perform for the response by applying a policy to the sensitivity level of the response data and the security context of the response. The apparatus executes the routing action for the response. | 10-09-2014 |
20140304765 | Identity-Based Internet Protocol Networking - A network architecture that eliminates anonymous traffic, reduces a threat surface, and enforces policies is described herein. A method based on this network architecture includes receiving, by a processor, an IP packet entering a network, inserting, by the processor, an identity-based internet protocol (IMP) shim between a header and a body of the IP packet and incorporating, by the processor, an identity of a source and a destination of the IP packet in the shim. | 10-09-2014 |
20140304766 | METHOD AND APPARATUS FOR PROTECTING ACCESS TO CORPORATE APPLICATIONS FROM A MOBILE DEVICE - A computer-implemented method, apparatus and computer program product for providing secure consumption of applications from mobile devices. The method comprises receiving a security policy associated with usage of an application by a user using a mobile device, the security policy comprising at least one vulnerability indication; receiving at least partial code of the application; identifying at least one JavaScript instruction in the code, the at least one JavaScript instruction associated with the security vulnerability; and adding additional JavaScript instructions to the code for handling the security vulnerability. | 10-09-2014 |
20140304767 | POLICY-BASED SELECTION OF REMEDIATION - Methods and systems for remediating a security policy violation on a computer system are provided. According to one embodiment, information regarding a program-code-based operational state of a computer system is periodically sampled. A determination is made regarding whether the program-code-based operational state represents a violation of a security policy by evaluating the information with respect to multiple security policies, each of which defines at least one parameter condition, violation of which is potentially indicative of unauthorized activity on the computer system or manipulation of the computer system to make the computer system vulnerable to attack. When a violation exists, a remediation is identified and deployed to the computer system. The violation is based at least in part on one or more of: whether a particular process is running; the existence, version or status of a particular application; and a version, type or configuration of an operating system installed. | 10-09-2014 |
20140304768 | SECURITY AND PRIVACY ENHANCEMENTS FOR SECURITY DEVICES - A tamper-resistant security device, such as a subscriber identity module or equivalent, has an AKA (Authentication and Key Agreement) module for performing an AKA process with a security key stored in the device, as well as means for external communication. The tamper-resistant security device includes an application that cooperates with the AKA module and an internal interface for communications between the AKA module and the application. The application cooperating with the AKA module is preferably a security and/or privacy enhancing application. For increased security, the security device may also detect whether it is operated in its normal secure environment or a foreign less secure environment and set access rights to resident files or commands that could expose the AKA process or corresponding parameters accordingly. | 10-09-2014 |
20140304769 | DISTRIBUTED AUTHENTICATION, AUTHORIZATION AND ACCOUNTING - In some embodiments, computer systems, storage mediums, and methods are provided for controlling a connecting device's access to a plurality of computer networks. In other embodiments, the provided computer systems, storage mediums, and methods may provide for authentication, authorization, and accounting of connecting devices connecting to a plurality of computer networks. In other embodiments, the provided computer systems, storage mediums, and methods may provide for the distribution of authentication routing data and authorization policies among a plurality of computer networks. In yet other embodiments, the provided computer systems, storage mediums, and methods may provide for the distribution of accounting among a plurality of computer networks. | 10-09-2014 |
20140310763 | DETERMINING SECURITY FACTORS ASSOCIATED WITH AN OPERATING ENVIRONMENT - Embodiments of the present invention disclose a method, computer program product, and system for determining security factors associated with an operating environment for a computer through a wireless network. The computer identifies one or more local computers operating within range of wireless communications to the computer through a wireless network. The computer determines a current operating environment corresponding to the one or more identified local computers. The computer determines a current security value for the current operating environment corresponding to identities and security of the identified local computers. The computer identifies data corresponding to the current operating environment, the data corresponding to a current time period of the current operating environment. The computer determines security information corresponding to the current operating environment, wherein the security information includes a familiarity of the computer to the current operating environment, and a historical security of the computer in the current operating environment. | 10-16-2014 |
20140310764 | METHOD AND APPARATUS FOR PROVIDING USER AUTHENTICATION AND IDENTIFICATION BASED ON GESTURES - An approach is provided for authenticating and/or identifying a user through gestures. A plurality of media data sets of a user performing a sequence of gestures are captured. The media data sets are analyzed to determine the sequence of gestures. Authentication of the user is performed based on the sequence of gestures. | 10-16-2014 |
20140310765 | On-Demand Security Policy Activation - On-demand activation of a security policy may be provided. Upon receiving a selection of a link, a profile identified by a security policy associated with the link may be activated and the link may be opened according to the security policy. In some embodiments, opening the link according to the security policy may comprise redirecting the opening of the link from a first application to a second application. | 10-16-2014 |
20140310766 | System, Method and Computer Program Product For An Authentication Management Infrastructure - A system and method for allowing a user to access enterprise resources comprising authentication devices and an authentication server. The authentication devices allow a user to enter authentication data. The authentication server is in communication with the authentication devices. The authentication server comprises a policy database storing a policy. The policy comprises guidelines, including a first guideline that establishes a qualification necessary for the user to access enterprise resources and a second guideline that establishes a qualification necessary for the user to activate a silent signal. The authentication server is adapted to request assistance for the user if the silent signal is activated. | 10-16-2014 |
20140310767 | SECURITY MANAGEMENT SYSTEM, INPUT APPARATUS, SECURITY MANAGEMENT METHOD, AND RECORDING MEDIUM - A security management system managing security of plural types of client apparatuses which are mutually connected to each other via a network, includes an acquisition unit acquiring or receiving information which is used to change a security level of any of the client apparatuses; a determination unit determining a specific client apparatus whose security setting value is to be changed and a security setting value to be applied to the specific client apparatus, in response to the acquired or received information to change the security level of any of the client apparatuses, based on a definition table defining the security levels of the plural types of client apparatuses; and a notification unit notifying the specific client apparatus of the security setting value to be applied to the specific client apparatus. | 10-16-2014 |
20140310768 | SYSTEM AND METHOD FOR ENFORCING ROLE MEMBERSHIP REMOVAL REQUIREMENTS - System and method for enforcing role membership removal requirements are described. In one embodiment, the method includes, responsive to receipt of a removal request, performing a role evaluation of the removal request to generate a policy request; performing a policy evaluation of the policy request; generating a policy response in accordance with the policy evaluation; and enforcing the policy response. | 10-16-2014 |
20140310769 | TECHNIQUES FOR DELEGATION OF ACCESS PRIVILEGES - Systems and methods for controlling access to one or more computing resources relate to generating session credentials that can be used to access the one or more computing resources. Access to the computing resources may be governed by a set of policies and requests for access made using the session credentials may be fulfilled depending on whether they are allowed by the set of policies. The session credentials themselves may include metadata that may be used in determining whether to fulfill requests to access the one or more computing resources. The metadata may include permissions for a user of the session credential, claims related to one or more users, and other information. | 10-16-2014 |
20140310770 | SYSTEM AND METHOD FOR CREATING AND APPLYING CATEGORIZATION-BASED POLICY TO SECURE A MOBILE COMMUNICATIONS DEVICE FROM ACCESS TO CERTAIN DATA OBJECTS - A server creates categorization-based application policies and selects a specific policy to send to a mobile communications device. In one embodiment, the mobile communication device applies the categorization-based application policy received from the server to information about a data object (e.g., application) that the device wants to access (or has accessed). Based on the application of the categorization-based policy, the device may be permitted to access the data object or the device may not be permitted to access the data object. | 10-16-2014 |
20140317676 | UTILIZING A SOCIAL GRAPH FOR NETWORK ACCESS AND ADMISSION CONTROL - Technologies for providing access control for a network are disclosed. The method may include receiving a request from a user to access a network, receiving a plurality of data associated with the user, the plurality of data comprising a plurality of social data associated with the user's relationship to a social circle, identifying an electronic security policy based at least on the plurality of social data, and authenticating the user to the network if the electronic security policy permits authentication based at least on the plurality of social data. | 10-23-2014 |
20140317677 | FRAMEWORK FOR COORDINATION BETWEEN ENDPOINT SECURITY AND NETWORK SECURITY SERVICES - Systems and techniques are described for virtual machine security. A described technique includes operating one or more virtual machines each in accordance with a respective security container, wherein the respective security container is associated with a respective rule that specifies transfer of the virtual machine from the respective security container to a quarantine container based on one or more criteria. One or more security services are operated on the one or more virtual machines to identify one or more security threats associated with one or more of the virtual machines. One or more tags generated by the endpoint security services are obtained, where each tag is for a virtual machine that is associated with one of the identified security threats. One of the virtual machines is then identified as requiring transfer to the quarantine container based on, at least, one or more of the obtained tags and the one or more criteria. | 10-23-2014 |
20140317678 | POLICY ENFORCEMENT BY END USER REVIEW - Embodiments are disclosed that relate to enforcement of user policies in a multi-user interactive computing environment by end user review. For example, one disclosed embodiment provides, on a computing device, a method comprising receiving a notification of a current policy controversy, and sending information regarding the current policy controversy to each end user reviewer of a plurality of end user reviewers, each end user reviewer being a member of an enforcement federation of a plurality of enforcement federations. The method further comprises receiving enforcement decisions from one or more responding end user reviewers of the plurality of end user reviewers, and if the enforcement decisions received meet an enforcement threshold, then automatically enforcing a policy rule. | 10-23-2014 |
20140317679 | SYSTEM AND METHOD FOR CREATING SECURE APPLICATIONS - A method for generating a secure application is described herein. The method can include the steps of obtaining a target application and decomposing the target application into original files that contain predictable instructions. One or more predictable instructions in the original files may be identified. In addition, the target application may be modified to create the secure application by binding one or more intercepts to the target application. These intercepts can enable the modification of the predictable instructions in accordance with one or more policies such that the behavior of the secure application is different from the original behavior of the target application. Modification of the target application may be conducted without access to the source code of the target application. | 10-23-2014 |
20140317680 | SYSTEM AND METHOD FOR ENSURING COMPLIANCE WITH ORGANIZATIONAL POLICIES - A method for ensuring compliance with organizational policies is described herein. The method can include the step of monitoring one or more parameters of a managed computing device for compliance with one or more policies of an organization, in which the organizational policies may include limitations on the managed computing device. The method can also include the step of detecting a non-conformance event at the managed computing device with respect to at least one organizational policy. In response to the detection of the non-conformance event, the operation of the managed computing device may be restricted with respect to features or data associated with the organization. | 10-23-2014 |
20140317681 | CLOUD FORENSICS - The cloud forensic system provides a method and system for generating an instance from a client cloud computing environment, wherein the instance is generated without affecting the integrity of the client cloud computing environment; generating a baseline of the client cloud computing environment; benchmarking the instance based on comparison of the instance to the baseline; verifying the benchmark based on a client policy; and retiring the instance, if the benchmark is verified. | 10-23-2014 |
20140317682 | PLUG-IN BASED POLICY EVALUATION - A device may include an interface to send authentication information to a plug-in, where the authentication information is related to a client device. The interface may send a policy identifier to the plug-in, where the policy identifier identifies a policy, and may receive a policy result from the plug-in, where the policy result is produced using the authentication information and a policy requirement identified by the policy identifier, and where the policy result identifies whether the client device complies with the policy. | 10-23-2014 |
20140317683 | NETWORK SERVICES INFRASTRUCTURE SYSTEMS AND METHODS - Network services infrastructure systems and methods are disclosed. Policies for client access to a services network and network services available in the services network are enforced at client gateways. Once authenticated and authorized at a client gateway, a client of the services network may make its own network service(s) available in the services network, use network services provided by other clients of the services network, or both. The policies are centrally managed within a services network and distributed to the client gateways. Various registries which store policies, information associated with network services, and possibly other information may also be provided. | 10-23-2014 |
20140317684 | Security Actuator for a Dynamically Programmable Computer Network - A network security policy may be implemented at network switches as a set of active packet disposition directives. In a dynamically programmable network, the network switches can be dynamically reprogrammed with packet disposition directives. A security actuator receives flow policy directives from a number of network applications. The flow policy directives express higher-level network security policy goals, including blocking and/or redirecting network traffic. The security actuator converts a flow policy directive into one or more packet disposition directives. The packet disposition directives may include trigger rules to cause network communications to be monitored for matching trigger packets. An automated mechanism initiated by the security actuator may cause trigger packets to be forwarded to the security actuator for analysis. The security actuator may generate packet disposition directives in response to receiving the trigger packets. | 10-23-2014 |
20140317685 | SYSTEM AND METHOD FOR PERFORMING PARTIAL EVALUATION IN ORDER TO CONSTRUCT A SIMPLIFIED POLICY - Methods and devices for constructing a simplified attribute-based access control policy, which more faithfully reproduces not only Permit and Deny decisions but also data relating to errors and quasi-errors resulting from the evaluation. To this end, the simplified policy includes new data fields for storing intermediate results. Further, improved simplification rules allow partial evaluation to be used in a broader range of situations. | 10-23-2014 |
20140325586 | METHOD AND SYSTEM FOR EVALUATING SECURITY FOR AN INTERACTIVE SERVICE OPERATION BY A MOBILE DEVICE - A method for evaluating security during an interactive service operation by a mobile communications device includes launching, by a mobile communications device, an interactive service configured to access a server over a network during an interactive service operation, and generating a security evaluation based on a plurality of trust factors related to a current state of the mobile communications device, to a security feature of the application, and/or to a security feature of the network. When the security evaluation is generated, an action is performed based on the security evaluation. | 10-30-2014 |
20140325587 | BIOINFORMATIC PROCESSING SYSTEMS AND METHODS - The present disclosure relates to systems and methods for facilitating trusted handling of genomic and/or other bioinformatic information. Certain embodiments may facilitate policy-based governance of access to and/or use of bioinformatic information, improved interaction with and/or use of distributed bioinformatic information, parallelization of various processes involving bioinformatic information, and/or reduced user involvement in bioinformatic workflow processes, and/or the like. Further embodiments may provide for memoization processes that may persistently store final and/or intermediate results of computations performed using genomic data for use in connection with future computations. | 10-30-2014 |
20140325588 | SYSTEMS AND METHODS FOR NETWORK ACCESS CONTROL - Network access control systems and methods are provided herein. A method includes receiving at a network device a SYN packet from a client device over a network, determining if the client device is a trusted source for the network using the SYN packet, if the client device is a trusted resource, receiving an acknowledgement (ACK) packet from the client device that includes identifying information for the client device plus an additional value, and identifying information for the network device, and establishing a connection with the network for the client device. | 10-30-2014 |
20140325589 | Disposable Browsers and Authentication Techniques for a Secure Online User Environment - Disclosed herein are systems and methods that allow for secure access to websites and web-based applications and other resources available through the browser. Also described are systems and methods for secure use and retention of user credentials, as well as methods for dynamic authentication of users and integrity checking of service providers in online environments. Thus, described in the present specification are systems and methods for constructing and destroying private, secure, browsing environments (a secure disposable browser), insulating the user from the threats associated with being online for the purposes of providing secure, policy-based interaction with online services. | 10-30-2014 |
20140325590 | METHOD OF ANALYZING SECURITY RULESET AND SYSTEM THEREOF - There are provided a rule-set analyzer and a method of analyzing an ordered security rule-set comprising a plurality of rules and characterized by at least one extrinsic field. The method comprises: upon specifying atomic elements constituting an extrinsic space corresponding to the at least one extrinsic field, partitioning, by a processor, the extrinsic space into two or more equivalence classes, wherein each atomic element in the extrinsic space belongs to one and only one equivalence class; mapping, by the processor, said equivalence classes over the rule-set; and analyzing, by the processor, the security rule-set using the results of mapping said equivalence classes over the rule-set. | 10-30-2014 |
20140325591 | RULES DRIVEN MULTIPLE PASSWORDS - A rules driven multiple passwords system is provided wherein a list of stored passwords is used in rotation over time in accordance with a set of rules or conditions managed by the system. With such an arrangement, the currently active password of a system User may automatically be changed, in accordance with the rules or conditions, to the next password in the list. The User is notified as to the newly assigned password. | 10-30-2014 |
20140325592 | INFORMATION MANAGEMENT METHOD AND INFORMATION MANAGEMENT SYSTEM - An information management method includes: receiving, from a manufacturer server via a network, device history information indicating a history of an operation of a device used by a first user and first anonymized user information generated by anonymizing, according to a predetermined rule, first user information including attribute information which allows identification of the first user; receiving, from a service provider server different from the manufacturer server via the network, service history information indicating a history of service used by a second user and second anonymized user information generated by anonymizing, according to the predetermined rule, second user information including attribute information which allows identification of the second user; and associating the device history information and the service history information and managing them as composite information, when the first anonymized user information and the second anonymized user information are determined to be identical or similar. | 10-30-2014 |
20140331272 | Location based enforcement of mobile policy - Disclosed are systems, apparatus, devices, methods, computer program products, computer media, and other implementations, including a method that includes communicating data representative of one or more location-based restrictions corresponding to a venue area to a mobile device determined to be located within the venue area, and controlling, by at least one venue server, use at the mobile device of services available at the venue area from one or more nodes associated with the venue area based, at least in part, on a determination, by the at least one venue server, of whether the mobile device complies with the location-based restrictions corresponding to the venue area. | 11-06-2014 |
20140331273 | CENTRALIZED MOBILE APPLICATION MANAGEMENT SYSTEM AND METHODS OF USE - An application launcher is disclosed for retrieving and permitting launch of multiple mobile applications through a single, secure authentication process, and a method of use. The method includes receiving a request to launch one or more applications through a single authentication process. The method further includes authenticating a user through an application launcher. The method further includes appending a security token to one or more applications upon authentication of the user to enable the user to launch the one or more applications through the single authentication process provided by the application launcher. | 11-06-2014 |
20140331274 | SECURITY SYSTEM FOR PHYSICAL OR VIRTUAL ENVIRONMENTS - Systems and methods for performing intra-zone and inter-zone security management in a network are provided. According to one embodiment, an association is formed by a network security device between a first zone including a first set of devices and a first set of security policies defining a first type of security scanning to be performed on packets originated within the first zone and between a second zone including a second set of devices and a second set of security policies defining a second type of security scanning to be performed on packets originated within the second zone. A first zone packet is received by the network security device. It is determined whether the destination is within the first zone. If so, then the first type of security scanning is performed. A second zone packet is received by the network security device. It is determined whether the destination is within the second zone. If so, then the second type of security scanning is performed. | 11-06-2014 |
20140331275 | CONTEXT-AWARE PERMISSION CONTROL OF HYBRID MOBILE APPLICATIONS - Controlling access to secure resources of a data processing system is provided. An input-to-output mapping of an application installed on the data processing system is generated that determines whether a secure resource in the data processing system is shared with an external entity associated with the application and under what specified conditions. It is determined whether the specified conditions exist during runtime of the application. In response to determining that the specified conditions do not exist during runtime of the application, sharing of the secure resource of the data processing system with the external entity associated with the application is prevented. In response to determining that the specified conditions do exist during runtime of the application, sharing of the secure resource of the data processing system with the external entity associated with the application is allowed. | 11-06-2014 |
20140331276 | METHODS AND APPARATUS TO MEASURE COMPLIANCE OF A VIRTUAL COMPUTING ENVIRONMENT - Methods, apparatus, systems and articles of manufacture are disclosed to measure compliance of a virtual computing environment. An example method disclosed herein includes determining, with a processor, a maximum surprisal value of a policy to be enforced on a computing resource in a computing environment, the maximum surprisal value corresponding to a probability of the computing resource being in compliance with the policy without testing the computing resource with respect to the policy, determining a current surprisal value of the computing resource with respect to the policy based on knowledge of at least one condition of the policy being at least one of satisfied by or inapplicable to the computing resource, and determining a compliance score of the computing resource with respect to the policy based on the maximum surprisal value of the policy and the current surprisal value of the computing resource with respect to the policy. | 11-06-2014 |
20140331277 | METHODS AND APPARATUS TO IDENTIFY PRIORITIES OF COMPLIANCE ASSESSMENT RESULTS OF A VIRTUAL COMPUTING ENVIRONMENT - Methods, apparatus, systems and articles of manufacture are disclosed to identify priorities of compliance assessment results of a virtual computing environment. An example method disclosed herein to identify priorities for defects includes associating, with a processor, a first defect with an asset class and a repair action, the first defect indicative of a computing resource being out of compliance with a policy, determining, with the processor, a priority for the defect based on past repair actions performed to correct past defects corresponding to the same asset class, and displaying the defect in rank order with a plurality of other defects based on the priority. | 11-06-2014 |
20140331278 | SYSTEMS AND METHODS FOR VERIFYING IDENTITIES - A method for authenticating the identity of a principal is provided. The method may include storing security information related to a principal which includes a plurality of guardians, as well as contact information and rating information for each. The method may include storing a security policy related to a requester, the security policy comprising a security set having verification parameters. The method may include receiving a request to authenticate the identity of the principal. The method may include selecting particular guardians based at least in part on the verification parameters. The method may include establishing communication links, using the contact information, between the principal and each of selected guardians. The method may include determining a result of each communication link authentication session, and based at least in part on the results, the rating information, and the verification parameters determining whether the principal is authenticated. | 11-06-2014 |
20140331279 | SECURITY ENGINE FOR A SECURE OPERATING ENVIRONMENT - The present invention relates to techniques for implementing a secure operating environment for the execution of applications on a computing device (e.g., a mobile phone). The secure operating environment may provide a trusted environment with dedicated computing resources to manage security and integrity of processing and data for the applications. The applications may be provided with a variety of security services and/or functions to meet different levels of security demanded by an application. The secure operating environment may include a security engine that enumerates and/or determines the security capabilities of the secure operating environment and the computing device, e.g., the hardware, the software, and/or the firmware of the computing device. The security engine may provide security services desired by applications by choosing from the security capabilities that are supported by the secure operating environment and the computing device. | 11-06-2014 |
20140331280 | Network Privilege Manager for a Dynamically Programmable Computer Network - A network security policy may be implemented at network switches as a set of active packet disposition directives. In a dynamically programmable network, the network switches can be dynamically reprogrammed with new packet disposition directives. An event auditor passively monitors network traffic and provides network activity data indicative of network flows to a network privilege manager. The network privilege manager determines a current network context based on the network activity data. In response to the current network context, the network privilege manager selects a security policy and generates one or more flow policy directives in accordance with the selected policy. | 11-06-2014 |
20140331281 | IN-LINE FILTERING OF INSECURE OR UNWANTED MOBILE DEVICE SOFTWARE COMPONENTS OR COMMUNICATIONS - Techniques for in-line filtering of insecure or unwanted mobile components or communications (e.g., insecure or unwanted behaviors associated with applications for mobile devices (“apps”), updates for apps, communications to/from apps, operating system components/updates for mobile devices, etc.) for mobile devices are disclosed. In some embodiments, in-line filtering of apps for mobile devices includes intercepting a request for downloading an application to a mobile device; and modifying a response to the request for downloading the application to the mobile device. In some embodiments, the response includes a notification that the application cannot be downloaded due to an application risk policy violation. | 11-06-2014 |
20140337913 | METHOD, APPARATUS, AND SYSTEM FOR ISOLATING A TEMPORARY PARTITION ON A HOST - A method, apparatus and system enable a temporary partition on a host to be isolated. More specifically, a temporary partition may be initialized in a partitioned host, assigned its own security policy and given the necessary resources to complete a task. Thereafter, the temporary partition may be dismantled. Since the temporary partition is isolated from the remaining partitions on the host, the temporary partition may be allowed to run a “weaker” security policy than the rest of the partitions because the isolation of the temporary partition ensures that the security of the remaining partitions may remain uncompromised. | 11-13-2014 |
20140337914 | Policy-based automated consent - A technique for intelligent automated consent is described by which a client may be automatically authorized to access a resource owner's protected information (e.g., a profile) based on the owner's previous authorization decisions and/or other client classifications. Using this approach to granting consent, the resource owner is not required to intervene during the authorization step for each client that is requesting access. Clients may be categorized, and authorization given to individual clients based on the category to which they belong and/or the scope of the access request. The technique may be implemented with user-centric identity protocols, as well as with delegated authorization protocols. The technique provides for policy-based consent grants. | 11-13-2014 |
20140337915 | System And Method For Creating Unique Digital Content Compilations - A computer network implemented system includes a server application linked to a computer server, wherein the server application and the computer server are operable to enable an Internet platform that enables one or more administrative users to select digital media content items from one or more content libraries to form the digital merchandise compilations, associate one or more rules related to the consumption of the digital merchandise compilations, including the rights of users or groups of users to access, retrieve, trade, transfer or otherwise use the digital merchandise compilations, or components thereof (“consumption attributes”), and enforce the one or more consumption attributes regardless of the users or groups of users, or network-connected device(s) associated with such user or groups of users. Each digital merchandise compilation constitutes a unique media object, where the actions of the users relative to the media object are defined by the consumption attributes. | 11-13-2014 |
20140337916 | Evaluating Security of Data Access Statements - Techniques are provided for evaluating the security of data access statements. Specifically, in one embodiment of the claimed subject matter there is provided a technique for evaluating the security of data access statements, comprising: evaluating the criticality of multiple SQL statements contained in multiple sessions accessing a database; generating a critical item set from the multiple sessions, each element in the critical item set indicating one or more SQL statements contained in a session; extracting at least one association rule from the critical item set, each of the at least one association rule indicating a sequence of SQL statements contained in a session; and calculating the criticality of each of the at least one association rule. | 11-13-2014 |
20140337917 | VERIFYING ACCESS-CONTROL POLICIES WITH ARITHMETIC QUANTIFIER-FREE FORM CONSTRAINTS - A system and method is provided for verifying an access-control policy against a particular constraint for a multi-step operation. In disclosed embodiments, the method includes expressing the access-control policy as a first quantifier-free form (QFF) constraint and identifying the particular constraint as a second QFF constraint. The method also includes identifying an operation vector and providing copies of the operation vector associated with steps in the multi-step operation. The method also includes determining a third QFF constraint using the first QFF constraint, the second QFF constraint, and the copies of the operation vector. The method also includes solving the third QFF constraint to determine a solution and outputting a result of the solving. | 11-13-2014 |
20140344886 | Sensor Aware Security Policies with Embedded Controller Hardened Enforcement - An information handling system (IHS) performs security policy enforcement using security policy data maintained in an embedded controller (EC), which operates within a privileged environment. The security policy data identifies security policies established for the IHS. The EC is directly connected to a number of sensors from which the EC receives sensor data and to at least one integrated functional device. The EC determines whether the received sensor data fulfills any trigger condition of a security policy. If the received sensor data does not fulfill any trigger condition of a security policy described by the security policy data, the EC continues to monitor sensors for updated sensor data. However, if the received sensor data fulfills any trigger condition of the security policy, the EC performs a security measure that involves enabling, disabling, or resetting one or more of the at least one integrated functional devices that can be disabled. | 11-20-2014 |
20140344887 | INHERITING SOCIAL NETWORK INFORMATION - Various embodiments provide for inheriting social network information from a first user to one or more other users. In various examples, rule-based criteria (e.g., origination, update frequency, access, event occurrence and/or proficiency) are utilized for allowing a first user to bestow (e.g., transfer/share/delegate) social network information (e.g., authorization, access, contact(s), document(s), video(s), file(s), image(s), post(s), blog(s), content, rule(s) and/or control) to a second user. | 11-20-2014 |
20140344888 | NETWORK SECURITY APPARATUS AND METHOD - A network security apparatus includes a management unit, a security policies monitoring unit, a security monitoring unit, a log security check unit, and a log transmission unit. The management unit receives network security apparatus setting information, security policies and log generation policies from the outside. The security policies monitoring unit checks whether the security policies comply with a set format. If the security policies comply with the set format, the security monitoring unit monitors whether a communication node communicates in compliance with the security policies. The log security check unit generates a monitoring log based on the log generation policies, and checks whether the monitoring log complies with a log setting format. If the monitoring log complies with the log setting format, the log transmission unit transmits the security log to the outside, thereby performing the outside network security. | 11-20-2014 |
20140344889 | METHOD OF OPERATING SECURITY FUNCTION AND ELECTRONIC DEVICE SUPPORTING THE SAME - A method and an electronic device are provided for operating a security function. The method includes receiving a request for activation of a security function, confirming whether a security indicator is set, and when the security indicator is set, applying the security indicator to a security function screen image, based on activation of the security function, and outputting the security function screen image to a display of the electronic device. | 11-20-2014 |
20140344890 | DNS-BASED CAPTIVE PORTAL WITH INTEGRATED TRANSPARENT PROXY TO PROTECT AGAINST USER DEVICE CACHING INCORRECT IP ADDRESS - A captive portal system includes a login database, a web server, and a name server. The name server receives a DNS request from a user device, queries the login database to determine whether the user device is logged in, and responds to the DNS request with the IP address of the web server as a resolved IP address of the specified domain name when the user device is not logged in. The web server accepts a connection request from the user device to the IP address of the web server, receives an HTTP request specifying a non-local target URL from the user device, queries the login database to determine whether the user device is logged in according to the source address of the user device, and acts as a transparent proxy between the user device and the non-local target URL when the user device is logged in. | 11-20-2014 |
20140344891 | SYSTEMS AND METHODS FOR ENHANCED CLIENT SIDE POLICY - An appliance and method for authorizing a level of access of a client to a virtual private network connection, based on a client-side attribute includes the step of establishing, by an appliance, a control connection with a client upon receiving a client request to establish a virtual private network connection with a network. The appliance transmits, via the control connection, a request to the client to evaluate at least one clause of a security string, the at least one clause including an expression associated with a client-side attribute. The client transmits, via the control connection, a response to the appliance comprising a result of evaluating the at least one clause by the client. The appliance assigns the client to an authorization group based on the result of evaluation of the at least one clause. | 11-20-2014 |
20140351878 | LOCATION-AWARE RATE-LIMITING METHOD FOR MITIGATION OF DENIAL-OF-SERVICE ATTACKS - A network component has a set of one or more rules, each of which has a match component and an action component. If an incoming packet maps to the match component of a rule, then the packet is handled according to the rule's action component. If the rule also includes a limit component, then if the packet maps to the rule's match component, a family history of the rule is updated, and the packet is handled according to the rule's action component only if the rule's family history satisfies the rule's limit component. | 11-27-2014 |
20140351879 | ELECTRONIC APPARATUS, CONTROL METHOD AND STORAGE MEDIUM - According to one embodiment, an electronic apparatus includes a multiuser function. The apparatus includes a manager and controller. The manager is configured to provide an environment for restricting a process executable by the apparatus. The controller is configured to detect a request to execute the process, and to transmit contents related to the request to the manager prior to the execution of the process. The manager is configured to transmit a determination result to the controller based on a policy applied to each user and indicative of permission or prohibition of the execution of the process. | 11-27-2014 |
20140351880 | Method of Seamless Policy Based Network Discovery, Selection and Switching - The present invention relates to a method for seamless policy based network discovery, selection and switching of a user equipment (UE), characterised by the steps of: retrieving existing network selection policy information for the current UE location; contacting the network policy control server of the current UE location; performing a network authentication procedure with the network policy control server; securing the communication channel between the UE and the network policy control server; requesting network selection policy information; storing the network selection policy information; extracting the network selection policy information; evaluating a first set of UE local operating environment conditions; provisioning the plurality of sets of access point security information on the UE; evaluating a second set of UE local operating environment conditions; performing a network switch; evaluating a third set of UE local operating environment conditions; establishing wireless local area network (WLAN) interworking procedures; and diagnosing the quality of service of the connected network connection. | 11-27-2014 |
20140351881 | PREMISES AWARE SECURITY - Premise-based policies can be applied in the management of mobile devices and other computing devices within a system. A computing device is detected using close proximity wireless communication and location information is sent to the computing device using close proximity wireless communication. Policies applied to the computing device can be based at least in part on the location information. | 11-27-2014 |
20140351882 | SYSTEMS AND METHODS FOR THE RAPID DEPLOYMENT OF NETWORK SECURITY DEVICES - A configuration service comprises a deployment package and a production configuration for a network security device. One or more configuration parameters of the production configuration may be defined by an administrator of the network security device (e.g., the customer). The network security device may be preconfigured with a network address and identifier. The network security device may be configured to automatically request and apply the deployment package at deployment time by use of the preconfigured network address and identifier. The network security device may automatically request and apply the production configuration from the configuration service in response to applying the deployment package. | 11-27-2014 |
20140351883 | E-MAIL FIREWALL WITH POLICY-BASED CRYPTOSECURITY - An e-mail firewall applies policies to e-mail messages between a first site and second sites in accordance with administrator-selectable policies. The firewall includes a simple mail transfer protocol relay for causing the e-mail messages to be transmitted between the first site and selected ones of the second sites. Policy managers enforce administrator-selectable policies relative to one or more of encryption and decryption, signature, source/destination, content and viruses. | 11-27-2014 |
20140351884 | DATA MAPPING USING TRUST SERVICES - Embodiments are directed to mapping encryption policies to data stored in a database using a policy identifier, and to accessing data stored in a database using a policy identifier. In one scenario, a computer system receives an indication that identifies which type of encryption is to be applied when encrypting a specified portion of data stored in a database. The database has a database schema identified by a database schema identifier, where the database schema defines relationships for data stored in the database. The computer system then accesses a namespace that identifies a set of databases in which the specified portion of data is accessed in the same manner. The computer system also generates a policy identifier, which contains information including the namespace and the database schema identifier. | 11-27-2014 |
20140359691 | Policy enforcement using natural language processing - A term of use policy document defines permissible actions that may be implemented by a user using a computing device. A natural language processing (NLP)-based question and answer (Q&A) system is trained to understand the policy document. The device includes a management application that interacts with the Q&A system to identify a policy violation. When the user performs an action on the device, the application converts that action into an NLP query directed to the Q&A system to determine whether the action constitutes a violation. The query may be accompanied by metadata associated with the user, the device or its state. Upon receipt of the query and any associated metadata, the Q&A system determines if the user action is compliant with the policy and returns a response. Based on the response, the user's computing device may take an enforcement action, e.g., restricting or disabling functionality, or issuing a warning. | 12-04-2014 |
20140359692 | Techniques for Reconciling Permission Usage with Security Policy for Policy Optimization and Monitoring Continuous Compliance - In one aspect, a method for managing a security policy having multiple policy items includes the steps of: (a) mapping permissions to the policy items which apply to usage of the permissions so as to determine which of the permissions are granted to groups of users by each of the policy items; (b) identifying at least one of the policy items mapped in step (a) that is in violation of least privilege based on a comparison of an actual permission usage with the security policy; (c) identifying at least one of the policy items mapped in step (a) that increases operational risk; (d) verifying that policy constructs in the security policy are consistent with policy constructs inferred from the actual permission usage; and (e) identifying optimizations of the security policy based on output from one or more of steps (a)-(d). | 12-04-2014 |
20140359693 | COORDINATED NETWORK SECURITY MANAGEMENT - A computer-implemented method, computer program product, and computer system for implementing coordinated management of network security controls. The computer system determines a plurality of managed network devices affected by coordinated security policies in a network. The computer system converts the coordinated security policies to firewall rule configuration for each of the managed network devices affected. The computer system adds the firewall rule configuration to a set of firewall rules for the each of the managed network devices affected. | 12-04-2014 |
20140359694 | SYSTEM AND METHOD FOR COMPUTER SYSTEM SECURITY - A system, method and computer program product that is capable of security monitoring, threat analysis and client notification for a computer system is provided. This Managed Security Service (MSS) includes a log data sensor component providing a log interceptor service. Log data is collected from server and other equipment log activity and processed using a stateful network security policy to detect security threats and generate an appropriate action. | 12-04-2014 |
20140359695 | Techniques for Reconciling Permission Usage with Security Policy for Policy Optimization and Monitoring Continuous Compliance - In one aspect, a method for managing a security policy having multiple policy items includes the steps of: (a) mapping permissions to the policy items which apply to usage of the permissions so as to determine which of the permissions are granted to groups of users by each of the policy items; (b) identifying at least one of the policy items mapped in step (a) that is in violation of least privilege based on a comparison of an actual permission usage with the security policy; (c) identifying at least one of the policy items mapped in step (a) that increases operational risk; (d) verifying that policy constructs in the security policy are consistent with policy constructs inferred from the actual permission usage; and (e) identifying optimizations of the security policy based on output from one or more of steps (a)-(d). | 12-04-2014 |
20140359696 | INTEROPERABILITY BETWEEN AUTHORIZATION PROTOCOL AND ENFORCEMENT PROTOCOL - The disclosure comprises methods, devices and computer programs to provide interoperability between incompatible security architectures, protocols, or domains. Policy rules of an authorization protocol are applied to an access request made in an enforcement protocol, and a result of the application is produced. A decision may be made as to whether to issue/reissue an authorization of the access request based on the result of applying the policy rules to the access request. Other embodiments are also provided. | 12-04-2014 |
20140359697 | Active Security Defense for Software Defined Network - A method is described in which at least one access event matching a predetermined security entry detected by an SDN switch is received; a target host of the access event is determined; and a security validation module corresponding to the predetermined security entry is invoked to obtain a security validation result. | 12-04-2014 |
20140359698 | SYSTEM AND METHOD FOR DISTRIBUTED LOAD BALANCING WITH DISTRIBUTED DIRECT SERVER RETURN - Embodiments may include a load balancer that receives a request packet sent by a remote client to an original destination address of multiple network addresses serviced by the load balancer, and selects according to a load balancing protocol, a host computer of a plurality of host computers to process the request. The load balancer may, from among a plurality of ports on the selected host computer, select a particular port having a one-to-one association with the original destination address, the association specified by mapping information accessible to the load balancer, and send the request packet to the selected port on the selected host computer. The mapping information accessible to the selected host computer specifies a one-to-one association between the selected port and the original destination address. Sending the request packet to the selected port conveys that address to the selected server without that address being included in that packet. | 12-04-2014 |
20140366079 | SYSTEM AND METHOD FOR PROVIDING A SINGLE GLOBAL BORDERLESS VIRTUAL PERIMETER THROUGH DISTRIBUTED POINTS OF PRESENCE - A system and method for providing a virtual perimeter through distributed points of presence. A network system comprises one or more Perimeter Points of Presence (P/PoP) configured to provide a virtual perimeter. The one or more P/PoPs comprise a network interface component; a plurality of selectable service area systems, each of which comprises one or more selectable service area sub-systems, wherein the selectable service area systems and sub-systems can provide a customized virtual perimeter for an entity. The one or more P/PoPs are configured to receive data; process the data using at least one of the service area systems and sub-systems configured as a data processing policy for the entity; and transmit the processed data as policy compliant data from the one or more P/PoP to an end destination. | 12-11-2014 |
20140366080 | SYSTEMS AND METHODS FOR ENABLING AN APPLICATION MANAGEMENT SERVICE TO REMOTELY ACCESS ENTERPRISE APPLICATION STORE - A method for providing secure remote access to an enterprise application store with enterprise applications for a service running on a mobile device includes receiving an authentication request with user credentials from an access manager on the mobile device. Authentication and a valid session cookie are provided if user credentials are valid. An access token request is received and an access token is provided in response to the token request if the token request includes the valid session cookie. An access request from the service is received and access to the enterprise application store by the service is allowed if the request includes the access token. The service may then download applications or receive applications delivered via the enterprise application store. The application management service can also access a publicly available application store. | 12-11-2014 |
20140366081 | Systems and Methods for Application-Specific Access to Virtual Private Networks - Described herein are systems and methods utilizing application-specific access to a virtual private network (“VPN”). A method may comprise receiving, from an application executing on a device, a request for a network data flow to a private network, comparing identification information associated with the application against a set of rules stored on a memory of the device, wherein the set of rules identifies conditions for the application to be authorized to access the private network, and establishing a connection for the network data flow upon the identification information satisfying the conditions for the application to access the private network. | 12-11-2014 |
20140366082 | OPTIMIZING RISK-BASED COMPLIANCE OF AN INFORMATION TECHNOLOGY (IT) SYSTEM - For each of a plurality of endpoints of an information technology system having a plurality of security policies, a probability of being safe of each of said endpoints is determined according to each of said security policies. Said determining takes into account probability of security compromise for a single violation of each given one of said security policies. A risk-aware compliance metric is determined for said information technology system based on each of said probabilities of being safe for each of said endpoints and each of said policies. At least one of an operation and a remediation is carried out on said information technology system based on said risk-aware compliance metric. Techniques for optimizing risk-aware compliance are also provided. | 12-11-2014 |
20140366083 | AUTHENTICATION POLICY USAGE FOR AUTHENTICATING A USER - A method and system for authenticating a user. A first server of at least two servers receives input authentication information from the user. The first server ascertains that the user is authorized to access a federated computing environment that comprises the at least two servers, which includes the first server determining that the received input authentication information conforms to at least one rule of an authentication policy of a second server having the highest relative priority among those servers of the at least two servers whose authentication policy's at least one rule, in an authentication policy table within the first server, is conformed to by the received input authentication information. | 12-11-2014 |
20140366084 | MANAGEMENT SYSTEM, MANAGEMENT METHOD, AND NON-TRANSITORY STORAGE MEDIUM - There is provided a management system ( | 12-11-2014 |
20140366085 | METHOD AND SYSTEM FOR RAPID ACCREDITATION/RE-ACCREDITATION OF AGILE IT ENVIRONMENTS, FOR EXAMPLE SERVICE ORIENTED ARCHITECTURE (SOA) - A system and method for managing and analyzing security requirements in reusable models. At least one functional model, at least one security implementation model, at least one requirement model, and meta models of the models are read by a reader. A correspondence between the functional model, security implementation model, and the requirements model is analyzed, whereby the correspondence indicates that compliance/security/accreditation requirements defined in the requirement model match with security objectives implemented by controls defined by the security implementation model. Next, it is determined whether correspondence is or is not given based on the analysis of the correspondence and then evidence is generated based on the analysis of the correspondence and the determination and the impact of changes is analyzed. | 12-11-2014 |
20140366086 | DETERMINING SECURITY FACTORS ASSOCIATED WITH AN OPERATING ENVIRONMENT - Embodiments of the present invention disclose a method, computer program product, and system for determining security factors associated with an operating environment for a computer through a wireless network. The computer identifies one or more local computers operating within range of wireless communications to the computer through a wireless network. The computer determines a current operating environment corresponding to the one or more identified local computers. The computer determines a current security value for the current operating environment corresponding to identities and security of the identified local computers. The computer identifies data corresponding to the current operating environment, the data corresponding to a current time period of the current operating environment. The computer determines security information corresponding to the current operating environment, wherein the security information includes a familiarity of the computer to the current operating environment, and a historical security of the computer in the current operating environment. | 12-11-2014 |
20140366087 | DATA TRANSFER FOR NETWORK INTERACTION FRAUDULENCE DETECTION - Transferring metadata is disclosed. Information about a network interaction is processed to generate metadata describing the network interaction. Based on the metadata it is determined whether the metadata is to be transferred to an aggregator. In the event that the metadata is to be transferred, one or more aggregators are determined to which the metadata is to be transferred. The metadata is transferred to the one or more aggregators. | 12-11-2014 |
20140366088 | SYSTEMS AND METHODS FOR PASSING NETWORK TRAFFIC CONTENT - A method for transmitting content data includes receiving content data, and passing at least a portion of the content data based on a size of the received content data. A method for transmitting content data includes receiving content data, and passing at least a portion of the content data based on a prescribed rate. A method for transmitting content data includes receiving content data, and passing at least a portion of the content data before performing policy enforcement on the content data. | 12-11-2014 |
20140366089 | METHOD, APPARATUS, SIGNALS, AND MEDIUM FOR MANAGING TRANSFER OF DATA IN A DATA NETWORK - A method and apparatus for managing a transfer of data in a data network identifies data associated with a communication session between a first node and a second node in the data network. Further processing of the communication session occurs when a portion of the communication session meets a criterion and the communication session is permitted to continue when the portion of the communication session does not meet the criterion. | 12-11-2014 |
20140373087 | Automatic Code and Data Separation of Web Application - Aspects of the subject disclosure are directed towards detecting instances within a web application where code and data are not separated, e.g., inline code in the application. One or more implementations automatically transform the web application into a transformed version where code and data are clearly separated, e.g., inline code is moved into external files. The transformation protects against a large class of cross-site scripting attacks. | 12-18-2014 |
20140373088 | SYSTEM AND METHODS FOR ANALYZING AND MODIFYING PASSWORDS - A system for analyzing and modifying passwords in a manner that provides a user with a strong and usable/memorable password. The user would propose a password that has relevance and can be remembered. The invention would evaluate the password to ascertain its strength. The evaluation is based on a probabilistic password cracking system that is trained on sets of revealed passwords and that can generate password guesses in highest probability order. If the user's proposed password is strong enough, the proposed password is accepted. If the user's proposed password is not strong enough, the system will reject it. If the proposed password is rejected, the system modifies the password and suggests one or more stronger passwords. The modified passwords would have limited modifications to the proposed password. Thus, the user has a tested strong and memorable password. | 12-18-2014 |
20140373089 | APPROVAL OF CONTENT UPDATES - A method, computer program product, and system is described. An indication of a problem regarding a content item is received, the content item being subject to a workflow including an approval protocol. A request for an emergency exception to the workflow with respect to an update to the content item is received, the update being associated with the problem. Permission for circumvention of one or more aspects of the approval protocol with respect to the update is provided, in response to receiving the request for the emergency exception. | 12-18-2014 |
20140373090 | SYSTEMS AND METHODS FOR PROVIDING A SMART GROUP - The present invention is directed towards systems and methods for establishing and applying a policy group to control a user's access to an identified resource. A policy group representing an aggregate of one or more access configurations for a user to access one or more identified resources may be established via a policy manager. The policy group may include a login point component representing an entry point to access the identified resource. The login point may be configured via the policy manager to specify a uniform resource locator for the entry point. One or more authentication and authorization methods may be selected for the login point component. The device may receive a request to access the uniform resource locator. The device may initiate the policy group for evaluation. The device may initiate, with the user, one or more authentication and authorization methods specified by the login point component. | 12-18-2014 |
20140373091 | Distributed Network Security Using a Logical Multi-Dimensional Label-Based Policy Model - A managed server (MS) within an administrative domain is quarantined. The administrative domain includes multiple MSs that use management instructions to configure management modules so that the configured management modules implement an administrative domain-wide management policy that comprises a set of one or more rules. The quarantined MS is isolated from other MSs. A description of the MS is modified to indicate that the MS is quarantined, thereby specifying a description of the quarantined MS. Cached actor-sets are updated to indicate the quarantined MS's changed state, thereby specifying updated actor-sets. A determination is made regarding which updated actor-sets are relevant to another MS, thereby specifying currently-relevant updated actor-sets. A determination is made regarding whether the currently-relevant updated actor-sets differ from actor-sets previously sent to the other MS. Responsive to determining that the currently-relevant updated actor-sets are identical to the previously-sent actor-sets, no further action is taken. | 12-18-2014 |
20140380402 | POLICY ENFORCEMENT DELAYS - Policies are used to control access to resources. Requests to change a set of policies may be fulfillable, at least in some circumstances, only if the requests are submitted such that the requested changes would become effective at a time in the future that is in compliance with a requirement for delayed enforcement. The requirement for delayed enforcement may be encoded in a policy in the set of policies. | 12-25-2014 |
20140380403 | SECURE ACCESS ENFORCEMENT PROXY - Efficient architecture for a secure access enforcement proxy is described. The proxy interfaces with multiple subsystems and multiple shared resources. The proxy identifies an original transaction command being sent from one of the subsystems to one of the shared resources, identifies a policy corresponding to the subsystem, performs an action pertaining to the original transaction command based on the policy, and sends a response to the subsystem based on the action. | 12-25-2014 |
20140380404 | AUTOMATIC DATA PROTECTION IN A COMPUTER SYSTEM - Techniques are provided for a data security system that includes two mappings: a first mapping that maps a security policy to a sensitive type and a second mapping that maps the sensitive type to one or more data sets. The sensitive type indicates a class of sensitive data. Example data sets include columns, tables, tablespaces, files, and directories in a file system. Because a security policy is not tightly coupled to a target data set, the security policy becomes data-agnostic, portable, and reusable. Also, a security policy may be objectless in that, at some point in time, the security policy is not associated with any data set. A security policy may also be multifunctional in that the security policy may include multiple security features or requirements. A security policy may also be exhaustive in that all necessary security requirements prescribed for a data set can be included in the security policy. | 12-25-2014 |
20140380405 | FLEXIBLE POLICY ARBITRATION CONTROL SUITE - A policy arbitration system manages the fundamental communications and isolation between executable components and shared system resources of a computing device, and controls the use of the shared resources by the executable components. Some versions of the policy arbitration system operate on a virtualized mobile computing device to dynamically compile and implement policy rules that are issued periodically by multiple different independent execution environments that are running on the computing device. Semi-dynamic policy changes allow for context enabled policy changes that enforce the desired system and component “purpose” while simultaneously denying the “anti-purpose”. | 12-25-2014 |
20140380406 | POLYMORPHIC VIRTUAL APPLIANCE RULE SET - A domain manager system as disclosed herein can control the selective activation of multiple independently-operable execution environments or domains on a computing device in accordance with one or more policies. In some embodiments, activation of a domain may at least temporarily transform a general purpose computing device into a specific purpose computing device or “appliance” by disabling use of one or more shared system resources by other domains. | 12-25-2014 |
20140380407 | ROLE BASED SEARCH - The disclosure relates to accessing information, and more specifically to accessing information wherein the information is protected by access rules. In particular, the invention relates to a search system comprising integrated access request routines. The disclosure also relates to a search system and to a corresponding computer program. | 12-25-2014 |
20140380408 | Trusted infrastructure support systems, methods and techniques for secure electronic commerce, electronic transactions and rights management - An integrated, modular array of administrative and support services are provided for electronic commerce and electronic rights and transaction management. These administrative and support services supply a secure foundation for conducting transaction-related capabilities over electronic networks, and can also be adapted to the specific needs of electronic commerce value chains. In one embodiment a Distributed Commerce Utility having a secure, programmable, distributed architecture provides these administrative and support services. The Distributed Commerce Utility may comprise a number of Commerce Utility Systems. These Commerce Utility Systems provide a web of infrastructure support available to, and reusable by, the entire electronic community and/or many of its participants. Different support functions can be collected together in hierarchical and/or networked relationships to suit various business models or other objectives. Modular support functions can be combined in different arrays to form different Commerce Utility Systems for different design implementations and purposes. | 12-25-2014 |
20140380409 | NETWORK DEVICE MANAGEMENT APPARATUS, NETWORK DEVICE MANAGEMENT METHOD, AND PROGRAM FOR EXECUTING NETWORK DEVICE MANAGEMENT METHOD - This network device management apparatus includes an acquisition unit that acquires management information that shows a management condition of a network device; a decision-making unit that decides a security policy based on the management information; and a delivery unit that delivers the security policy to a network device that is compatible with the security policy settings. | 12-25-2014 |
20140380410 | SYSTEMS AND METHODS FOR HTTP CALLOUTS FOR POLICIES - A method of identifying an action of a policy in association with communications between a client and one or more servers includes determining, by an intermediary, a policy action based on using a callout based policy. In one aspect, an intermediary receives communications between a client and one or more servers. The intermediary identifies a policy for the communications, the policy specifying a request and a server to communicate the request. Responsive to the policy, the intermediary transmits the request to the server. Based on the server response to the request, the intermediary determines an action of the policy. In another aspect, a system for the present method includes an intermediary and a policy engine for identifying a policy to specify a request and a destination server. Responsive to a server response to the request, the intermediary determines an action of the policy. | 12-25-2014 |
20140380411 | TECHNIQUES FOR WORKLOAD SPAWNING - Techniques for spawning workloads are provided. A single repository is read once to obtain an image for a workload or files and resources for the image. The read operation spawns multiple, and in some cases, concurrent write operations, to instantiate the workload over a network as multiple occurrences or instances of the workload in multiple processing environments. | 12-25-2014 |
20140380412 | COMPLIANCE-BASED ADAPTATIONS IN MANAGED VIRTUAL SYSTEMS - Techniques are disclosed for controlling and managing virtual machines and other such virtual systems. VM execution approval is based on compliance with policies controlling various aspects of VM. The techniques can be employed to benefit all virtual environments, such as virtual machines, virtual appliances, and virtual applications. For ease of discussion herein, assume that a virtual machine (VM) represents each of these environments. In one particular embodiment, a systems management partition (SMP) is created inside the VM to provide a persistent and resilient storage for management information (e.g., logical and physical VM metadata). The SMP can also be used as a staging area for installing additional content or agentry on the VM when the VM is executed. Remote storage of management information can also be used. The VM management information can then be made available for pre-execution processing, including policy-based compliance testing. | 12-25-2014 |
20140380413 | MOBILE APPLICATION SECURITY ASSESSMENT - The security of mobile applications may be assessed and used to enhance the security of mobile devices. In one example, a method may include determining security scores of one or more mobile applications, the security scores defining a level of security risk corresponding to the one or more mobile applications. The method may further include receiving a policy relating to mobile applications that are permitted to be used by the mobile device, the policy including a threshold security score value; and receiving the requested security scores. The method may further include restricting use of selected ones of the one or more mobile applications when a security score corresponding to the one or more mobile applications is below the threshold security score value. | 12-25-2014 |
20140380414 | METHOD AND SYSTEM FOR APPLICATION-BASED POLICY MONITORING AND ENFORCEMENT ON A MOBILE DEVICE - A method and system for application-based monitoring and enforcement of security, privacy, performance and/or other policies on a mobile device includes incorporating monitoring and policy enforcement code into a previously un-monitored software application package that is installable on a mobile device, and executing the monitoring and policy enforcement code during normal use of the software application by a user of the mobile device. | 12-25-2014 |
20140380415 | Method and Device for Synchronizing Network Data Flow Detection Status - A method and a device for synchronizing network data flow detection status are provided. The method includes: a status synchronizing server receives a first request sent by a first security device node, where the first request carries a first flow entry of a first data flow that is currently detected by the first security device node; determines first network data flow detection status corresponding to the first flow entry; sends a first response to the first security device node, where the first response carries the first network data flow detection status. A security device node requests previous network data flow detection status of a data flow from a status synchronizing server so as to synchronize network data flow detection status, thereby allowing the security device node to detect a network attack in a more accurate way and improving network system security. | 12-25-2014 |
20150020147 | AUTHORIZATION POLICY FOR GROUP-CENTRIC SECURE INFORMATION SHARING - In the present specification, a methodology for incremental security policy specification at varying levels of abstraction is disclosed. The method maintains strict equivalence with respect to authorization state and is based on the group-centric secure information sharing (g-SIS) domain, which is known in the art. A g-SIS authorization policy is specified statelessly, in that it focuses solely on specifying the precise conditions under which authorization can hold in the system while only considering the history of actions that have occurred. The policy supports join, leave, add, and remove operations, which may have either strict or liberal semantics. The stateful application policy is then specified using linear temporal logic. The stateful specification is authorization equivalent to the stateless specification, and may enforce well-formedness constraints. | 01-15-2015 |
20150020148 | Identity Based Connected Services - Embodiments of the disclosure are directed towards a system and method for enabling an identity based connected service employing a “bound to identity” application usage model. The identity based connected service supports network access for the computing devices based on network connectivity associated with a device application. The system and method use the network access associated with the device application to communicate application state changes in a manner such that any instance of the device application executing on any of the computing devices associated with the same end-user identity remain coherent and consistent. The system and method authenticates an instance of the device application with a single authentication of the device application to an associated resource server. | 01-15-2015 |
20150020149 | ADAPTIVE IDENTITY RIGHTS MANAGEMENT SYSTEM FOR REGULATORY COMPLIANCE AND PRIVACY PROTECTION - Some embodiments are directed to managing transactions in a computer system, which receives information indicating a first node has at least one right with regard to a second node such that the first node is associated with the second node. An identity network is created, based, on the association between the first node and the second node, representing undirected ties between a plurality of nodes, the plurality of nodes including at least the first and second node. Using the identity network, a rights network is created representing directed ties between the plurality of nodes based, at least in part, on the undirected ties of the identity network and the at least one right the first node has with regard to the second node. The rights network is used to determine whether a transaction initiated by the first node is permissible based, at least in part, on the rights network. | 01-15-2015 |
20150020150 | MANAGEMENT APPARATUS, CONTROL METHOD THEREOF, AND STORAGE MEDIUM - A management server is provided that manages a plurality of image forming apparatuses including an image forming apparatus compliant with a setting management function that enables an operation of security information, and an image forming apparatus non-compliant with the setting management function. The management server receives security information from the image forming apparatus, and determines whether the security information includes a change. When the image forming apparatus that is a transmission source of the security information including the change is non-compliant with the setting management function, the management server outputs a notice indicating the security information including the change as a notice, whereas when the image forming apparatus is compliant with the setting management function, the management server outputs a notice indicating the security information including the change as a warning. | 01-15-2015 |
20150020151 | SYSTEMS AND METHODS FOR TRUSTED SHARING - A content distribution system for controlling access of digital content that is shared with indirect contacts receives from a publisher of digital content, a specification of a sharing policy for sharing by a first user to indirect contacts to be identified at the time of distribution. The sharing policy can identify a number of shares, a number of indirect contacts, acceptable web domains, or acceptable geographic regions. The system receives a request from the first user to access the content. The first user is a contact of the publisher identified by the publisher. The system authorizes the first user to access the content and receives from the first user a request to share the content with a second user that is a contact of the first user and an indirect contact of the publisher. The system authorizes, in accordance with the sharing policy, the second user to access the content. | 01-15-2015 |
20150020152 | SECURITY SYSTEM AND METHOD FOR PROTECTING A VEHICLE ELECTRONIC SYSTEM - Security system for protecting a vehicle electronic system by selectively intervening in the communications path in order to prevent the arrival of malicious messages at ECUs, in particular at the safety critical ECUs. The security system includes a filter which prevents illegal messages sent by any system or device communicating over a vehicle communications bus from reaching their destination. The filter may, at its discretion according to preconfigured rules, send messages as is, block messages, change the content of the messages, request authentication or limit the rate such messages can be delivered, by buffering the messages and sending them only in preconfigured intervals. | 01-15-2015 |
20150020153 | COLLABORATIVE MEDIA PRESENTATION SERVICE WITH USAGE RIGHTS ENFORCEMENT - An online collaborative media presentation service is provided. Users of the online service can create highly customized profiles that contain personal profile information and information on media files and other topics of interest. Users can upload media files to a media server associated with the online service without preapproval from content owners. The rights of content owners are preserved by using a digital rights management service to identify uploaded media files. The media server submits uploaded media files to the digital rights management service to determine whether streaming of the media files is permissible. If streaming is not permitted, the media server can block an uploaded file. If streaming is permitted, the media server can make the media file available for streaming. When streaming media to users, the media server displays targeted advertisements and other related content to users. The related content adds value for the online service. | 01-15-2015 |
20150026755 | ENTERPRISE COLLABORATION CONTENT GOVERNANCE FRAMEWORK - The present disclosure describes methods, systems, and computer program products for providing enterprise collaboration content governance. One computer-implemented method includes receiving a content creation request associated with particular content and a context, transmitting the particular content and context for validation of the content creation request, comparing, by operation of a computer, at least one rule and at least one pattern to the transmitted content and context to generate a rule result, determining at least one action result based on the generated rule result, and performing at least one application action based on the determined at least one action result. | 01-22-2015 |
20150026756 | COORDINATION OF MULTIPATH TRAFFIC - In one implementation, traffic in a mobile network is directed across multiple paths to a single cloud server or security server (e.g., a security as a service). The mobile device detects a cloud connector through a primary connection based on an attachment or connection via a first interface of a mobile device. The mobile device sends a request to the cloud connector for an identification of a cloud security server associated with the cloud connector. After receiving the identification of the cloud security server, the mobile device directs one or more subsequent data flows or subflows for a second interface or another interface of the mobile device to the cloud server or security server. The second data flow and the second interface are associated with another network that is external to the enterprise network and trusted network connection or not associated with the enterprise network and the trusted network connection. | 01-22-2015 |
20150026757 | Web Caching with Security as a Service - In one implementation, Web-Cache deployed in the Enterprise premises and cloud-based SecaaS are combined such that similar identity-based polices are enforced on both the SecaaS and content delivered from the Web-Cache. This identity-based policy implementation outside the network using SecaaS and within the network for web-cached content provides consistent identity-based security while still providing content to end-users with high performance. Content inspected and/or modified by SecaaS may be cached in the enterprise premises so that requests for content from an origin server decreases, freeing Internet bandwidth and reducing access time. Local caching of streaming content may decrease latency while local implementation of identity-based policy continues to limit the streamed content as appropriate. Local implementation of identity-based policy may reduce the load on SecaaS. Rather than using content delivery networks provided by a service provider for web-content, a cache server within the enterprise is used. | 01-22-2015 |
20150026758 | Methods To Achieve Modem-Assisted-Service-Classification Functionality in a Device with Multiple Subscriptions - Various embodiments provide methods performed by a modem-assisted-service-classification (MASC) client application operating on a multi-SIM computing device for implementing MASC functionality for two or more subscriptions. In various embodiments, the MASC client may implement MASC functionality by associating MASC policies for one or more access point names (APNs) with a specific subscription and by applying those policies to applications associated with those one or more APNs while that specific subscription is in active communication with its network. Thus, by managing a mapping of subscriptions, APNs/networks, and applications, the MASC client may enable implementation of MASC functionality for a multi-SIM computing device. | 01-22-2015 |
20150026759 | METHOD OF ENFORCING CONTROL OF ACCESS BY A DEVICE TO A SECURE ELEMENT, AND CORRESPONDING SECURE ELEMENT - A method of enforcing control of access by a hosting device to a secure element, and a secure element are described. The method includes steps performed by the secure element: receiving a request for retrieving at least one access rule controlling access to at least one application of the secure element, from access rules stored in the secure element; outputting at least one access rule retrieved from the stored access rules, wherein an access rule controlling access to an application of the secure element is retrieved by searching only in access rules stored in a security domain to which the application belongs in the secure element, or an access rule controlling access to an application of the secure element is stored only in a security domain to which the application belongs in the secure element. | 01-22-2015 |
20150026760 | System and Method for Policy-Based Confidentiality Management - A system and method for policy-based confidentiality management provides comprehensive, fluid management of information security and ethical walls. It streamlines processes for securing confidential information without creating productivity barriers, provides interfaces to securely support processes of each major audience in a professional service organization across multiple systems and allows a Risk Team to create policy types for different scenarios and identify systems affected by the policies. It supports standard policy types and those for lateral hires, ITAR, data privacy, price sensitivity, trade secrets, and conflicts of interest and provides two-stage review to prevent incorrect policy application. User interfaces allow granting, denying, and requesting access. Reports sort information governance policies by user/group, client/engagement, or policy type. The system prevents both service desk and other professionals from violating risk management policies in the first place and provides a common user experience, whether a wall has an information barrier or is confidential. | 01-22-2015 |
20150026761 | SECURITY, FRAUD DETECTION, AND FRAUD MITIGATION IN DEVICE-ASSISTED SERVICES SYSTEMS - A device having: an application program that assists the device in accessing a data service over a wireless access network, an application credential associated with the application program, and a policy to be applied when the application program initiates or attempts to initiate communication over the wireless access network. The device also has one or more agents that detect an attempted installation of update software on the device, the update software purporting to be a modification, update, or replacement of the application program; obtain an update-software credential associated with the update software; obtain the application credential; allow the update software to be installed if the update-software credential matches the application credential; and interact with the application program to arrange a setting of the application program, the setting configured to assist in applying the policy when the application program initiates or attempts to initiate communication over the wireless access network. | 01-22-2015 |
20150026762 | SYSTEM AND METHOD FOR ENFORCING SECURITY POLICIES IN A VIRTUAL ENVIRONMENT - A method in one example implementation includes intercepting a request associated with the execution of an object (e.g., a kernel module or a binary) in a computer configured to operate in a virtual machine environment. The request is associated with a privileged domain of the computer that operates logically below one or more operating systems. The method also includes verifying the authorization of the object by computing a checksum for the object and comparing the checksum to a plurality of stored checksums in a memory element. Execution of the object is denied if it is not authorized. In other embodiments, the method can include evaluating a plurality of entries within the memory element of the computer, wherein the entries include authorized binaries and kernel modules. In other embodiments, the method can include intercepting an attempt from a remote computer to execute code from a previously authorized binary. | 01-22-2015 |
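The checksum comparison in the abstract above is an execution allowlist: hash the object that is about to run and refuse it unless the digest is already in the stored set. The following is an added example, not code from the patent or any product; the "sha256  name" allowlist format, the ExecutionGuard class and the sample ELF-like byte strings are all constructed for illustration. The one detail worth getting right in practice is that the digest must be computed over the exact bytes that will execute (the mapped image), not over a path that is re-read later, or the check can be raced.

```python
import hashlib
from typing import List, Set, Tuple


def checksum(obj: bytes) -> str:
    """SHA-256 hex digest of the exact bytes that are about to execute."""
    return hashlib.sha256(obj).hexdigest()


def parse_allowlist(text: str) -> Set[str]:
    """Parse a constructed 'sha256  name' line format (hypothetical; not the
    patent's storage layout). '#' starts a comment. Malformed digests raise
    rather than being skipped, so a corrupted list fails closed."""
    digests: Set[str] = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        digest = line.split()[0].lower()
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"malformed allowlist entry: {raw!r}")
        digests.add(digest)
    return digests


class ExecutionGuard:
    """Hook for an intercepted execution request: allow only objects whose
    checksum is in the stored set, and record every decision for audit."""

    def __init__(self, allowlist: Set[str]) -> None:
        self.allowlist = allowlist
        self.audit: List[Tuple[str, str, str]] = []  # (name, digest, decision)

    def authorize(self, name: str, obj: bytes) -> bool:
        digest = checksum(obj)
        allowed = digest in self.allowlist
        self.audit.append((name, digest, "allow" if allowed else "deny"))
        return allowed


# Constructed stand-ins for a kernel module and a user-space binary.
KERNEL_MODULE = b"\x7fELF" + bytes(range(1, 61))
HELPER_BINARY = b"\x7fELF" + bytes(range(61, 121))

# Constructed allowlist; a deployment would load this from protected storage.
ALLOWLIST_TEXT = "\n".join([
    "# sha256  name",
    f"{checksum(KERNEL_MODULE)}  hello.ko",
    f"{checksum(HELPER_BINARY)}  /usr/local/bin/helper",
])


def demo() -> List[Tuple[str, str, str]]:
    """Three intercepted execution attempts: known-good, one bit flipped, never listed."""
    guard = ExecutionGuard(parse_allowlist(ALLOWLIST_TEXT))
    tampered = KERNEL_MODULE[:-1] + bytes([KERNEL_MODULE[-1] ^ 0x01])
    guard.authorize("hello.ko", KERNEL_MODULE)             # allow
    guard.authorize("hello.ko", tampered)                  # deny: digest changed
    guard.authorize("/tmp/unknown", b"\x7fELF" + b"\x00")  # deny: never listed
    return guard.audit


if __name__ == "__main__":
    for name, digest, decision in demo():
        print(f"{decision:5} {name} {digest[:16]}...")
```

The name in the allowlist is informational only; the decision is keyed purely on the digest, so renaming or moving an authorized binary neither grants nor revokes anything.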
20150026763 | EDUCATING USERS AND ENFORCING DATA DISSEMINATION POLICIES - An authoring component determines the sensitivity of an authored document and generates a user interface conveying contextual educational information about data dissemination policies that apply to the document. The user interface also provides user input mechanisms that allow the user to provide inputs that affect the enforcement of a given data dissemination policy on the document. | 01-22-2015 |
20150026764 | DETECTING, ENFORCING AND CONTROLLING ACCESS PRIVILEGES BASED ON SANDBOX USAGE - Systems and methods may provide for receiving web content and detecting an access control attribute associated with the web content. Additionally, the access control attribute may be monitored for a disablement condition. In one example, the disablement condition may be detected, an access policy may be determined in response to the disablement condition, and the access policy may be implemented. Other embodiments are described and claimed. | 01-22-2015 |
20150026765 | DYNAMIC PROVISIONING OF PROTECTION SOFTWARE IN A HOST INTRUSION PREVENTION SYSTEM - Methods and apparatus for optimizing security configurations of a set of computers are disclosed. A set of local servers, each functioning as a deep-security manager supporting a respective subset of the computers, maintains protection software containing filters and rules for deploying each filter. A local server receives updated protection software from a central server. Each local server interrogates each computer of its subset of computers to acquire computer-characterizing data and applies relevant rules to determine an optimal set of filters for each computer. Each rule adaptively determines required characterizing data elements from each computer for determining an optimal security configuration. A local server updates the security configuration of a computer to suit changes in the operational environment of the computer. | 01-22-2015 |
20150026766 | Mitigating a Denial-of-Service Attack in a Cloud-Based Proxy Service - A proxy server in a cloud-based proxy service receives a message that indicates that a domain, whose traffic passes through the proxy server, may be under a denial-of-service (DoS) attack. The proxy server enables a rule for the domain that specifies that future requests for resources at that domain are subject to at least initially passing a set of one or more challenges. In response to receiving a request for a resource of that domain from a visitor, the proxy server presents the set of challenges that, if not passed, are an indication that the visitor is part of the DoS attack. If the set of challenges is passed, the request may be processed. If the set of challenges is not passed, the request may be dropped. | 01-22-2015 |
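The per-domain challenge rule described above is a small state machine at the proxy: pass-through while no attack notice is in force; challenge, then process or drop, once it is. The block below is an added example, not the proxy service's own code. It abstracts the challenge content (JavaScript proof, CAPTCHA, and so on) to a nonce the visitor must echo back, and models "has passed the challenge" as an HMAC-signed, expiring token bound to the visitor address, which a real proxy would carry in a cookie; the signing key, the 300-second lifetime and the addresses used are constructed.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Set, Tuple

# Per-proxy signing key (constructed; a deployment would provision and rotate it).
PROXY_SECRET = b"constructed-proxy-secret-rotate-me"


class ChallengeProxy:
    """Per-domain challenge rule for a domain flagged as under DoS attack."""

    def __init__(self, ttl_seconds: int = 300) -> None:
        self.ttl = ttl_seconds
        self.under_attack: Set[str] = set()
        self.pending: Dict[Tuple[str, str], str] = {}  # (domain, ip) -> outstanding nonce

    def receive_attack_notice(self, domain: str) -> None:
        """The message that a domain may be under attack enables the rule."""
        self.under_attack.add(domain)

    def clear_attack_notice(self, domain: str) -> None:
        self.under_attack.discard(domain)

    def _token(self, domain: str, ip: str, expiry: int) -> str:
        msg = f"{domain}|{ip}|{expiry}".encode()
        return f"{expiry}:{hmac.new(PROXY_SECRET, msg, hashlib.sha256).hexdigest()}"

    def _token_valid(self, domain: str, ip: str, token: str, now: int) -> bool:
        expiry_text, _, _ = token.partition(":")
        if not expiry_text.isdigit():
            return False
        expiry = int(expiry_text)
        if expiry < now:
            return False
        # Constant-time compare on bytes: the token is attacker-controlled input.
        return hmac.compare_digest(token.encode(), self._token(domain, ip, expiry).encode())

    def handle(self, domain: str, ip: str, token: Optional[str] = None,
               answer: Optional[str] = None, now: Optional[int] = None) -> Tuple[str, Optional[str]]:
        """Decide one request. Returns ('process', token_or_None),
        ('challenge', nonce) or ('drop', None)."""
        now = int(time.time()) if now is None else now
        if domain not in self.under_attack:
            return ("process", None)                 # rule not enabled: pass through
        if token is not None and self._token_valid(domain, ip, token, now):
            return ("process", token)                # visitor already passed the challenge
        key = (domain, ip)
        if answer is None:
            nonce = secrets.token_hex(8)
            self.pending[key] = nonce
            return ("challenge", nonce)              # present the challenge
        expected = self.pending.pop(key, None)
        if expected is not None and hmac.compare_digest(expected.encode(), answer.encode()):
            return ("process", self._token(domain, ip, now + self.ttl))
        return ("drop", None)                        # failed challenge: treated as attack traffic
```

Two caveats a deployment must handle that the example only hints at: the pending table is itself a memory-exhaustion target under attack, so it needs a bound and a short expiry, and binding the token to the visitor address breaks for clients behind carrier-grade NAT, which is why real services bind to additional client signals rather than the address alone.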
20150026767 | SYSTEMS AND METHODS FOR IMPLEMENTING COMPUTER SECURITY - A computing device includes a security control module to monitor and control security of the operating system and security of one or more applications executing within the operating system. The security control module transmits to a remote security server a policy identifier, which identifies a security policy that applies to the operating system and to the applications. The security control module receives from the remote security server a unique cryptographic key. The security control module periodically retrieves from the security server a set of commands selected by the remote security server according to the security policy and current conditions. The security control module executes each command. Each command either modifies execution of an executable program or process, collects information, or performs an action that modifies data associated with the operating system, data associated with the security control module, or data associated with the one or more applications. | 01-22-2015 |
20150033282 | Decoupling Hardware and Software Components of Network Security Devices to Provide Security Software as a Service in a Distributed Computing Environment - Concepts and technologies are disclosed herein for decoupling hardware and software components of network security devices to provide security software as a service in a distributed computing environment. A computer system includes a processor that can execute computer-executable instructions to perform various operations. The processor can perform operations to provide security services to one or more customer platforms. The operations can include receiving a network security software component from a security service provider, and deploying the network security software component within a distributed computing environment so that the network security software component can be executed by a computing resource of the distributed computing environment to provide a security service to the customer platform(s). The network security software component includes a software component that has been decoupled from a hardware component of a network security device by the security service provider. | 01-29-2015 |
20150033283 | System and Method for Securing Documents Prior to Transmission - A system and method for securing documents attached to emails is disclosed. The system and method apply security rules to an email as it is being composed to ensure that the security policies have been expressed prior to the email being sent. The security program hooks in to the message object model so that as the message is modified, the security rules are applied to each modification. | 01-29-2015 |
20150033284 | DIGITAL MULTIMEDIA BROADCASTING APPARATUS AND METHOD FOR MULTIPLE-DRM SERVICE - A method for receiving contents using a mobile terminal according to the present invention is provided. The method includes generating a security channel connected to a system in charge of a service and content protection (SCP) client through an agent downloaded and installed in a mobile terminal; downloading and installing one or multiple SCP client software of different kinds from the system through the security channel generated by the agent; and playing back the service or content provided in a protected state by a content provider by driving, among the one or multiple SCP client software of different kinds, the SCP client software that can decode it. | 01-29-2015 |
20150033285 | NON-INTRUSIVE METHOD AND APPARATUS FOR AUTOMATICALLY DISPATCHING SECURITY RULES IN CLOUD ENVIRONMENT - The present invention relates to a non-intrusive method and apparatus for automatically dispatching security rules in a cloud environment. The method comprises: forming a composition application model of an application in the cloud environment, said composition application model including at least types of various servers for deploying said application; generating a topology model of said various servers in the cloud environment; automatically generating security rules to be adopted by the server-side firewalls of respective servers based on the application context of said application, said composition application model and said topology model; and dispatching said security rules to each server-side firewall based on said composition application model and topology model. | 01-29-2015 |
20150033286 | AUTHENTICATION POLICY ORCHESTRATION FOR A USER DEVICE - A system and method for authentication policy orchestration may include a user device, a client device, and a server. The server may include a network interface configured to be communicatively coupled to a network. The server may further include a processor configured to obtain, from a client device via the network, a transaction request for a transaction, determine an authorization requirement for the transaction request based, at least in part, on a plurality of authorization policies, individual ones of the plurality of authorization policies being separately configurable by at least one of a relying party and an authorizing party, and complete the transaction based on the authorization requirement having been met. | 01-29-2015 |
20150033287 | ANTI-VULNERABILITY SYSTEM, METHOD, AND COMPUTER PROGRAM PRODUCT - A system, method, and computer program product are provided for displaying, via at least one user interface, a plurality of techniques of different technique types including a first technique for setting or modifying a policy for mitigating a first occurrence, and a second technique for dropping packets in connection with at least one networked device for mitigating the first occurrence. Based on user input selecting the first technique for setting or modifying the policy for mitigating the first occurrence, the first technique is automatically applied for setting or modifying the policy for mitigating the first occurrence. Based on the user input selecting the second technique for dropping packets in connection with the at least one networked device for mitigating the first occurrence, the second technique is applied for dropping packets in connection with the at least one networked device for mitigating the first occurrence. | 01-29-2015 |
20150033288 | Detecting Behavioral Patterns and Anomalies Using Activity Data - Activity data is analyzed or evaluated to detect behavioral patterns and anomalies. When a particular pattern or anomaly is detected, a system may send a notification or perform a particular task. This activity data may be collected in an information management system, which may be policy based. Notification may be by way of e-mail, report, pop-up message, or system message. Some tasks to perform upon detection may include implementing a policy in the information management system, disallowing a user from connecting to the system, and restricting a user from being allowed to perform certain actions. To detect a pattern, activity data may be compared to a previously defined or generated activity profile. | 01-29-2015 |
20150040179 | Mobile Device Connection Control for Synchronization and Remote Data Access - Attempts by computing devices to access centralized data are managed according to device classification level rules. A request to access centralized data is received from an unclassified computing device. The unclassified computing device is classified into a specific one of the defined classes, based at least partially on information concerning the computing device read from the received request. Where a definition of the unclassified computing device has already been assigned to a specific class, the unclassified computing device is classified accordingly. Otherwise, the unclassified computing device is compared to multiple classified computing devices, and the unclassified computing device is classified according to the one that is most similar. Responsive to the classification of the computing device, the received request to access centralized data is governed according to a device classification level rule which specifies access policy for computing devices of the defined class. | 02-05-2015 |
20150040180 | INFORMATION FIREWALL - A data-firewall system blocks sensitive data from becoming available outside a protected space. During operation, the system can obtain an interest from a requesting entity. The requesting entity can include, for example, a software application running on a local computer, a computing device in an enterprise environment, or a computing node of a computer cluster. Also, the interest can include a location-independent structured name associated with one or more data items. When the system obtains the data associated with the location-independent structured name, the system proceeds to obtain a policy associated with the data, and to determine a context for the interest. Then, if the system determines that the requesting entity is within a protected space, as determined based on the policy and the context, the system forwards the data to the requesting entity. | 02-05-2015 |
20150040181 | MANAGING CONFIGURATIONS OF COMPUTING TERMINALS - Disclosed is a system for configuring a terminal by intercepting requests, such as Input/Output (IO) requests or registry requests, evaluating rules based on the intercepted requests during runtime, and performing actions based on the rule evaluations, such as passing the request through, redirecting the request, modifying the request, hiding resources, or performing other actions. The system can be implemented in one or more of the terminal's file system filter drivers and registry filter drivers. | 02-05-2015 |
20150040182 | SYSTEMS AND METHODS FOR ENFORCING SOFTWARE LICENSE COMPLIANCE WITH VIRTUAL MACHINES - A virtualization system supports secure, controlled execution of application programs within virtual machines. The virtual machine encapsulates a virtual hardware platform and guest operating system executable with respect to the virtual hardware platform to provide a program execution space within the virtual machine. An application program, requiring license control data to enable execution of the application program, is provided within the program execution space for execution within the virtual machine. A data store providing storage of encrypted policy control information and the license control data is provided external to the virtual machine. The data store is accessed through a virtualization system including a policy controller that is selectively responsive to a request received from the virtual machine to retrieve the license control data dependent on an evaluation of the encrypted policy control information. | 02-05-2015 |
20150040183 | NETWORK POLICY IMPLEMENTATION FOR A MULTI-VIRTUAL MACHINE APPLIANCE WITHIN A VIRTUALIZATION ENVIRONMENT - A networking policy implementation for a multi-virtual machine appliance that includes a method for selecting a network implementation by applying a network policy to existing network configurations within a virtualization environment of a computing device. A control program that executes within the virtualization environment, receives an event notification generated by a virtual machine in response to a lifecycle event. The control program, in response to receiving the notification, invokes a policy engine that applies a network policy to existing network configurations of the virtualization environment. This network policy can correspond to the virtual machine or to a network object connected to virtual interface objects of the virtual machine. The policy engine then identifies an existing network configuration that has attributes which satisfy the network policy, and selects a network implementation that satisfies the network policy and the network configuration. | 02-05-2015 |
20150040184 | Digital Enveloping for Digital Right Management and Re-broadcasting - Data files with digital envelopes are used (1) to carry embedded identifiers for digital rights management (DRM), and (2) as a means of delivering additional data or new information via a repeated re-broadcasting process by many broadcasting service providers. The new DRM applications offer additional privacy and survivability while data is in storage and/or transported on the cloud. The wavefront multiplexing/demultiplexing process (WF muxing/demuxing), embodying an architecture that utilizes multi-dimensional waveforms, has found applications in data storage and transport on the cloud. Multiple data sets are preprocessed by WF muxing before being stored/transported. WF muxed data is aggregated data from multiple data sets that have been "customized processed" and disassembled into any scalable number of sets of processed data, with each set being stored on a storage site. The original data is reassembled via WF demuxing after retrieving a lesser but scalable number of WF muxed data sets. A customized set of WF muxing on multiple digital files as inputs, including at least a data message file and a selected digital envelope file, is configured to guarantee that at least one of the multiple outputs comprises a weighted sum of all inputs with an appearance to human senses substantially identical to the appearance of the selected digital envelope in the same image, video or audio format. The output file is the file with enveloped or embedded messages. The embedded message may be reconstituted by a corresponding WF demuxing processor at the destination with a priori knowledge of the original digital envelope. In short, digital enveloping/de-enveloping can be implemented via WF muxing and demuxing formulations. WF muxed data features enhanced privacy and redundancy in data transport and storage on the cloud. On the other hand, data enveloping is in a different application domain from most WF muxing applications as far as redundancy is concerned. Enveloped data is intended only for limited receivers who have access to the associated digital envelope data files, with enhanced privacy and no or minimized redundancy. | 02-05-2015 |
20150046969 | ADJUSTING MULTI-FACTOR AUTHENTICATION USING CONTEXT AND PRE-REGISTRATION OF OBJECTS - A system and method and computer program product for user authentication that uses information about a user's context or context of their personal device(s) to dynamically modify that user's authentication or login requirements to an application in a computer or mobile device. The system is configured to run methods that detect and make use of a user's context that includes: a current environment or personal context, and uses this capability to enable variable strength authentication when attempting to log in or enter another application or resource. In one embodiment, the system implements methods to dynamically adjust the authentication challenge as a differential of all accumulated user contexts (e.g., providing a shorter password or pin-code). | 02-12-2015 |
20150046970 | IMAGE PROCESSING APPARATUS THAT CONFIGURES SETTINGS OF INFORMATION SECURITY POLICY, METHOD OF CONTROLLING THE SAME, PROGRAM, AND STORAGE MEDIUM - An image processing apparatus which enables a user to change the user mode while maintaining the state compliant with the information security policy. A network communication section receives security policy data in which information security policy is described from an external apparatus. A CPU identifies an operation mode of the image processing apparatus based on the received security policy. The CPU configures the identified operation mode such that the information security policy is satisfied. | 02-12-2015 |
20150046971 | METHOD AND SYSTEM FOR ACCESS CONTROL IN CLOUD COMPUTING SERVICE - Provided is a method and system for assigning a suitable right to a user through a security policy based access control in a computing service. A collaborative service server may authenticate a user through a cloud service server, and may issue an access token including user authentication information and user right information. The cloud service server may compare information associated with the access token and an access control list and may determine whether to authorize an access of the user to the service based on the comparison result. | 02-12-2015 |
20150046972 | RETROSPECTIVE POLICY SAFETY NET - These and other objectives are attained with a method and system for evaluating an access policy change. The method comprises the step of providing an access control mechanism having a first policy, and an audit log having entries of accesses made under that first policy. The method comprises the further steps of submitting a second policy to the access control mechanism, comparing the log entries to the second policy, and based on the results of the comparing step, taking one of a predetermined number of actions. | 02-12-2015 |
20150046973 | Access control in data processing system - A policy data structure defines predetermined authorizations, each relating to authorization of at least one user to access at least one resource, as well as dynamic access requirements. Each dynamic access requirement indicates a condition to be satisfied by a respective set of attributes associated with a user request to access a resource in order for the request to be granted in the absence of an authorization determinative of the request. If the structure does not define an authorization for a request to access a resource, it is determined whether the structure defines a dynamic access requirement determinative for the request and, if so, whether to grant the request in accordance with the respective set of attributes associated with the request. For at least one request, after determining whether to grant the request, a dynamic authorization relating to authorization to access the resource within the request is added to the structure. | 02-12-2015 |
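The two abstracts above ("RETROSPECTIVE POLICY SAFETY NET" and "Access control in data processing system") share one policy-evaluation core, so a single added example serves both; it is illustrative code, not from either patent. The PolicyStructure holds static grants plus attribute-conditioned dynamic requirements and, as the second abstract describes, records a dynamic authorization after deciding a request. The replay function implements the first abstract: every entry of an audit log taken under the live policy is re-decided under a candidate policy, and the comparison drives one of a fixed set of actions. The users, resources, the "finance plus MFA" condition and the log entries are constructed; attribute values are assumed hashable.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, List, Set, Tuple

Attrs = Dict[str, object]
Grant = Tuple[str, str, str]                      # (user, resource, action)
DynamicKey = Tuple[str, str, str, FrozenSet]      # grant plus the attribute set it was decided on


@dataclass
class DynamicRequirement:
    """Condition over request attributes, consulted when no static grant is determinative."""
    resource: str
    action: str
    condition: Callable[[Attrs], bool]
    label: str


@dataclass
class PolicyStructure:
    static: Set[Grant] = field(default_factory=set)
    requirements: List[DynamicRequirement] = field(default_factory=list)
    dynamic: Dict[DynamicKey, bool] = field(default_factory=dict)   # decisions recorded after evaluation

    def decide(self, user: str, resource: str, action: str, attrs: Attrs,
               record: bool = True) -> Tuple[bool, str]:
        if (user, resource, action) in self.static:
            return True, "static"
        # The recorded authorization is keyed on the exact attribute set, so a request
        # with changed attributes is re-evaluated instead of inheriting a stale grant.
        key = (user, resource, action, frozenset(attrs.items()))
        if key in self.dynamic:
            return self.dynamic[key], "dynamic-recorded"
        for req in self.requirements:
            if (req.resource, req.action) == (resource, action):
                granted = bool(req.condition(attrs))
                if record:
                    self.dynamic[key] = granted
                return granted, f"dynamic:{req.label}"
        return False, "no-authorization"


@dataclass
class AuditEntry:
    user: str
    resource: str
    action: str
    attrs: Attrs
    granted: bool    # decision that was made under the live policy


def replay(candidate: PolicyStructure, log: List[AuditEntry]) -> Dict[str, List[AuditEntry]]:
    """Re-decide every logged access under the candidate policy (record=False so the
    replay itself adds nothing to the candidate) and collect the differences."""
    diff: Dict[str, List[AuditEntry]] = {"newly_denied": [], "newly_allowed": []}
    for e in log:
        would, _ = candidate.decide(e.user, e.resource, e.action, e.attrs, record=False)
        if e.granted and not would:
            diff["newly_denied"].append(e)
        elif would and not e.granted:
            diff["newly_allowed"].append(e)
    return diff


def safety_net_action(diff: Dict[str, List[AuditEntry]], max_regressions: int = 0) -> str:
    """Predetermined actions: apply, apply with review, or reject the change."""
    broken = len(diff["newly_denied"])
    if broken == 0:
        return "apply"
    return "apply-with-review" if broken <= max_regressions else "reject"


def finance_with_mfa(a: Attrs) -> bool:          # constructed condition
    return a.get("dept") == "finance" and a.get("mfa") is True


PAYROLL_RULE = DynamicRequirement("payroll", "read", finance_with_mfa, "finance+mfa")
LIVE = PolicyStructure(static={("alice", "payroll", "read")}, requirements=[PAYROLL_RULE])
CANDIDATE = PolicyStructure(static={("bob", "payroll", "read")}, requirements=[PAYROLL_RULE])

# Constructed audit log of decisions made under LIVE.
AUDIT_LOG = [
    AuditEntry("alice", "payroll", "read", {"dept": "eng", "mfa": True}, True),
    AuditEntry("carol", "payroll", "read", {"dept": "finance", "mfa": True}, True),
    AuditEntry("bob", "payroll", "read", {"dept": "sales", "mfa": False}, False),
    AuditEntry("dave", "payroll", "read", {"dept": "finance", "mfa": False}, False),
]


def demo() -> Tuple[str, List[str], List[str]]:
    diff = replay(CANDIDATE, AUDIT_LOG)
    return (safety_net_action(diff, max_regressions=1),
            [e.user for e in diff["newly_denied"]],
            [e.user for e in diff["newly_allowed"]])


if __name__ == "__main__":
    print(demo())
```

Removing alice's direct grant shows up as a regression (her logged access would now fail), while bob's new grant appears as a newly allowed access; the latter is the case a reviewer most wants surfaced, since a log-replay that only counts breakage would pass an over-permissive change silently.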
20150046974 | METHOD AND APPARATUS FOR SPECIFYING TIME-VARYING INTELLIGENT SERVICE-ORIENTED MODEL - A method and an apparatus for specifying a time-varying, intelligent service-oriented model are provided. A method implemented in a computer infrastructure having computer executable code embodied on a computer readable storage medium having programming instructions, includes defining information of a service which is to be provided to one or more users having access to a system storing the defined information. The method further includes defining policies associated with the defined information to allow and deny access to selected portions of the defined information, and exposing to a user of the one or more users the selected portions of the defined information based on the defined policies allowing access to the selected portions of the defined information. | 02-12-2015 |
20150052575 | Steering Traffic Among Multiple Network Services Using a Centralized Dispatcher - A network service dispatcher is provided that transparently navigates network traffic through network service appliances utilizing sub-session connection information generated in accordance with policies pertaining to a client-server session. The network service dispatcher intercepts a first data packet of a new session between two computer systems and generates sub-session connection information that navigates the data packet through one or more network service appliances in a manner transparent to the client or server. In turn, the network service dispatcher utilizes the sub-session connection information to navigate subsequent forward or reverse data packets in the session without performing a policy-based search for each data packet. | 02-19-2015 |
20150052576 | NETWORK SYSTEM, CONTROLLER AND PACKET AUTHENTICATING METHOD - A controller managing a switch receives from the switch a notice of an unknown packet sent from an access source host that is used by a plurality of users having different authorities. The controller requests authentication data of the user who transmitted the packet from the access source host. The controller then inquires, based on the authentication data, whether access to the access destination host is permitted or refused. When the access is permitted, the controller instructs the switch to register a flow entry that transfers the packet. When the access is refused, the controller instructs the switch to register a flow entry that discards the packet. | 02-19-2015 |
20150052577 | Deploying Policies and Allowing Off-Line Policy Evaluations - In an information management system, policies are deployed to targets and targets can evaluate the policies whether they are connected or disconnected to the system. The policies may be transferred to the target, which may be a device or user. Relevant policies may be transferred while not relevant policies are not. The policies may have policy abstractions. | 02-19-2015 |
20150058912 | METHOD AND APPARATUS FOR SECURING COMPUTER INTERFACES - The present invention relates to methods and apparatuses for securing otherwise unsecured internal and external computer communications. According to one aspect, the invention relates to methods and apparatuses for implementing device gatekeeping. According to another aspect the invention relates to methods and apparatuses for encrypting and decrypting data sent over an external or internal interface. According to another aspect, the invention relates to methods and apparatuses for implementing device snooping, in which some or all traffic passing between a host and a connected device is captured into memory and analyzed in real time by system software. In embodiments, the software can also act upon analyzed information. According to certain additional aspects, the security functions performed by methods and apparatuses according to the invention can be logically transparent to the upstream host and/or to the downstream device. | 02-26-2015 |
20150058913 | Context Awareness during First Negotiation of Secure Key Exchange - Techniques are presented for establishing context awareness during first negotiation of secure key exchange. These techniques may be embodied as a method, apparatus or instructions in a computer-readable storage media. At a first network device, a message is received from a second network device as part of an initial exchange of information of a secure key exchange, the message containing information indicating one or more secure key exchange policies acceptable to the second network device and defining one or more associated security parameters. The message further contains context-specific information identifying a context of the second network device. The first network device selects a secure key exchange policy for communicating with the second network device based upon the context-specific information and sends a response message to the second network device containing the selected secure key exchange policy. If the context was understood, the response message also includes context-specific information. | 02-26-2015 |
20150058914 | INTEGRATED NETWORK INTRUSION DETECTION - Intrusion preludes may be detected (including detection using fabricated responses to blocked network requests), and particular sources of network communications may be singled out for greater scrutiny, by performing intrusion analysis on packets blocked by a firewall. An integrated intrusion detection system uses an end-node firewall that is dynamically controlled using invoked-application information and a network policy. The system may use various alert levels to trigger heightened monitoring states, alerts sent to a security operation center, and/or logging of network activity for later forensic analysis. The system may monitor network traffic to block traffic that violates the network policy, monitor blocked traffic to detect an intrusion prelude, and monitor traffic from a potential intruder when an intrusion prelude is detected. The system also may track behavior of applications using the network policy to identify abnormal application behavior, and monitor traffic from an abnormally behaving application to identify an intrusion. | 02-26-2015 |
20150058915 | ELECTRONIC DEVICE AND METHOD FOR UNLOCKING OBJECTS OF ELECTRONIC DEVICE - In a method for unlocking an object of an electronic device, an unlocking rule is preset to unlock the object. After movement signals are received from a touch screen of the electronic device, a quantity of segments displayed on the touch screen generated by the movement signals and a quantity of areas of the touch screen partitioned by the obtained segments are obtained. When a touch signal on one area of the obtained areas is received, a sequence number of the area from which the touch signal is received is calculated. The object of the electronic device is unlocked when the object is authorized to be unlocked according to the preset unlocking rule, the quantity of the obtained segments, the quantity of the obtained areas, and the sequence number of the area from which the touch signal is received. | 02-26-2015 |
20150058916 | DETECTING ENCRYPTED TUNNELING TRAFFIC - Techniques for detecting encrypted tunneling traffic are disclosed. In some embodiments, detecting encrypted tunneling traffic includes monitoring encrypted network communications between a client and a remote server, in which the encrypted network communications are encrypted using a first protocol (e.g., Secure Shell (SSH) protocol or another protocol for encrypted network communications); and determining if the client sends a request to create a tunnel using the first protocol with the remote server. In some embodiments, detecting encrypted tunneling traffic further includes performing an action in response to determining that the client sent a request to create a tunnel using the first protocol with the remote server. | 02-26-2015 |
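For the SSH case named above, "a request to create a tunnel" has a concrete wire form in RFC 4254: an SSH_MSG_CHANNEL_OPEN of type "direct-tcpip" or "forwarded-tcpip", or an SSH_MSG_GLOBAL_REQUEST named "tcpip-forward". The block below is an added example, not code from the patent or any product. It assumes the detector sees decrypted message payloads (message id first), as a host agent, a terminating bastion or server-side instrumentation would; on the wire those messages are inside the encrypted stream and only size and timing heuristics are available. The encoder functions exist only to construct sample messages, and the destination allowlist is constructed.

```python
import struct
from dataclasses import dataclass
from typing import Optional, Set, Tuple

SSH_MSG_GLOBAL_REQUEST = 80   # RFC 4254 section 4
SSH_MSG_CHANNEL_OPEN = 90     # RFC 4254 section 5.1
TUNNEL_CHANNEL_TYPES = {"direct-tcpip", "forwarded-tcpip"}   # section 7.2
TUNNEL_GLOBAL_REQUESTS = {"tcpip-forward"}                   # section 7.1


@dataclass
class TunnelRequest:
    kind: str      # channel type or global-request name
    address: str   # host to connect to (direct-tcpip) / address to bind (tcpip-forward)
    port: int


def _uint32(buf: bytes, off: int) -> Tuple[int, int]:
    if off + 4 > len(buf):
        raise ValueError("truncated uint32")
    return struct.unpack_from(">I", buf, off)[0], off + 4


def _string(buf: bytes, off: int) -> Tuple[bytes, int]:
    n, off = _uint32(buf, off)
    if off + n > len(buf):
        raise ValueError("truncated string")
    return buf[off:off + n], off + n


def parse_tunnel_request(payload: bytes) -> Optional[TunnelRequest]:
    """Inspect one decrypted SSH message payload and return a TunnelRequest
    if it asks for TCP forwarding, else None. Raises ValueError on truncation."""
    if not payload:
        return None
    if payload[0] == SSH_MSG_CHANNEL_OPEN:
        ctype, off = _string(payload, 1)
        kind = ctype.decode("ascii", "replace")
        if kind not in TUNNEL_CHANNEL_TYPES:
            return None                     # e.g. "session": a shell or exec, not a tunnel
        _, off = _uint32(payload, off)      # sender channel
        _, off = _uint32(payload, off)      # initial window size
        _, off = _uint32(payload, off)      # maximum packet size
        host, off = _string(payload, off)
        port, off = _uint32(payload, off)
        return TunnelRequest(kind, host.decode("utf-8", "replace"), port)
    if payload[0] == SSH_MSG_GLOBAL_REQUEST:
        name, off = _string(payload, 1)
        kind = name.decode("ascii", "replace")
        if kind not in TUNNEL_GLOBAL_REQUESTS:
            return None
        off += 1                            # want_reply boolean
        addr, off = _string(payload, off)
        port, off = _uint32(payload, off)
        return TunnelRequest(kind, addr.decode("utf-8", "replace"), port)
    return None


def decide(req: TunnelRequest, allowed: Set[Tuple[str, int]]) -> str:
    """Action for a detected tunnel request: allow listed destinations, block the rest."""
    return "allow" if (req.address, req.port) in allowed else "block"


# --- encoders used only to construct sample messages for this example ---
def _s(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def build_direct_tcpip(host: str, port: int, orig_ip: str, orig_port: int) -> bytes:
    return (bytes([SSH_MSG_CHANNEL_OPEN]) + _s(b"direct-tcpip")
            + struct.pack(">III", 0, 2097152, 32768)
            + _s(host.encode()) + struct.pack(">I", port)
            + _s(orig_ip.encode()) + struct.pack(">I", orig_port))


def build_session_open() -> bytes:
    return bytes([SSH_MSG_CHANNEL_OPEN]) + _s(b"session") + struct.pack(">III", 0, 2097152, 32768)


def build_tcpip_forward(address: str, port: int) -> bytes:
    return (bytes([SSH_MSG_GLOBAL_REQUEST]) + _s(b"tcpip-forward") + b"\x01"
            + _s(address.encode()) + struct.pack(">I", port))
```

A "tcpip-forward" with a bind address of "0.0.0.0" or "" asks the server to listen on all interfaces, which is the reverse-tunnel pattern worth alerting on even when the client's forward tunnels are permitted.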
20150058917 | CLOUD-BASED SECURITY POLICY CONFIGURATION - Systems and methods for configuring security policies based on security parameters stored in a public or private cloud infrastructure are provided. According to one embodiment, a first network appliance logs into a cloud account. One or more security parameters of the first network appliance are synchronized, by the first network appliance, with corresponding security parameters shared by a second network appliance to the cloud account. A security policy that controls a connection between the first network appliance and the second network appliance is automatically created, by the first network appliance, based at least in part on the one or more security parameters. | 02-26-2015 |
20150058918 | SECURE END-TO-END PERMITTING SYSTEM FOR DEVICE OPERATIONS - A permitting system for controlling devices in a system includes a permit issuing agent that receives a command to be sent to a device. Based upon at least one attribute of the command, the permit issuing agent identifies one or more business logic modules that is pertinent to the command. Each business logic module has a respectively different set of business rules associated with it. Each identified business logic module determines whether the command complies with the business rules associated with that module. If the command is determined to comply with the business rules of all of the identified business logic modules, the agent issues a permit for the command, and the permit is sent to the device for execution of the command. | 02-26-2015 |
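The permitting flow above has three moving parts: selecting the business logic modules pertinent to a command, checking the command against each module's rules, and issuing a permit the device verifies before it executes anything. The following is an added example, not the patent's own design: the permit is an HMAC-signed, expiring, single-use record, the shared key is constructed, and the command names, roles, maintenance window and device identifiers are hypothetical sample data used to exercise the flow.

```python
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple

# Key shared between the permit issuing agent and the device (constructed).
PERMIT_KEY = b"constructed-permit-key"


@dataclass
class Command:
    device_id: str
    name: str
    params: Dict[str, object]
    issuer_role: str


Rule = Callable[[Command], Optional[str]]   # returns a violation message, or None if compliant


@dataclass
class BusinessLogicModule:
    name: str
    applies_to: Callable[[Command], bool]   # attribute match that makes the module pertinent
    rules: List[Rule]

    def violations(self, cmd: Command) -> List[str]:
        return [f"{self.name}: {v}" for v in (rule(cmd) for rule in self.rules) if v]


def _mac(key: bytes, permit: Dict[str, object]) -> str:
    """MAC over a canonical JSON encoding of every permit field except the MAC itself."""
    body = {k: v for k, v in permit.items() if k != "mac"}
    canon = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canon, hashlib.sha256).hexdigest()


class PermitIssuingAgent:
    def __init__(self, modules: List[BusinessLogicModule], key: bytes = PERMIT_KEY, ttl: int = 60):
        self.modules, self.key, self.ttl = modules, key, ttl

    def request_permit(self, cmd: Command, now: int) -> Tuple[Optional[Dict[str, object]], List[str]]:
        """Issue a permit only if every pertinent module finds the command compliant."""
        pertinent = [m for m in self.modules if m.applies_to(cmd)]
        violations = [v for m in pertinent for v in m.violations(cmd)]
        if violations:
            return None, violations
        permit: Dict[str, object] = {"device": cmd.device_id, "command": cmd.name,
                                     "params": cmd.params, "exp": now + self.ttl,
                                     "nonce": secrets.token_hex(8)}
        permit["mac"] = _mac(self.key, permit)
        return permit, []


class Device:
    """Executes a command only under a valid, unexpired, unused permit naming this device."""

    def __init__(self, device_id: str, key: bytes = PERMIT_KEY):
        self.device_id, self.key = device_id, key
        self.used_nonces: Set[str] = set()
        self.executed: List[str] = []

    def execute(self, permit: Dict[str, object], now: int) -> bool:
        if permit.get("device") != self.device_id or int(permit.get("exp", 0)) < now:
            return False
        if not hmac.compare_digest(str(permit.get("mac", "")).encode(), _mac(self.key, permit).encode()):
            return False
        if permit["nonce"] in self.used_nonces:          # replayed permit
            return False
        self.used_nonces.add(str(permit["nonce"]))
        self.executed.append(str(permit["command"]))
        return True


# Constructed rules and modules.
def in_maintenance_window(cmd: Command) -> Optional[str]:
    hour = cmd.params.get("hour")
    return None if isinstance(hour, int) and 1 <= hour <= 5 else "disconnect outside 01:00-05:00 window"


def issued_by_operations(cmd: Command) -> Optional[str]:
    return None if cmd.issuer_role == "operations" else "disconnect requires operations role"


def firmware_is_verified(cmd: Command) -> Optional[str]:
    return None if cmd.params.get("signature_verified") is True else "firmware image not signature-verified"


MODULES = [
    BusinessLogicModule("disconnect", lambda c: c.name == "remote_disconnect",
                        [in_maintenance_window, issued_by_operations]),
    BusinessLogicModule("firmware", lambda c: c.name == "firmware_update", [firmware_is_verified]),
]
```

Because the MAC covers the device, command and parameters, a permit issued for one device cannot be redirected to another, and the nonce set on the device closes the replay window that the expiry alone would leave open; in a fleet the nonce set needs pruning by expiry so it does not grow without bound.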
20150058919 | SYSTEM AND METHOD TO CONTROL SENDING OF UNSOLICITED COMMUNICATIONS - A system and method to control sending of unsolicited communications over a network is provided. Typically, the network is the Internet and the system defines a SPAM prevention tool for users of an on-line service, such as an on-line bidding service. Users may contact an intended recipient with a contact form, which is forwarded to the recipient's e-mail address by an on-line service provider. A link accessible from a Web site allows recipients of unsolicited e-mail to complain to the on-line service provider. Sanctions are implemented against the sender of unsolicited e-mail based on the frequency of complaints. When the complaint level against a sender reaches a certain threshold, the sender is unable to use the contact form for a predetermined time period. | 02-26-2015 |
20150058920 | METHOD AND APPARATUS FOR PROVIDING DISTRIBUTED POLICY MANAGEMENT - An approach is provided for distributed policy management and enforcement. A policy manager determines one or more domains of an information system. The one or more domains are associated at least in part with respective subsets of one or more resources of the information system. The policy manager also determines one or more respective access policies local to the one or more domains. The one or more respective access policies are configured to enable a determination at least in part of access to the respective subsets, the one or more resources, or a combination thereof. At least one of the one or more respective access policies is configured to operate independently of other ones of the one or more respective schemas. | 02-26-2015 |
20150058921 | APPLICATION ACCELERATION AS A SERVICE SYSTEM AND METHOD - Disclosed are systems and methods to provide application acceleration as a service. In one embodiment, a system includes a head office to serve an enterprise application comprised of a collaborative document. The system also includes a branch office to request the collaborative document from the head office. The enterprise application may also include a computed document and/or a static document. In addition, the system also includes a set of Point of Presence (POP) locations between the head office and the branch office to communicate the collaborative document, the computed document and the static document on behalf of the head office from a closest POP location to the head office to a closest POP location to the branch office and then onward to the branch office. | 02-26-2015 |
20150058922 | METHOD AND APPARATUS FOR CONTROLLING NETWORK DEVICE - The present invention relates to the field of communications and discloses a method and an apparatus for controlling a network device. An open service platform intercepts an instruction packet sent to a network device, identifies authority of the instruction packet and judges whether the instruction packet is in conflict with a previous instruction, and sends the instruction packet to the network device if the instruction packet has the authority and is not in conflict with the previous instruction. The method and apparatus can ensure correct and lawful control caused by the instruction packet on the network device. | 02-26-2015 |
20150058923 | Secure web container for a secure online user environment - Disclosed herein are systems and methods that allow for secure access to websites and web-based applications and other resources available through the browser. Also described are systems and methods for invocation of a secure web container which may display data representative of a requesting party's application at a user's machine. The secure web container is invoked upon receipt of an API call from the requesting party. Thus, described in the present specification are systems and methods for constructing and destroying private, secure, browsing environments (a secure disposable web container), insulating the user and requesting parties from the threats associated with being online for the purposes of providing secure, policy-based interaction with a requesting party's online services. | 02-26-2015 |
20150058924 | Security Model for a Layout Engine and Scripting Engine - Various embodiments provide an interface between a Web browser's layout engine and a scripting engine. The interface enables objects from the layout engine to be recognized by a memory manager in the scripting engine and interact in a streamlined, efficient manner. In accordance with one or more embodiments, the interface allows browser layout engine objects to be created as objects that are native to the scripting engine. Alternately or additionally, in some embodiments, the native objects are further configured to proxy functionality between the layout engine and the scripting engine. | 02-26-2015 |
20150067759 | SYSTEM AND METHOD FOR IMPLEMENTING DATA MIGRATION WHILE PRESERVING SECURITY POLICIES OF A SOURCE FILER - A data migration system in which security policies of a source file system are preserved, in an environment in which clients actively issue communications for the source filer while data is migrated to a destination file system. | 03-05-2015 |
20150067760 | CONFORMING PASSWORDS TO A PASSWORD POLICY - An apparatus, program product, and method are disclosed for receiving a password entered by a user, the password not conforming to one or more requirements of a password policy, manipulating the password to create one or more compliant passwords conforming to the one or more requirements of the password policy, and presenting a list of the one or more compliant passwords to the user wherein a compliant password is selectable by the user. | 03-05-2015 |
20150067761 | MANAGING SECURITY AND COMPLIANCE OF VOLATILE SYSTEMS - An inventory manager optimizes the security and maintenance of a plurality of virtual machines and their workloads in a cloud environment and has: an inventory database, a workload compliance history of scanning workloads database, and a workload category database including security rules and compliance policies relating to workload category in a repository. The inventory manager identifies changes to characteristics of the workload of the plurality of virtual machines; alters the inventory database stored in the repository and maintained by the inventory manager, based on the identified changes to the characteristics of the workload of the plurality of virtual machines; and initiates security rules and compliance policies of the workload category database based on the identified changes to the characteristics of the workload of the plurality of virtual machines through a security tools program. | 03-05-2015 |
20150067762 | METHOD AND SYSTEM FOR CONFIGURING SMART HOME GATEWAY FIREWALL - A secured smart home system having (a) a smart-home gateway with firewall protection; (b) a plurality of appliances connected to the gateway and located at a secured side of the firewall; and (c) a remote environment classification server located at a non-secured side of the firewall, for providing a firewall policy to the gateway. The gateway submits a list of the appliances to the remote environment classification server, and the classification server provides in response the firewall policy to the gateway. | 03-05-2015 |
20150067763 | HARDWARE AND SOFTWARE EXECUTION PROFILING - Technologies for assembling an execution profile of an event are disclosed. The technologies may include monitoring the event for a branch instruction, generating a callback to a security module upon execution of the branch instruction, filtering the callback according to a plurality of event identifiers, and validating a code segment associated with the branch instruction, the code segment including code executed before the branch instruction and code executed after the branch instruction. | 03-05-2015 |
20150067764 | WHITELIST-BASED NETWORK SWITCH - A whitelist-based network switch defines a whitelist and a handling rule based on an access control list, security policies, etc., and monitors and blocks network traffic based on the whitelist and the handling rule. The whitelist-based network switch includes a whitelist monitoring unit for storing a whitelist including permitted communication rules, monitoring one or more packets input through a plurality of switch interfaces based on the whitelist, and permitting communication of each packet conforming to the whitelist, and a whitelist management unit for updating the whitelist and transmitting an updated whitelist to the whitelist monitoring unit. | 03-05-2015 |
20150067765 | METHOD AND SYSTEM FOR UPDATING MEDIA LISTS IN PORTABLE MEDIA DEVICES - A method and apparatus for updating a media list or a media list collection of a portable media player device is disclosed herein. In various embodiments, the updates are generated by a proxy or a third party server, based at least in part on data gathered for media preferences for a user of the portable media player device and one or more other users of one or more portable media player devices. In various embodiments, the method is practiced respecting the access rights of the media files (if access rights are required). Other embodiments may also be described and claimed. | 03-05-2015 |
20150067766 | APPLICATION SERVICE MANAGEMENT DEVICE AND APPLICATION SERVICE MANAGEMENT METHOD - An application service management method includes: assigning permission for the application service items comprised in an application cluster to the users of a user group; verifying an identity of a user in response to a login operation of the user via a terminal device, and, after verifying that the user is a legal user, determining the user group that the user belongs to, the corresponding application cluster, and the application service items that the user has permission to use; requesting an application service provider to execute an application service item when a permitted user of the user group generates an execution operation on the application service item; and obtaining an application execution interface from the application service provider and displaying the obtained application execution interface on the terminal device of the user. | 03-05-2015 |
20150067767 | INFORMATION PROCESSING APPARATUS THAT DISTRIBUTES SETTINGS COMPLIANT WITH SECURITY POLICY AND CONTROL METHOD THEREFOR, IMAGE PROCESSING APPARATUS AND CONTROL METHOD THEREFOR, INFORMATION PROCESSING SYSTEM AND CONTROL METHOD THEREFOR, AND STORAGE MEDIUM - An information processing apparatus that makes it possible to save time and effort expended by an administrator on distribution of settings compliant with a security policy. Whether or not an application installed in the image processing apparatus to which setting values compliant with a security policy are to be distributed can be set to the settings is determined. When it is determined that the application cannot be set to the settings, whether or not the application can be set to the settings by updating thereof is determined. When the determination result indicates that the settings can be set by updating the application, the application is updated, and the settings are distributed to the image processing apparatus. | 03-05-2015 |
20150067768 | ZONE POLICY ADMINISTRATION FOR ENTITY TRACKING AND PRIVACY ASSURANCE - The present invention includes entity tracking, privacy assurance, and zone policy administration technologies allowing for the creation of zone policies, including the definition of zones and managed entities, the zone policies including rules that apply to the managed entities within or in relation to the zones, and privacy policies assuring privacy of sensitive data. The technologies also provide for the definition of sensors, rule event objects, and default event objects, and for the establishment of associations between rules and managed entities, sensors, and rule event objects so as to create zone policies. Event objects may generate zone policy events or actions upon compliance with or violation of various rules of zone policy. Managed entities are defined as entities associated with mobile devices capable of location tracking and communication with zone policy servers. Entities may be persons, vehicles, animals, or any other object for which tracking and zone policy administration is of value. Zone policy may include privacy policy that may restrict access to or set access conditions for data or information. Privacy policies may be used to ensure individual managed entities and their data remain anonymous to a desired degree and that sensitive data is appropriately protected. | 03-05-2015 |
20150067769 | Providing Virtualized Private Network Tunnels - Various aspects of the disclosure relate to providing a per-application policy-controlled virtual private network (VPN) tunnel. In some embodiments, tickets may be used to provide access to an enterprise resource without separate authentication of the application and, in some instances, can be used in such a manner as to provide a seamless experience to the user when reestablishing a per-application policy controlled VPN tunnel during the lifetime of the ticket. Additional aspects relate to an access gateway providing updated policy information and tickets to a mobile device. Other aspects relate to selectively wiping the tickets from a secure container of the mobile device. Yet further aspects relate to operating applications in multiple modes, such as a managed mode and an unmanaged mode, and providing authentication-related services based on one or more of the above aspects. | 03-05-2015 |
20150067770 | INTER-DOMAIN REPLICATION OF SERVICE INFORMATION - An automated conversion of service information that includes endpoint addresses of service providers and security policies between independent enterprise information technology (IT) management domains is performed using a federated gateway within each of the independent enterprise IT management domains that bridges the independent enterprise IT management domains. The automated conversion of the service information allows at least one service consumer application executing within a first independent enterprise IT management domain to use a local service definition format to access at least one remote service provider application with a remote service interface defined using a different remote service definition format for execution in a second independent enterprise IT management domain. Service provider application endpoint translation is dynamically performed, in response to at least one service request for the at least one remote service provider application, using the federated gateway within each of the independent enterprise IT management domains that bridges the independent enterprise IT management domains. | 03-05-2015 |
20150074741 | METHOD AND SYSTEM FOR EXTENDING NETWORK RESOURCES CAMPUS-WIDE BASED ON USER ROLE AND LOCATION - A method, system, and computer readable medium is disclosed which utilizes the LISP control plane to increase communications and access to enterprise resources in a network with multiple subnetworks, such as a university setting. As a result, the various embodiments of the present invention provide a routing and services dimension to enterprise discovery protocol traffic, such as Apple Bonjour traffic. A LISP instance ID, which is carried in the LISP header, is used to associate one or more end user devices with specific enterprise resources in a particular subnetwork or a service domain, wherein these resources may be accessed by the end user device even if the end user device migrates to another subnetwork. Another embodiment of the invention limits routing services advertisements from enterprise services to a subset of end user devices associated with particular user EIDs by using L2-LISP multicast techniques. | 03-12-2015 |
20150074742 | World-Driven Access Control - Functionality is described herein for managing the behavior of one or more applications, such as augmented reality applications and/or other environment-sensing applications. The functionality defines permission information in a world-driven manner, which means that the functionality uses a trusted mechanism to identify cues in the sensed environment, and then maps those cues to permission information. The functionality then uses the permission information to govern the operation of one or more applications. | 03-12-2015 |
20150074743 | EXTENSIBLE MULTI-TENANT CLOUD-MANAGEMENT SYSTEM AND METHODS FOR EXTENDING FUNCTIONALITIES AND SERVICES PROVIDED BY A MULTI-TENANT CLOUD-MANAGEMENT SYSTEM - The current document is directed to an interface and authorization service that allows users of a cloud-director management subsystem of distributed, multi-tenant, virtual data centers to extend the services and functionalities provided by the cloud-director management subsystem. A cloud application programming interface (“API”) entrypoint represents a request/response RESTful interface to services and functionalities provided by the cloud-director management subsystem as well as to service extensions provided by users. The cloud API entrypoint includes a service-extension interface and an authorization-service management interface. The cloud-director management subsystem provides the authorization service to service extensions, which allows the service extensions to obtain, from the authorization service, an indication of whether or not a request directed to the service extension through the cloud API entrypoint is authorized. | 03-12-2015 |
20150074744 | APPARATUS, SYSTEMS, AND METHODS FOR MANAGING DATA SECURITY - Disclosed embodiments of a data protection mechanism can provide secure data management. In particular, the disclosed embodiments provide secure data management mechanisms that can control transfer of data items so that contents of protected data items are not accessible to non-authorized parties. For example, the disclosed system can prevent an application from storing a protected file using a new file name. As another example, the disclosed system can prevent an application from sending a protected file to another computing device over a communication network. | 03-12-2015 |
20150074745 | MOBILE COMMUNICATION DEVICE AND METHOD OF OPERATING THEREOF - A mobile communication device is provided. The mobile communication device includes a first trusted platform module, a second trusted platform module, a processor, and a storage medium. The storage medium includes instructions that cause the processor to establish a root of trust for a first persona and a second persona, wherein the first persona includes a first operating system and a first trusted execution environment, and the second persona includes a second operating system and a second trusted execution environment. The instructions also cause the processor to store measurements defining the root of trust for the first persona in the first trusted platform module, store measurements defining the root of trust for the second persona in the second trusted platform module, and load the first persona and the second persona using the roots of trust for the first and second personas. | 03-12-2015 |
20150074746 | World-Driven Access Control Using Trusted Certificates - Functionality is described herein for receiving events which characterize features in an environment, and for identifying at least one policy based on the events. The functionality consults a certificate, associated with the policy, to determine whether the policy is valid. If valid, the functionality uses the policy to govern the behavior of at least one application, such as by controlling the application's consumption of events. A trusted passport authority may be employed to generate the certificates. Each certificate may: (1) identify that it originated from the trusted passport authority; (2) contain context information which describes a context in which the policy is intended to be applied within an environment; and/or (3) contain machine-readable content that, when executed, carries out at least one aspect of the policy. | 03-12-2015 |
20150074747 | METADATA-DRIVEN AUDIT REPORTING SYSTEM THAT APPLIES DATA SECURITY TO AUDIT DATA - A system is provided that reports audit data. The system defines metadata that defines security conditions for a business object. The system further receives a request from a user to retrieve audit data contained within a database table, where the audit data includes a history of modifications to an attribute of the business object. The system further retrieves the audit data from the first database table. The system further applies the security conditions to the audit data based on the metadata. The system further displays the audit data within a user interface when the security conditions are satisfied. | 03-12-2015 |
20150074748 | CONTENT MONITORING AND HOST COMPLIANCE EVALUATION - Evaluating content is disclosed. Evaluating includes determining a host policy associated with one or more host policy rules, wherein the host policy specifies one or more conditions under which the content may be hosted, automatically assessing compliance with the one or more host policy rules based at least in part on a context associated with the use of the content, and combining the compliance assessments to make a compliance evaluation. | 03-12-2015 |
20150074749 | REMOTE ASSET MANAGEMENT SERVICES FOR INDUSTRIAL ASSETS - A remote asset server allows an industrial asset (e.g., a controller, motor drive, etc.) to be remotely and securely monitored and managed by an owner of the industrial asset as well as other relevant entities, such as original equipment manufacturers (OEMs). The remote asset server acts as a network infrastructure device that regulates access to the industrial asset by different entities in accordance with security policies defined by an end user. These defined security policies are implemented in a cloud platform as role-specific portals by a connectivity broker, the portals serving as secure connection pipelines to the industrial asset via the remote asset server. Using this architecture, an end user can define which aspects of an industrial asset are allowed to be remotely viewed, accessed, or modified by outside entities such as OEMs or system integrators. | 03-12-2015 |
20150074750 | INTEGRATING SECURITY POLICY AND EVENT MANAGEMENT - A plurality of security events is detected in a computing system, each security event based on at least one policy in a plurality of security policies. Respective interactive graphical representations are presented in a graphical user interface (GUI) of either or both of the security events or security policies. The representations include interactive graphical elements representing the respective security events or security policies. User selection of a particular event element via the interactive GUI causes a subset of the security policies to be identified, each security policy in the subset serving as a basis for at least one particular security event represented by the particular event element. User selection of a particular policy element via the interactive GUI causes a subset of the security policies to be identified, each security event in the subset based at least in part on a particular security policy represented by the particular policy element. | 03-12-2015 |
20150074751 | SYSTEMS AND METHODS FOR FINE GRAIN POLICY DRIVEN CLIENTLESS SSL VPN ACCESS - The present disclosure provides solutions that may enable an enterprise providing services to a number of clients to determine whether to establish a client based SSL VPN session or a clientless SSL VPN session with a client based on information associated with the client. An intermediary establishing SSL VPN sessions between clients and servers may receive a request from a client to access a server. The intermediary may identify a session policy based on the request. The session policy may indicate whether to establish a client based SSL VPN session or a clientless SSL VPN session with the server. The intermediary may determine, responsive to the policy, to establish a clientless or client based SSL VPN session between the client and the server. | 03-12-2015 |
20150074752 | System and Method for Secure Control of Resources of Wireless Mobile Communication Devices - Systems and methods for secure control of a wireless mobile communication device are disclosed. Each of a plurality of domains includes at least one wireless mobile communication device asset. When a request to perform an operation affecting at least one of the assets is received, it is determined whether the request is permitted by the domain that includes the at least one affected asset, by determining whether the entity with which the request originated has a trust relationship with the domain, for example. The operation is completed where it is permitted by the domain. Wireless mobile communication device assets include software applications, persistent data, communication pipes, and configuration data, properties or user or subscriber profiles. | 03-12-2015 |
20150074753 | INTEGRATING POLICIES FROM A PLURALITY OF DISPARATE MANAGEMENT AGENTS - Described herein are embodiments for managing policies of a mobile device. In embodiments, a mobile device receives policy containers from a plurality of disparate management agents. Each policy container has one or more policies. Each policy corresponds to a particular category that governs various aspects of the device. The policies described herein may be device wide policies corresponding to various features on the device. The policies may also be data specific policies which dictate how data is stored on and transferred to and from the device. Once the policies are received, a determination is made as to which policy in each category is the most secure policy. The most secure policy for each category is merged to create a global policy that is applied to the mobile device. | 03-12-2015 |
20150074754 | CERTIFICATE MANAGEMENT METHOD BASED ON CONNECTIVITY AND POLICY - Plural modes of operation may be established on a mobile device. Specific modes of operation of the mobile device may be associated with specific spaces in memory. By associating the existing certificate store structure and key store structure with a mode of operation, certificates and keys can be assigned to one space among plural spaces. Furthermore, management (viewing/importation/deletion) of certificates associated with specific modes of operation may be controlled based on the presence or absence of a mobile device administration server and the status (enabled/disabled) of an IT policy. | 03-12-2015 |
20150074755 | METHOD AND SYSTEM FOR MAPPING BETWEEN CONNECTIVITY REQUESTS AND A SECURITY RULE SET - A system capable of automated mapping between a connectivity request and an ordered security rule-set, and a method of operating it. The system includes an interface operable to obtain data characterizing at least one connectivity request; a module for automatically recognizing at least one rule within the rule-set, the rule controlling traffic requested in the at least one connectivity request, wherein the recognizing is provided by comparing a set of combinations specified in the connectivity request with a set of combinations specified in the rule and matching connectivity-related actions specified in the connectivity request; a module for automatically evaluating the relationship between traffic controlled by the recognized at least one rule and traffic requested in the at least one connectivity request; and a module for automatically classifying, in accordance with the evaluation results, the at least one connectivity request with respect to the at least one rule and/or vice versa. | 03-12-2015 |
20150074756 | SIGNATURE RULE PROCESSING METHOD, SERVER, AND INTRUSION PREVENTION SYSTEM - A signature rule processing method, a server, and an intrusion prevention system are provided. The method includes: performing, by a cloud server, correlation analysis on signature rule usage status information of each security device connected to the cloud server and the latest signature rule set published by the cloud server, to obtain a most active threat signature rule identification list; and sending, by the cloud server, update information to each security device to update a signature rule after generating the update information according to the most active threat signature rule identification list. The present invention is applicable to the field of network security systems. | 03-12-2015 |
20150082370 | SYSTEM AND METHOD FOR COMPACT FORM EXHAUSTIVE ANALYSIS OF SECURITY POLICIES - A system is described that analyzes and validates network security policies associated with network devices. The system includes a compiler and a security policy analysis and validation tool. The compiler encodes a security policy associated with a network device into a predicate expressed in bit-vector logic and generates a bit-vector formula based on the predicate. The tool receives the bit-vector formula and applies a Satisfiability Modulo Theories (SMT) solver thereto to identify and enumerate solutions to the bit-vector formula. The enumerated solutions provide information about the validity of the first security policy. The solutions may be compactly enumerated as a product of intervals or a product of unions of intervals. | 03-19-2015 |
20150082371 | Multi-Persona Devices and Management - A method of installing an application on a device configured with a plurality of personas is disclosed. The method includes receiving an indication to engage a first persona of the plurality of personas. The method further includes causing an indication of the first persona to be displayed. The method further includes receiving, via an interface associated with the first persona, an indication to install a first application. The method further includes causing the first application to be installed. The method further includes causing the installed first application to be associated with the first persona. | 03-19-2015 |
20150082372 | PRIVILEGED ACCOUNT PLUG-IN FRAMEWORK - STEP-UP VALIDATION - Techniques for managing privileged accounts via a privileged access management service are provided. In some examples, the service may be configured with a plug-in framework for accessing secure resources. In some aspects, plug-in code for implementing a workflow that includes step-up validation associated with a user attempting to access at least one secure resource may be received. Access to the at least one secure resource may be provided when the user is authenticated with respect to the service. In some examples, a request to access a second secure resource may be received. Additionally, in some examples, the workflow to perform the step-up validation may be implemented at least in response to the request to access the second secure resource. The workflow is implemented based at least in part on an attribute associated with the request. | 03-19-2015 |
20150082373 | PRIVILEGED ACCOUNT PLUG-IN FRAMEWORK - USAGE POLICIES - Techniques for managing privileged accounts via a privileged access management service are provided. In some examples, the service may be configured with a plug-in framework for accessing secure resources. In some aspects, a log-in request that includes authentication information and corresponds to the service may be received. Session access to at least one secure resource may be provided when a user is authenticated. In some examples, a request to perform an action associated with the secure resource may be received during the session. Additionally, in some examples, the plug-in framework may be implemented to determine whether the user is allowed to perform the action. Further, performance of the action may be allowed or denied during the session based on the determination. | 03-19-2015 |
20150082374 | METHOD AND SYSTEM FOR SELECTIVE APPLICATION OF DEVICE POLICIES - A method and system for selective application of device policies are described herein. The method can include the step of receiving one or more policies from a messaging server in which the policies are intended to be indiscriminately applied to a computing device. Out of the received policies, one or more container policies that are to be applied to a container of the computing device can be identified. The identified container policies can be applied to the container such that the identified container policies may be prevented from being indiscriminately applied to the computing device. | 03-19-2015 |
20150082375 | A SYSTEM FOR ENFORCING AN ACCESS POLICY FOR CONTENT ITEM CONSUMPTION - Enforcing a global access policy, comprising a global access rule for a user's devices, for consumption of a content item. The user's devices advantageously comprise a set-top box, a tablet and a gateway. The gateway is configured to split the global access rule into local access rules for the set-top box and the tablet so that independent consumption of the content item by the set-top box and the tablet according to the respective local access rules does not violate the global access rule; and to send the local access rules to a first and a second enforcement point, which are configured to receive a request to access the content item from a user device; and allow or inhibit access to the content item depending on whether or not access to the content item is authorized by the local access rule for the user device from which the request was received. | 03-19-2015 |
20150082376 | SENDING OUT-OF-BAND NOTIFICATIONS - Out-of-band notifications are used to inform users of clients of security policy enforcement actions, such as enforcement of a data loss prevention (DLP) policy. Code for instantiating a notification agent at a client used by a user is inserted into network traffic inbound to the client. Outbound network traffic sent from the client to a server is monitored for compliance with one or more security policies. If it is determined that the network traffic violates a security policy, an enforcement action is taken. An out-of-band notification message describing the enforcement action is inserted into a response to the outbound network traffic and sent to the client. The notification agent at the client receives the notification message and presents the message to the user. | 03-19-2015 |
20150082377 | GENERATION OF ATTRIBUTE BASED ACCESS CONTROL POLICY FROM EXISTING AUTHORIZATION SYSTEM - Attributes relevant to at least one existing authorization system are identified. Noise removal from identified attributes of the at least one existing authorization system is performed. An attribute based access control (ABAC) policy is generated from remaining identified attributes to derive logical rules that grant or deny access. | 03-19-2015 |
20150082378 | SYSTEM AND METHOD FOR ENABLING SCALABLE ISOLATION CONTEXTS IN A PLATFORM - A system and method for operating a computing platform that includes distributing a job within an isolation context to a computing platform, which includes receiving a deployment request that includes a set of isolation context rules; transferring a job instance update as specified by the deployment request to a machine of the computing platform; and at the machine, instantiating the job instance within an isolation context and configuring the set of isolation context rules as a set of resource quotas and networking rules of the isolation context; and enforcing the set of resource quotas and networking rules during operation of the job instance within the computing platform. | 03-19-2015 |
20150082379 | PAGE DISPLAY METHOD, APPARATUS AND TERMINAL - The embodiments of the disclosure provide a page display method and apparatus, belonging to the field of terminals. The method comprises monitoring the page browsing mode of a browser while running the browser; determining a changed page browsing mode, if the page browsing mode of the browser is changed; and displaying a tips button on the current page of the browser, if the changed page browsing mode is a specified mode. The apparatus comprises a monitoring module, a determining module, and a displaying module. Thereby, the tips-making process while switching modes is simplified. The tips button is displayed on a specific location to remind users, without breaking the continuous browsing via the browser, so that non-trace switch can be achieved when the browser changes its page browsing mode. | 03-19-2015 |
20150089566 | ESCALATION SECURITY METHOD FOR USE IN SOFTWARE DEFINED NETWORKS - A method for performing an escalation security policy in a software defined network (SDN) includes receiving at least one attack indication performed against at least one destination server; upon determination that an attack is being performed against the at least one destination server, for each client sending traffic to the at least one destination server: determining a risk state for a user of that client; obtaining an escalation security policy respective of the determined risk state of the user, wherein the escalation security policy defines a sequence of at least one challenge action for challenging that client, an order and at least one condition for execution of the sequence of at least one challenge action; and causing network elements of the SDN to divert incoming traffic from that client to security servers connected to the SDN and configured to perform the at least one challenge action. | 03-26-2015 |
20150089567 | AUTOMATED PRODUCTION OF CERTIFICATION CONTROLS BY TRANSLATING FRAMEWORK CONTROLS - A compliance application automatically produces certification controls by translating framework controls. The framework controls are common certification controls used in production of the certification. The application retrieves framework controls including metadata from a compliance framework data store. Metadata of the framework controls map the framework controls to the certification. In addition, the application retrieves certification parity data associated with the metadata. Certification controls are produced based on the framework controls and the certification parity data. A view of the certification including the certification controls is provided to a customer requesting the certification. | 03-26-2015 |
20150089568 | DEVICE IDENTIFICATION SCORING - Device identification scoring systems and methods may be provided that can increase the reliability and security of communications between devices and service providers. Users may select and configure additional identification factors that are unique and convenient for them. These factors, along with additional environmental variables, feed into a trust score computation that weights the trustworthiness of the device context requesting communication with a service provider. Service providers rely on the trust score rather than enforce a specific identification routine themselves. A combination of identification factors selected by the user can be aggregated together to produce a trust score high enough to gain access to a given online service provider. A threshold of identification risk may be required to access a service or account provided by the online service provider. | 03-26-2015 |
20150089569 | BUNDLED AUTHORIZATION REQUESTS - A framework, which conforms to the OAuth standard, involves a generic OAuth authorization server that can be used by multiple resource servers in order to ensure that access to resources stored on those resource servers is limited to access to which the resource owner consents. Each resource server registers, with the OAuth authorization server, metadata for that resource server, indicating scopes that are recognized by the resource server. The OAuth authorization server refers to this metadata when requesting consent from a resource owner on behalf of a client application, so that the consent will be of an appropriate scope. The OAuth authorization server refers to this metadata when constructing an access token to provide to the client application for use in accessing the resources on the resource server. The OAuth authorization server uses this metadata to map issued access tokens to the scopes to which those access tokens grant access. | 03-26-2015 |
20150089570 | CONFIGURABLE ADAPTIVE ACCESS MANAGER CALLOUTS - A framework, which conforms to the OAuth standard, involves a generic OAuth authorization server that can be used by multiple resource servers in order to ensure that access to resources stored on those resource servers is limited to access to which the resource owner consents. Each resource server registers, with the OAuth authorization server, metadata for that resource server, indicating scopes that are recognized by the resource server. The OAuth authorization server refers to this metadata when requesting consent from a resource owner on behalf of a client application, so that the consent will be of an appropriate scope. The OAuth authorization server refers to this metadata when constructing an access token to provide to the client application for use in accessing the resources on the resource server. The OAuth authorization server uses this metadata to map issued access tokens to the scopes to which those access tokens grant access. | 03-26-2015 |
20150089571 | PLUGGABLE AUTHORIZATION POLICIES - A framework, which conforms to the OAuth standard, involves a generic OAuth authorization server that can be used by multiple resource servers in order to ensure that access to resources stored on those resource servers is limited to access to which the resource owner consents. Each resource server registers, with the OAuth authorization server, metadata for that resource server, indicating scopes that are recognized by the resource server. The OAuth authorization server refers to this metadata when requesting consent from a resource owner on behalf of a client application, so that the consent will be of an appropriate scope. The OAuth authorization server refers to this metadata when constructing an access token to provide to the client application for use in accessing the resources on the resource server. The OAuth authorization server uses this metadata to map issued access tokens to the scopes to which those access tokens grant access. | 03-26-2015 |
20150089572 | System for Supervising the Security of an Architecture - A method is provided for supervising security of an architecture having a plurality of interconnected clouds. A cloud includes a plurality of resources and a security supervisor. The plurality of resources forms in the cloud a plurality of groups of resources associated respectively with a security domain. A security controller supervises the resources of the domain, and a plurality of physical machines contains the resources of the plurality of clouds. The method includes: receiving a security event by a security controller of a first cloud, originating from a first resource associated with a first security domain; dispatching said security event to the security supervisor of the first cloud; and dispatching by the security supervisor of the first cloud a security order in reaction to the security event to at least one second security controller of the first cloud and dispatching the security order by the second security controller to a second resource supervised by the second controller. | 03-26-2015 |
20150089573 | INFORMATION PROCESSING APPARATUS AND METHOD FOR CONTROLLING THE SAME, AND NON-TRANSITORY COMPUTER-READABLE MEDIUM - An information processing apparatus comprises: a providing unit configured to provide an interface via which a policy version of a security policy for restricting an operation of an application is inquired about, the security policy being set in the information processing apparatus; and an installing unit configured to install an application that has declarative information in which a policy version is described, wherein the installing unit inquires about the policy version set in the information processing apparatus via the interface provided by the providing unit, compares the policy version that is obtained in response to the inquiry with the policy version described in the declarative information of the application, and restricts an operation of the installed application based on a comparison result. | 03-26-2015 |
20150089574 | Columnar Table Data Protection - Shuffling data stored in columnar tables improves data storage security, particularly when used in conjunction with other security operations, such as tokenization and cryptography. A data table is accessed, and pointer values of at least one column of the accessed table are shuffled, generating a protected table. An index table mapping index values to the shuffled pointer values is generated, allowing a user with access to both the protected table and the index table to generate the original table. Without both tables, users are only able to see either the shuffled data or the index values. Example shuffling methods include, but are not limited to, random shuffling, grouped shuffling, sorting by column value, and sorting by index value. | 03-26-2015 |
20150089575 | AUTHORIZATION POLICY OBJECTS SHARABLE ACROSS APPLICATIONS, PERSISTENCE MODEL, AND APPLICATION-LEVEL DECISION-COMBINING ALGORITHM - A global policy store, in which policies applicable to multiple applications in an enterprise environment can be stored, can be stored in association with that environment. An application-level policy combining algorithm can be associated with a specific application to resolve conflicts between the results of evaluating policies that pertain to that application's resources. A persistent model is defined for an Extensible Access Control Markup Language (XACML) target definition. | 03-26-2015 |
20150089576 | SYSTEMS AND METHODS FOR ADAPTIVE APPLICATION AND PRIVACY PRESERVING INTERNET OF THINGS - The present invention provides a system and method for adaptive application and privacy preserving internet of things. The system comprises at least one configured IoT device(s) (A) for receiving, processing, filtering, storing and transferring limited information to at least one receiving IoT device(s) (R1, R2, . . . , Rn), at least one inputting IoT device(s) (ID1, ID2, . . . IDn) for transferring information to said IoT device(s) (A), at least one memory unit (M) for storing processed information in said configured IoT device (A), at least one communication interface (C) for communication between IoT device(s), and at least one receiving IoT device(s) (R1, R2, . . . Rn) to receive processed information from said configured IoT device (A) as per the information flow policies (P), thereby limiting the type and amount of private information that can be supplied or leaked to the public from one IoT device irrespective of the application running on the IoT device. | 03-26-2015 |
20150089577 | SYSTEM AND METHOD FOR UPDATING DOWNLOADED APPLICATIONS USING MANAGED CONTAINER - A managed container may be configured to manage enterprise applications, manage enterprise information stored on a device, manage a protected storage area used by the managed container to store and reference the enterprise applications during execution, and manage a database storing enterprise rules related to management of the enterprise applications and the enterprise information. The managed container may communicate with an application gateway server to control download and update of the enterprise applications, the enterprise information, and the enterprise rules. The application gateway server may be coupled to a backend enterprise application. At least one of the enterprise applications may be configured to execute in conjunction with the backend enterprise application according to at least one of the enterprise rules, and is configured to, according to another one of the enterprise rules, manage the enterprise information associated with the backend enterprise application. | 03-26-2015 |
20150089578 | MITIGATING POLICY VIOLATIONS THROUGH TEXTUAL REDACTION - A method of applying a policy comprises receiving a text and applying the policy to the text. If the policy is violated, the method further comprises redacting the text and reapplying the policy to the redacted text. In response to a result of reapplying the policy to the redacted text, action is taken as determined by the policy. | 03-26-2015 |
20150089579 | WEB-BASED SINGLE SIGN-ON WITH FORM-FILL PROXY APPLICATION - Web-based single sign-on can enable a user to log in to a single interface (such as through a web browser or thin client) and then provide SSO services to the user for one or more web applications. The web-based SSO system can be extended to support one or more different access control methods, such as form-fill, Federated (OIF), SSO Protected (OAM), and other policies. The web-based SSO system can include a user interface through which the user can access different web applications, systems, etc. and manage their credentials. Each SSO service can be associated with a web interface allowing the SSO services to be accessed over the web. The web interfaces can provide CRUD (create, read, update, delete) functionality for each SSO service. To support different access policy types, the web-based SSO system can include an extensible data manager that can manage data access to different types of repositories transparently. | 03-26-2015 |
20150089580 | WEB-BASED SINGLE SIGN-ON LOGON MANAGER - Web-based single sign-on can enable a user to log in to a single interface (such as through a web browser or thin client) and then provide SSO services to the user for one or more web applications. The web-based SSO system can be extended to support one or more different access control methods, such as form-fill, Federated (OIF), SSO Protected (OAM), and other policies. The web-based SSO system can include a user interface through which the user can access different web applications, systems, etc. and manage their credentials. Each SSO service can be associated with a web interface allowing the SSO services to be accessed over the web. The web interfaces can provide CRUD (create, read, update, delete) functionality for each SSO service. To support different access policy types, the web-based SSO system can include an extensible data manager that can manage data access to different types of repositories transparently. | 03-26-2015 |
20150089581 | APPLICATION SERVER FOR DELIVERING APPLETS TO CLIENT COMPUTING DEVICES IN A DISTRIBUTED ENVIRONMENT - An applet server accepts requests for applets from client computers. A request specifies the format in which an applet is to be delivered to the requesting client computer. The applet server has a cache used to store applets for distribution to client computers. If the specified form of the requested applet is available in the cache, the applet server transmits the applet to the requesting client. If the applet is not available in the cache, the server will attempt to build the applet from local resources (program code modules and compilers) and transformer programs (verifiers and optimizers). If the applet server is able to build the requested applet, it will transmit the applet to the requesting client computer. If the applet server is unable to build the requested applet, it will pass the request to another applet server on the network for fulfillment of the request. | 03-26-2015 |
20150089582 | Cloud Based Firewall System And Service - A cloud-based firewall system and service is provided to protect customer sites from attacks, leakage of confidential information, and other security threats. In various embodiments, such a firewall system and service can be implemented in conjunction with a content delivery network (CDN) having a plurality of distributed content servers. The CDN servers receive requests for content identified by the customer for delivery via the CDN. The CDN servers include firewalls that examine those requests and take action against security threats, so as to prevent them from reaching the customer site. The CDN provider implements the firewall system as a managed firewall service, with the operation of the firewalls for given customer content being defined by that customer, independently of other customers. In some embodiments, a customer may define different firewall configurations for different categories of that customer's content identified for delivery via the CDN. | 03-26-2015 |
20150089583 | SYSTEM AND METHOD FOR SECURING VIRTUALIZED NETWORKS - A method and apparatus that secures a dynamic virtualized network is described. In an exemplary embodiment, a device receives a current network policy of the dynamic virtualized network. In addition, the current network policy includes multiple network policy elements, where each of the multiple network policy elements identifies an authorized endpoint in the dynamic virtualized network. The device further determines a network security policy for the dynamic virtualized network from the current network policy. The network security policy includes one or more second network policy elements that are a different network policy element than one of the multiple network policy elements of the current network policy. In addition, each of the one or more second network policy elements adds an additional policy on how network traffic is processed in the dynamic virtualized network by a port of one of the plurality of network access devices. The device further applies the network security policy to each network access device that is affected by the network security policy. | 03-26-2015 |
20150089584 | Inspecting Code and Reducing Code Size Associated to a Target - Code is associated to a target based on an inspection of the code. A target may be a device or a user. A number of code components may be inspected at one time and then transferred or otherwise associated to a target based on the target's profile. A code component may be a policy of an information management system. | 03-26-2015 |
20150095968 | Flexible Role Based Authorization Model - Systems and methods described herein relate to role-based authorization systems which allow customization of role templates as well as the ability, using roles, for one user to act on behalf of another user. | 04-02-2015 |
20150095969 | SYSTEM AND METHOD FOR SOFTWARE DEFINED BEHAVIORAL DDOS ATTACK MITIGATION - Systems and methods for software defined behavioral DDoS attack mitigation are provided. According to one embodiment, a method is provided for controlling multiple distributed denial of service (DDoS) mitigation appliances. A DDoS attack mitigation central controller configures attack mitigation policies for the DDoS attack mitigation appliances. The DDoS attack mitigation policies are sent to the DDoS attack mitigation appliances through a network connecting the DDoS attack mitigation central controller and the DDoS attack mitigation appliances. | 04-02-2015 |
20150095970 | MOBILE DEVICE MANAGEMENT AS A SIMPLIFIED ONLINE SOFTWARE SERVICE - Technology is disclosed for implementing a mobile device management service. The technology includes a first computing device behind a first firewall, for providing device management as a software as a service that is configured to (a) receive one or more policies from an entity, the entity managing a second server computing device that is behind a second firewall, wherein the first firewall and the second firewall are different firewalls, further wherein at least one of the received policies is indicated to pertain to a group of mobile computing devices; and (b) upon receiving a communication from a mobile computing device belonging to the group of mobile computing devices, transmit to the mobile computing device the received policy pertaining to the group of mobile computing devices, wherein the received policy specifies a condition for future communications between the mobile computing device and the second server computing device. | 04-02-2015 |
20150095971 | AUTHENTICATION IN COMPUTER NETWORKS - Trusted and/or secure communication in transactions between objects or users in a computer network, which do not require imposition of an overseeing authority or system, but wherein security measures are agreed between the parties, leading to a legally enforceable agreement, the process of agreement comprising the formation of a relationship between the first and second objects, by exchanging preferably identity data with the other to a mutually satisfactory degree, the identity data including reference identity data, and the network optionally including one or more audit mechanisms for providing independent verification of the reference items, agreeing data safeguarding procedures to be carried out, and providing a configuration file which regulates transactions between the users and which specifies the conditions under which communication transactions may take place between the users, the degree of identity data to be exchanged, the identity reference data required, and the type and amount of data safeguarding employed. | 04-02-2015 |
20150095972 | SECURE VIRTUAL FILE MANAGEMENT SYSTEM - Virtual file management is disclosed. Managed content from multiple separate storage domains is organized into a virtual file system that maintains with respect to each of at least a subset of said separate storage domains information of storage domain specific file system primitives to perform primitive operations with respect to content stored in that storage domain. Policies are determined that apply to the managed content. Each policy indicates primitive operations permitted to be performed with respect to the managed content. Information comprising the virtual file system and the policies is provided to a client application on a mobile device. The client application is configured to provide access to the managed content in the virtual file system in a manner at least in part indicated in the policies, including by allowing the permitted primitive operations to be performed using said storage domain specific file system primitives. | 04-02-2015 |
20150095973 | CLOUD DATABASE LOCKDOWN - Techniques are described herein for locking down a cloud database. In an embodiment, each respective database cloud service of a plurality of database cloud services is associated with a different respective database schema of a plurality of database schemas within a database. For each respective database cloud service of the plurality of database cloud services, the respective database cloud service is prevented from accessing the plurality of database schemas except for the respective database schema that is associated with the respective database cloud service. | 04-02-2015 |
20150095974 | WIRELESS COMMUNICATION METHOD IN ESL (ELECTRONIC SHELF LABEL) SYSTEM - Embodiments of the invention provide a wireless communication method in an ESL system including selecting any rows and columns in a matrix table to input each value of the selected rows and columns and values of intersecting points of the rows and the columns to matrix security fields of a data frame, respectively, wirelessly transmitting the frame from a tag to a gateway or from the gateway to the tag, receiving the transmitted frame and using a matrix value written in the matrix security fields, respectively, to retrieve the values of the intersecting points; discriminating whether the values of the retrieved intersecting point are equal to the values of the intersecting points written in the matrix security field of the received frame, and when two values are equal to each other in the discrimination, determining a received frame as a normal frame and analyzing the remaining field of the frame. | 04-02-2015 |
20150095975 | Configuring and Providing Profiles that Manage Execution of Mobile Applications - Various aspects of the disclosure relate to configuring and providing policies that manage execution of mobile applications. In some embodiments, a user interface may be generated that allows an IT administrator or other operator to set, change and/or add to policy settings. The policy settings can be formatted into a policy file and be made available for download to a mobile device, such as via an application store or to be pushed to the mobile device as part of a data push service. The mobile device, based on the various settings included in the policy file, may perform various actions to enforce the security constraints that are represented by the policy. The various settings that can be included in a policy are numerous and some examples and variations thereof are described in connection with the example embodiments discussed herein. | 04-02-2015 |
20150095976 | VIRTUAL ACCESS TO NETWORK SERVICES - Methods, systems, and computer readable storage media for providing virtual access to network services. A virtual storage layer contains reference objects configured to reference network services stored in a network computing environment. Network clients access the reference objects through a resource interface based on a resource identifier associated with the virtual storage layer. Initiation of the virtual service by a network client invokes the service in a native computing environment of the service. | 04-02-2015 |
20150095977 | METHOD AND DEVICE FOR PROCESSING CHARGING DATA - Disclosed are methods and devices for processing charging data. A method comprises: obtaining charging data; obtaining a data fragment definition of the charging data; segmenting the charging data into a plurality of data fragments according to the data fragment definition; converting the plurality of data fragments into a plurality of corresponding target data fragments according to anonymization conversion rules respectively corresponding to the plurality of data fragments, and configuring a charging rule for each of the target data fragments, wherein the charging rule for each respective target data fragment is the same as the charging rule for the data fragment from which the target data fragment is converted; and assembling the plurality of target data fragments to obtain anonymized target data. The disclosed methods and devices not only enable the anonymization of the charging data, but also enable the target data after anonymization to be used for charging service processing. | 04-02-2015 |
20150101007 | SYSTEMS AND METHODS FOR DEVICE CONFIGURATION AND ACTIVATION WITH AUTOMATED PRIVACY LAW COMPLIANCE - A dual-path out-of-box experience for automating a quick, simple and restricted configuration, or a full configuration, of a device. The simple configuration allows a user to operate the device to access restricted applications and device resources. The full configuration includes performing, by an international privacy law analysis module, processes for determining applicable privacy law based on a user's location information, and for showing compliance with applicable privacy law. Processes include obtaining a user's consent to the terms of a privacy policy, and verifying a user's authority to consent to the terms of the privacy policy. | 04-09-2015 |
20150101008 | Reputation System in a Default Network - A system and a method are disclosed for computing a reputation score for user profiles of a social network according to actions taken by user profiles of the social network. The reputation score may be based on interactions of a user profile with a content item or based on interactions of user profiles with other user profiles. Actions may be weighted differently in calculating a reputation score as a sum of products of action counts and actions weights. Reputation scores calculated may be used to rank user profiles and to determine reputation levels for user profiles based on exceeding a threshold in reputation score or reputation ranking. | 04-09-2015 |
20150101009 | METHOD FOR PROVIDING ACCESS OF AN USER END DEVICE TO A SERVICE PROVIDED BY AN APPLICATION FUNCTION WITHIN A NETWORK STRUCTURE AND A NETWORK STRUCTURE - For allowing a simple and reliable differentiation of UEs behind a GW from an AF side, a method for providing access of a User End device (UE) to a service provided by an Application Function (AF) within a network structure is claimed, wherein the UE is authenticated by a Gateway (GW) to which the UE is attached and which provides access to the AF via a Broadband Access Network (BB Access Network). The method is characterized in that the GW informs a state database (SDB) on service flow requests to or from the authenticated UE towards the AF, that the GW additionally sends NAT (Network Address Translation) or NAPT (Network Address and Port Translation) binding information of a respective NAT or NAPT binding created by the GW regarding the authenticated UE and a respective service flow request to the SDB, and that the SDB sends the NAT or NAPT binding information or a UE identifier to the AF, so that the AF—after having received the service flow request from the GW—can correlate the authenticated UE with the service flow request. Further, a corresponding network structure is claimed, preferably for carrying out the above mentioned method. | 04-09-2015 |
20150101010 | MALICIOUS CODE INFECTION CAUSE-AND-EFFECT ANALYSIS - A malware analysis system for automating cause and effect analysis of malware infections is provided. The malware analysis system monitors and records computer system activities. Upon being informed of a suspected malware infection, the malware analysis system creates a time-bounded snapshot of the monitored activities that were conducted within a time frame prior to the notification of the suspected malware infection. The malware analysis system may also create a time-bounded snapshot of the monitored activities that are conducted within a time frame subsequent to the notification of the suspected malware infection. The malware analysis system provides the created snapshot or snapshots for further analysis. | 04-09-2015 |
20150101011 | ANTI-MALWARE MOBILE CONTENT DATA MANAGEMENT APPARATUS AND METHOD - There is provided an anti-malware mobile content data management apparatus for use in managing content data within an input electronic file containing content data to be sent over a wireless network comprising at least one mobile device served by the wireless network. The apparatus comprises at least one tokeniser to tokenise the content data contained within the input electronic file into a tagged generic representation of the content data, a content management engine to apply a predetermined content management policy to the tagged generic representation of the content data to form content-managed tagged generic content data, and a validator to create validated content-managed content data by ensuring that the content-managed content data represented in the content-managed tagged generic representation conforms to any predefined limits and rules applied to each form of content data appearing in the content data of the input electronic file, wherein an output of the validator is operably coupled to the wireless network and arranged to provide a substitute output electronic file derived from the validated content-managed content data. There are also provided an anti-malware mobile content data management method, wireless network and mobile device. | 04-09-2015 |
20150101012 | SYSTEM AND METHOD FOR ENCRYPTION KEY MANAGEMENT, FEDERATION AND DISTRIBUTION - Systems and methods are described for orchestrating a security object, including, for example, defining and storing a plurality of policies in a database coupled to a policy engine and receiving, by the policy engine, the security object and at least one object attribute associated with the security object. In addition, the policy engine determines the acceptability of the security object based, at least in part, on the at least one object attribute and at least one of the plurality of policies corresponding to the at least one object attribute. The security object is distributed to at least one communication device associated with the policy engine when the security object is determined to be acceptable. The at least one communication device establishes communication based, at least in part, on the security object. | 04-09-2015 |
20150101013 | ENCRYPTED PEER-TO-PEER DETECTION - Encrypted peer-to-peer detection is provided. In some embodiments, encrypted peer-to-peer detection includes monitoring network traffic from a first client to determine whether the first client is executing a peer-to-peer application; and generating network traffic that emulates peer-to-peer network traffic sent from the peer-to-peer application executing on the first client to a second client after detecting unknown network traffic sent from the first client to the second client. In some embodiments, encrypted peer-to-peer detection includes monitoring network traffic from a client to determine that the client is sending a request for information for a peer-to-peer application executing on the client; and generating a network traffic response to the client that emulates peer-to-peer network traffic. | 04-09-2015 |
20150101014 | PROVISIONING AUTHORIZATION CLAIMS USING ATTRIBUTE-BASED ACCESS-CONTROL POLICIES - Disclosed are methods and devices for provisioning authorization claims, which are enforced to control access of users to objects (resources) in a computer system, and which are to be equivalent to an attribute-based access control (ABAC) policy. A policy converter according to the invention includes a policy processor processing the policy by partial evaluation against attribute values of the users, objects or permission levels in the system and outputting simplified policies, which are subject to reverse evaluation in a reverse policy evaluator, whereby users, objects and permission levels to be associated by way of a single authorization claim are obtained. Responsible for the defining of the authorization claim and its distribution in the computer system are an authorization claim generator and an authorization claim distribution interface. The invention may be so configured as to return a single authorization claim for each combination of an object and a permission level. | 04-09-2015 |
20150101015 | MASTER SECURITY POLICY SERVER - A master policy server manages security policies for client computers through a network of local policy servers. Each local policy server is responsible for the security policies on a group of clients and maintains a data store containing the security policies and security information pertaining to the clients. Periodically, the master policy server and the local policy server synchronize, at which time the master policy server replicates updated policies to the local policy servers and the local policy servers upload client security statistics to the master policy server for consolidation into a global status. | 04-09-2015 |
20150106867 | SECURITY INFORMATION AND EVENT MANAGEMENT - Systems and methods for conducting correlation analysis for security events with assets attributes of a network by a SIEM device to enable more efficient reporting are provided. According to one embodiment, when a SIEM device obtains a security event, a risk level of the security event is calculated based on at least a correlation of the security event with one or more asset attributes of a network that is managed by the SIEM device. When the risk level meets a predetermined or configurable threshold, the SIEM device causes the security event to be reported to an administrator of the network. | 04-16-2015 |
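Added example, not code from the patent: one way to compute the risk level described above by correlating an event with the attributes of the asset it targets, and to report only when a configurable threshold is met. The asset attributes (criticality, exposure, os), the weights, the threshold and the sample events are all constructed assumptions.

```python
# Added example, not code from the patent: score a security event against the
# attributes of the asset it targets and report it when a threshold is met.
from dataclasses import dataclass
from typing import Optional

# Constructed asset inventory. The attribute names ("criticality", "exposure",
# "os") and the weights below are assumptions for illustration.
ASSETS = {
    "10.0.0.5": {"criticality": 5, "exposure": "internet", "os": "linux"},
    "10.0.0.9": {"criticality": 2, "exposure": "internal", "os": "windows"},
}
EXPOSURE_WEIGHT = {"internet": 2.0, "internal": 1.0}
REPORT_THRESHOLD = 20.0  # configurable reporting threshold, assumed value


@dataclass
class SecurityEvent:
    signature: str
    severity: int                    # sensor-reported severity, 1 (low) .. 5 (critical)
    target_ip: str
    target_os: Optional[str] = None  # OS the signature applies to, if known


def risk_level(event: SecurityEvent, assets=ASSETS) -> float:
    """Correlate the event with the target asset's attributes to get a risk level."""
    asset = assets.get(event.target_ip)
    if asset is None:
        # No asset record: nothing to correlate with, fall back to raw severity
        return float(event.severity)
    if event.target_os and event.target_os != asset["os"]:
        # Exploit aimed at an OS the asset does not run: keep it, but downgrade it
        return event.severity * 0.2
    return event.severity * asset["criticality"] * EXPOSURE_WEIGHT[asset["exposure"]]


def should_report(event: SecurityEvent, threshold=REPORT_THRESHOLD, assets=ASSETS) -> bool:
    """True when the correlated risk level meets the reporting threshold."""
    return risk_level(event, assets) >= threshold


if __name__ == "__main__":
    # Constructed events for a quick run
    events = [
        SecurityEvent("linux exploit attempt", 4, "10.0.0.5", "linux"),
        SecurityEvent("linux exploit attempt", 4, "10.0.0.9", "linux"),
        SecurityEvent("port scan", 3, "192.0.2.44"),
    ]
    for e in events:
        print(f"{e.target_ip:12} risk={risk_level(e):5.1f} report={should_report(e)}")
```

The same sensor severity yields a risk of 40 against an internet-facing critical Linux host and 0.8 against an internal Windows host that the signature cannot apply to, which is the reduction in reporting noise the abstract is after.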
20150106868 | SUPERVISORY CONTROLS USING CONTEXTUAL AWARENESS - Methods and systems for supervisory control using contextual awareness on an information handling system may involve receiving policy rules and selection of endorsed activities for supervised users from a primary user. When a supervised user attempts to perform activities on an information handling system, access to the activities may include restricting access until a time budget for endorsed activities has been satisfied. The policy rules may depend upon a usage context for a supervised user, such as location, other users nearby, activity history, user behavior, and/or user physical activity. | 04-16-2015 |
20150106869 | METHOD AND SYSTEM FOR DISTRIBUTING SECRETS - Secrets data representing one or more secrets required to access associated resources is provided along with secrets distribution policy data representing one or more secrets distribution factors used to control the distribution of the secrets. When a requesting virtual asset submits secrets request data, virtual asset profile data associated with the requesting virtual asset is obtained. The requesting virtual asset profile data is then analyzed using at least one of the secrets distribution factors to authenticate the requesting virtual asset. The requesting virtual asset profile data is then analyzed using one or more of secrets distribution factors to determine what secrets the requesting virtual asset legitimately needs. Authorized secrets data for the requesting virtual asset representing one or more authorized secrets is then generated. The requesting virtual asset is then provided access to the authorized secrets data. | 04-16-2015 |
20150106870 | ANOMALY DETECTION ON WEB CLIENT - Embodiments for anomaly detection on a web client are generally described herein. A processor on the web client is monitored, where a web browser is installed on the web client, with the web browser arranged to render a web page, the web page including content originating from a plurality of origins. A request from the web page to store data on the web client is intercepted, with the request originating from a particular origin of the plurality of origins. The request is analyzed and approved or denied based on the particular origin. | 04-16-2015 |
20150106871 | SYSTEM AND METHOD FOR CONTROLLING ACCESS TO SECURITY ENGINE OF MOBILE TERMINAL - Provided is a system for controlling access to a security engine of a mobile terminal including a basic operating system and a security engine in which an app ID and user authentication information are transmitted to the security engine in order to execute a reliable app installed in the basic operating system and use a security function of the security engine, and the security engine performs authentication of whether an app is the reliable app or whether a user executing the reliable app is an owner of the mobile terminal based on the app ID transmitted from the basic operating system and the user authentication information and then permits access to the security engine. | 04-16-2015 |
20150106872 | METHOD OF INSTRUCTION LOCATION RANDOMIZATION (ILR) AND RELATED SYSTEM - A method and system for relocating executable instructions to arbitrary locations are disclosed. The instruction relocation may be arbitrary or random, and may operate on groups of instructions or individual instructions. Such relocation may be achieved through hardware or software, and may use a virtual machine, software dynamic translators, interpreters, or emulators. Instruction relocation may use or produce a specification governing how to relocate the desired instructions. Randomizing the location of instructions provides defenses against a variety of security attacks. The disclosed embodiments provide many advantages over other instruction relocation techniques, such as low runtime overhead, no required user interaction, applicability post-deployment, and the ability to operate on arbitrary executable programs. | 04-16-2015 |
20150106873 | Systems And Methods For Implementing Modular Computer System Security Solutions - In some embodiments, an apparatus includes a control chain generation module configured to receive, from a control database, a security guideline control to be implemented with respect to a hardware asset. The control chain generation module is configured to select, based on requirements to satisfy the security guideline and attributes of the hardware asset, a security implementation control. The control chain generation module is configured to select a control assessor to monitor the compliance of the hardware asset with the security guideline and is configured to define a control chain including the security guideline control, the security implementation control, and the control assessor. The control chain generation module is configured to send an instruction to apply the control chain to the hardware asset such that the control assessor monitors the hardware asset for compliance with the security guideline. | 04-16-2015 |
20150106874 | MASTER SECURITY POLICY SERVER - A master policy server manages security policies for client computers through a network of local policy servers. Each local policy server is responsible for the security policies on a group of clients and maintains a data store containing the security policies and security information pertaining to the clients. Periodically, the master policy server and the local policy server synchronize, at which time the master policy server replicates updated policies to the local policy servers and the local policy servers upload client security statistics to the master policy server for consolidation into a global status. | 04-16-2015 |
20150106875 | SYSTEM AND METHOD FOR DATA MINING AND SECURITY POLICY MANAGEMENT - A method is provided in one example and includes generating a query for a database for information stored in the database. The information relates to data discovered through a capture system. The method further includes generating an Online Analytical Processing (OLAP) element to represent information received from the query. A rule based on the OLAP element is generated and the rule affects data management for one or more documents that satisfy the rule. In more specific embodiments, the method further includes generating a capture rule that defines items the capture system should capture. The method also includes generating a discovery rule that defines objects the capture system should register. In still other embodiments, the method includes developing a policy based on the rule, where the policy identifies how one or more documents are permitted to traverse a network. | 04-16-2015 |
20150106876 | ANTI-CYBER HACKING DEFENSE SYSTEM - Systems, devices, and methods for rate limiting a received packet based on logged packet information and a rules-list determination. For each packet in a set of one or more packets, packet information is logged in a data store by comparing the received packet with previously received packets. It is determined whether the received packet is part of an established connection or of a new connection; for an established connection a set of rules is performed on a subset of packets, whereas for a new connection the set of rules is performed on all received packets. Additionally, it is determined whether the packet is part of a created rules list; if so, filtering is bypassed for the packet, and if not, escalating time-based IP traffic blocks are assigned against the packet's source. | 04-16-2015 |
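Added example, not the patent's code: a small rate limiter that tracks established connections, bypasses sources on a created rules list, and assigns escalating time-based blocks to a source that opens too many new connections. The block durations, window and the sample addresses are assumptions.

```python
# Added example, not the patent's code: connection-aware rate limiting with a
# bypass list and escalating time-based blocks per offending source IP.
from collections import defaultdict
from dataclasses import dataclass

# Block durations (seconds) for the 1st, 2nd, 3rd and later offences; assumed values
ESCALATION = [60, 300, 3600]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


class RateLimiter:
    def __init__(self, max_new_per_window=5, window=10.0, bypass=()):
        self.window = window
        self.max_new = max_new_per_window
        self.bypass = set(bypass)                # "created rules list": sources never filtered
        self.established = set()                 # known (src, dst, dport) connections
        self.new_conn_log = defaultdict(list)    # src -> timestamps of new connections
        self.blocked_until = {}                  # src -> time at which the block expires
        self.offences = defaultdict(int)         # src -> number of blocks assigned so far

    def handle(self, pkt: Packet, now: float) -> str:
        """Decision for one packet: 'bypass', 'blocked' or 'accept'."""
        if pkt.src in self.bypass:
            return "bypass"
        if now < self.blocked_until.get(pkt.src, 0.0):
            return "blocked"
        key = (pkt.src, pkt.dst, pkt.dport)
        if key in self.established:
            # Established connection: only the block check above applies
            return "accept"
        # New connection: log it against earlier packets and apply the full rule set
        # (here a single rule: at most max_new new connections per window)
        log = [t for t in self.new_conn_log[pkt.src] if now - t < self.window]
        log.append(now)
        self.new_conn_log[pkt.src] = log
        if len(log) > self.max_new:
            n = self.offences[pkt.src]
            self.blocked_until[pkt.src] = now + ESCALATION[min(n, len(ESCALATION) - 1)]
            self.offences[pkt.src] += 1
            return "blocked"
        self.established.add(key)
        return "accept"


if __name__ == "__main__":
    rl = RateLimiter(max_new_per_window=2, window=10.0, bypass={"10.0.0.1"})
    for t, port in enumerate((80, 443, 8080, 8443)):
        print(t, port, rl.handle(Packet("198.51.100.7", "10.0.0.9", port), float(t)))
```

A block applies to every packet from the source, established flows included, until it expires; each further burst after expiry picks the next, longer duration from the escalation table.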
20150113587 | Integrity Checking of a Client Device in a Networked Computer Environment - Integrity checking a remote client includes generating integrity services configured to perform integrity checks on the client when executed thereon, and downloading a set of the generated services to the client. The integrity checking also includes receiving respective integrity check results from the downloaded services and performing respective integrity tests on each downloaded service based in part on the integrity check results received from that service. The integrity checking further includes replacing the set of downloaded services with a new set of services that perform same integrity tests as the replaced set of downloaded services if any downloaded service fails the respective integrity test performed thereon. | 04-23-2015 |
20150113588 | Firewall Limiting with Third-Party Traffic Classification - A PCP-aware firewall or other firewall validating a media session using third-party authorization receives more information than just the results of cryptographic token validation. The intent for each media stream of a media session is received from the Authorization Server. The intent may be used to compare to the received traffic of the media session. If the traffic is different than the intended traffic, then the exception to permit the firewall may be closed. | 04-23-2015 |
20150113589 | AUTHENTICATION SERVER ENHANCEMENTS - A set of authentication server configuration rules is implemented. The authentication server configuration rules use regular-expression based commands. A running log of commands entered by every user is maintained for each command run by the at least one authentication server. A configuration diff command is run each time a session ends. A set of actions of an authentication-server administrator on the authentication server is tracked, and the set of actions is stored in a log. The log includes the username of the authentication-server administrator who generated the log and a time source and time zone associated with the location of the set of actions. A hash algorithm is run on the log. A portable document format (PDF) formatted copy of the log is generated. A list of usernames is generated from a set of logs of the user-authentication process required to access the authentication server. | 04-23-2015 |
20150113590 | DYNAMIC ENFORCEMENT OF PRIVACY SETTINGS BY A SOCIAL NETWORKING SYSTEM ON INFORMATION SHARED WITH AN EXTERNAL SYSTEM - An external system (such as a website) that interacts with users communicates with a social networking system to access information about the users, who may also be users of the social networking system. If a privacy setting is changed in the social networking system, and the change applies to information that has been shared with an external system, the change is enforced at the external system. For example, the external system may be notified that the information is invalid and must be deleted, or the external system may periodically request the information so that changes to the privacy settings are eventually experienced at the external systems. When an external system again needs the information, whether expired naturally or actively invalidated by the social network, the external system sends a new request for the information, which is subject to the (possibly revised) privacy settings. | 04-23-2015 |
20150113591 | METHOD, SERVER AND TERMINAL DEVICE FOR ESTABLISHING COMMUNICATION SESSION - The disclosed embodiments provide a method, a server, and a terminal device for establishing a communication session. The method includes: receiving a communication session request sent from a first user via a terminal device; obtaining a communication session target for the first user, a second user, by matching for the first user; and sending an identifier of the second user to the terminal device to establish a communication session between the first user and the second user, wherein the identifier is used for the terminal device to distinguish the communication session target of the first user, and is hidden from the first user. | 04-23-2015 |
20150121446 | ACCESSING PROTECTED CONTENT FOR ARCHIVING - According to one embodiment of the present invention, a system for accessing protected content includes a first computing device with at least one processor. The system determines one or more users associated with information required to access content of a protected document based on a set of rules. A request is generated and sent to at least one second computing device associated with the one or more determined users to retrieve and utilize the required information to access the content of the protected document. Embodiments of the present invention further include a method and computer program product for accessing protected content in substantially the same manner described above. | 04-30-2015 |
20150121447 | METHOD AND APPARATUS FOR OPTIMIZING HYPERTEXT TRANSFER PROTOCOL (HTTP) UNIFORM RESOURCE LOCATOR (URL) FILTERING - A method for handling hyper-text transfer protocol (“HTTP”) requests from client devices is disclosed. The method comprises receiving an HTTP request from a client device to connect to a destination server. It further comprises extracting a plurality of HTTP headers from the HTTP request using a gateway device in accordance with a user defined configuration to create a subset of the request. Next, it comprises forwarding the subset to an external security device from the gateway device to perform URL policy processing using the request. Finally, it comprises based on a received result of the URL policy processing, transmitting the client request to the destination server. | 04-30-2015 |
20150121448 | MOBILE AND DESKTOP COMMON VIEW OBJECT - In a computing system environment for viewing, accessing, and executing computing resources on one or more computing devices of a user, methods and apparatus include creating an object configured to provide at least one navigational aid for display on at least one of the computing devices. The object allows a user to view, navigate to, and access the computing resource. The object further includes one or more computing policies defining access rights for the computing resource and a listing of one or more other computing resources required for loading and/or executing the computing resource. Other computing resources necessary for loading and/or executing the computing resource are held separate from the object, thus providing information needed to execute the computing resource to the user while abstracting methods and resources required to build and use the computing resource. | 04-30-2015 |
20150121449 | AGENT ASSISTED MALICIOUS APPLICATION BLOCKING IN A NETWORK ENVIRONMENT - Embodiments are configured to receive metadata of a process intercepted on an end host when attempting to access a network. The metadata includes a hash of an application associated with the process and an endpoint reputation score of the application. Embodiments are configured to request a threat intelligence reputation score based on the hash of the application, to determine an action to be taken by the end host based, at least in part, on one or more policies and at least one of the threat intelligence reputation score and the endpoint reputation score, and to send a response indicating the action to be taken by the end host. Further embodiments request another threat intelligence reputation score based on another hash of a dynamic link library module loaded by the process on the end host, and the action is determined based, at least in part, on the other threat intelligence score. | 04-30-2015 |
20150121450 | METHOD AND SYSTEM FOR DEFENDING AGAINST MALWARE AND METHOD FOR UPDATING FILTERING TABLE THEREOF - A method and a system for defending against malware and a method for updating a filtering table thereof are provided. The method for defending against malware includes: receiving a network packet by an electronic device, which stores a filtering table; determining whether the network packet conforms to a specific filtering rule of the filtering table by the electronic device; if the network packet conforms to the specific filtering rule, performing a specific operation on the network packet by the electronic device according to the specific filtering rule; and if the network packet does not conform to the specific filtering rule, uploading characteristic information of the network packet to a malware analyzing device by the electronic device. | 04-30-2015 |
20150121451 | Distance-Modified Security And Content Sharing - In one aspect of the invention, a system for sharing resources in an ad-hoc peer-to-peer network is presented. The ad-hoc peer-to-peer network includes a host device that is associated with a resource. A security application of the host device allows the user of the host device to share the resource with other devices in the network. The security application also allows the user to establish access policies for certain known devices within the network. An access policy established for a known device specifies what rights the known device has with respect to accessing the resource. The access policy has the characteristics of inheritance. Thus, when a device requests to access the resource, the security application of the host device determines an access policy for the device based on access policies of one or more of the known devices. | 04-30-2015 |
20150121452 | SECURITY DESIGN DEVICE AND SECURITY DESIGN METHOD - The invention provides a security design device that, even when a core configuration element implementing a security function has become unusable, enables maintenance of the security that existed before the loss of the core configuration element. The security design device, in correspondence with a configuration change of a first configuration element, extracts a security requirement model; and if the first configuration element is the core configuration element, for a second configuration element for which the security function was implemented by means of the first configuration element, it generates the security requirement model without using the first configuration element, said security requirement model implementing the same security function as when the first configuration element is used. | 04-30-2015 |
20150121453 | SYSTEM AND METHOD FOR NEW DATABASE PERMITTING - The design and implementation of databases within enterprises is a crucial process, but is often resource intensive and often times unnecessary as existing databases may be utilized to serve the same goals. Tracking existing databases and assessing the design specifications of proposed databases is a complex decision making process. Disclosed is a system and computer-based method for systematically controlling the approval, creation and modification of databases. The system provides a policy for enterprise governance control for database proliferation and a tool for comparing database requests to and against existing database assets. | 04-30-2015 |
20150128204 | METHOD AND SYSTEM FOR AUTOMATICALLY MANAGING SECURE COMMUNICATIONS IN MULTIPLE COMMUNICATIONS JURISDICTION ZONES - Communications and data security policy data for two or more communications jurisdiction zones is obtained that includes data indicating allowed protocols for the respective communications jurisdiction zones. Data indicating a desired exchange of data between a first resource in a first communications jurisdiction zone and a second resource in a second communications jurisdiction zone is received or obtained. The first communications jurisdiction zone communications and data security policy data and the second communications jurisdiction zone policy data are automatically obtained and analyzed to determine an allowed type of secure communications security level for the desired exchange of data that complies with both the first communications jurisdiction zone communications and data security policy data and the second communications jurisdiction zone policy data. A communications channel, including the allowed type of secure communications security level, is automatically established between the first resource and the second resource. | 05-07-2015 |
20150128205 | METHODS AND SYSTEMS FOR SECURE NETWORK CONNECTIONS - Context information associated with a mobile communications device and a network connection for the mobile communications device is collected. A security policy is applied to determine whether the security offered by the network connection is appropriate for the context. If the security offered by the network connection is not appropriate for the context, the network connection may be made more secure, less secure, or a different network connection having an appropriate level of security may be used for the data associated with the context. | 05-07-2015 |
20150128206 | Early Filtering of Events Using a Kernel-Based Filter - A method for providing early filtering of events using a kernel-based filter, comprising the steps of: a) providing a driver for the kernel level that acts as a kernel filtering process, wherein said driver is configured to match events that occur at the kernel level according to predefined rules; and b) upon finding a match, acting according to the definition of the matched rule in order to allow the event, disallow said event or forward the content of said event for further processing. | 05-07-2015 |
20150128207 | METHOD AND SYSTEM FOR AUTOMATICALLY MANAGING SECRETS IN MULTIPLE DATA SECURITY JURISDICTION ZONES - Data security jurisdiction zones are identified and data security policy data for the data security jurisdiction zones is obtained. The data security policy data for the data security jurisdiction zones is then automatically analyzed to determine allowed secrets data with respect to each of the identified data security jurisdiction zones. The allowed secrets data with respect to each of the data security jurisdiction zones is then automatically obtained and provided to resources in the respective data security jurisdiction zones, either from a central secrets data store or from an allowed secrets data store associated with each data security jurisdiction zone. | 05-07-2015 |
20150128208 | APPARATUS AND METHOD FOR DYNAMICALLY CONTROLLING SECURITY IN COMPUTING DEVICE WITH PLURALITY OF SECURITY MODULES - Provided are an apparatus and method for dynamically controlling security of a computing device provided with a plurality of security modules. The apparatus includes a security policy storage unit configured to store a security policy that is set according to at least one of a state of the computing device and a characteristic of an application program executed on the computing device, and a dynamic calling control unit configured to recognize that a security function is called by the application program, and determine one of the plurality of security modules whose security function is to be called according to the set security policy. | 05-07-2015 |
20150128209 | MANDATORY PROTECTION CONTROL IN VIRTUAL MACHINES - A method and system for authenticating a user to provide access to a secure application configured on a mobile device are disclosed. The method includes receiving an input from the user. The input is associated with a plurality of parameters. The method includes extracting a biometric pattern based on the input. The biometric pattern may be generated from the plurality of parameters associated with the input. The method may include comparing the biometric pattern with a plurality of reference patterns. The plurality of reference patterns are pre-defined by an owner of the mobile device. Furthermore, the method may include authenticating the user when the biometric pattern matches a reference pattern associated with the secure application from the plurality of reference patterns. Moreover, the method includes allowing the user to access the secure application, based on the authentication. | 05-07-2015 |
20150128210 | PROVISIONING USER PERMISSIONS ATTRIBUTE-BASED ACCESS-CONTROL POLICIES - An attribute-based access control policy (e.g., XACML policy) for a set of elements depends on attributes carried by elements in one of several predefined categories. In order to evaluate such policy for a set of elements, the invention provides a method including the steps of (I) selecting a primary category; (II) partitioning the elements in the primary category into equivalence classes with respect to their influence on the policy; and (III) using the equivalence classes to replace at least one policy evaluation by a deduction. The result of the evaluation may be represented as an access matrix in backward-compatible format. The efficiency of the policy evaluation may be further improved by applying partial policy evaluation at intermediate stages, by forming combined equivalence classes containing n-tuples of elements and/or by analyzing the influence of each element by extracting functional expressions of maximal length from the policy. | 05-07-2015 |
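Added example, not the patent's code: an illustration of steps (I) to (III) above with users as the primary category. Users are partitioned into equivalence classes by the values of the attributes the policy actually reads, one representative per class is evaluated against each resource, and the result is deduced for the other class members to build an access matrix. The policy, users and resources are constructed; the rule format is a simplification, not XACML.

```python
# Added example, not the patent's code: evaluate an attribute-based policy for a
# set of users by grouping users into equivalence classes of the attribute
# values the policy depends on, so each class is evaluated only once.
from collections import defaultdict

# Constructed policy. Each rule: (user attributes, resource attributes, permission);
# a rule applies when every listed attribute matches. Permit-overrides combining.
POLICY = [
    ({"role": "doctor"}, {"type": "record"}, "read"),
    ({"role": "doctor", "dept": "cardio"}, {"type": "record", "dept": "cardio"}, "write"),
    ({"role": "admin"}, {}, "read"),
]


def policy_attributes(policy):
    """Names of the user (primary category) attributes the policy depends on."""
    return sorted({name for user_attrs, _, _ in policy for name in user_attrs})


def evaluate(user, resource, policy=POLICY):
    """Plain evaluation: permissions from every rule whose attributes all match."""
    granted = set()
    for user_attrs, res_attrs, permission in policy:
        if all(user.get(k) == v for k, v in user_attrs.items()) and \
           all(resource.get(k) == v for k, v in res_attrs.items()):
            granted.add(permission)
    return granted


def equivalence_classes(users, policy=POLICY):
    """Group users whose policy-relevant attribute values are identical."""
    keys = policy_attributes(policy)
    classes = defaultdict(list)
    for name, attrs in users.items():
        classes[tuple(attrs.get(k) for k in keys)].append(name)
    return classes


def access_matrix(users, resources, policy=POLICY):
    """Build (user, resource) -> permissions. Returns the matrix and the number
    of policy evaluations performed (one per class per resource)."""
    matrix, evaluations = {}, 0
    for members in equivalence_classes(users, policy).values():
        representative = users[members[0]]
        for res_name, res_attrs in resources.items():
            perms = evaluate(representative, res_attrs, policy)
            evaluations += 1
            for member in members:  # deduction: same class, same result
                matrix[(member, res_name)] = perms
    return matrix, evaluations


USERS = {  # constructed; "shift" is an attribute the policy never reads
    "alice": {"role": "doctor", "dept": "cardio"},
    "bob":   {"role": "doctor", "dept": "cardio", "shift": "night"},
    "carol": {"role": "doctor", "dept": "neuro"},
    "dave":  {"role": "nurse",  "dept": "cardio"},
    "erin":  {"role": "admin"},
}
RESOURCES = {  # constructed
    "rec-1": {"type": "record", "dept": "cardio"},
    "rec-2": {"type": "record", "dept": "neuro"},
}

if __name__ == "__main__":
    matrix, n = access_matrix(USERS, RESOURCES)
    print(f"{n} evaluations instead of {len(USERS) * len(RESOURCES)}")
    for (user, res), perms in sorted(matrix.items()):
        print(f"{user:6} {res}: {sorted(perms)}")
```

With five users and two resources the naive approach performs ten evaluations; alice and bob collapse into one class (the extra "shift" attribute does not influence the policy), so eight suffice. The saving grows with the number of users sharing the same relevant attribute values.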
20150128211 | AUTOMATED GENERATION OF ACCESS CONTROL RULES FOR USE IN A DISTRIBUTED NETWORK MANAGEMENT SYSTEM THAT USES A LABEL-BASED POLICY MODEL - An access control rule authorizing communication between a plurality of managed servers within an administrative domain is determined. Communication information describing past communication between the plurality of managed servers is obtained. A subset of managed servers from the plurality of managed servers is identified by grouping the plurality of managed servers based on the obtained communication information. A group-level label set is determined to associate with the subset of managed servers. Role labels are determined for managed servers in the subset of managed servers. A managed server is associated with one role label. Based on the group-level label set and the role labels, an access control rule is generated authorizing communication between a first managed server of the subset of managed servers and a second managed server. The access control rule is stored as part of an administrative domain-wide management policy. | 05-07-2015 |
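Added example, not the patent's code: grouping managed servers by their observed communication, deriving one role label per server, and emitting label-based rules that authorize only the observed communication. The flow records, the group-level label set and the role-naming scheme (servers named by the ports they accept) are assumptions.

```python
# Added example, not the patent's code: derive role labels from observed
# server-to-server communication and emit label-based access control rules.
from collections import defaultdict

# Constructed flow records (src, dst, dst_port) from a short observation period
FLOWS = [
    ("10.0.1.1", "10.0.2.1", 8080), ("10.0.1.2", "10.0.2.1", 8080),
    ("10.0.1.1", "10.0.2.2", 8080), ("10.0.1.2", "10.0.2.2", 8080),
    ("10.0.2.1", "10.0.3.1", 5432), ("10.0.2.2", "10.0.3.1", 5432),
]


def communication_signature(flows):
    """For each server, the set of (direction, port) pairs it takes part in."""
    sig = defaultdict(set)
    for src, dst, port in flows:
        sig[src].add(("out", port))
        sig[dst].add(("in", port))
    return sig


def role_label(signature):
    """Assumed naming scheme: a server is named by the ports it accepts."""
    inbound = sorted(port for direction, port in signature if direction == "in")
    return "svc-" + "-".join(str(p) for p in inbound) if inbound else "client"


def group_servers(flows):
    """Servers with identical signatures form one subset and share one role label."""
    return {server: role_label(sig) for server, sig in communication_signature(flows).items()}


def generate_rules(flows, group_labels):
    """One rule per observed (source role, destination role, port), carrying the
    group-level label set so it can be stored in the domain-wide policy."""
    roles = group_servers(flows)
    rules = {}
    for src, dst, port in flows:
        key = (roles[src], roles[dst], port)
        rules[key] = {**group_labels, "from_role": roles[src], "to_role": roles[dst], "port": port}
    return [rules[k] for k in sorted(rules)]


if __name__ == "__main__":
    for rule in generate_rules(FLOWS, {"app": "shop", "env": "prod"}):
        print(rule)
```

Six observed flows reduce to two rules: clients to the 8080 service, and the 8080 service to the 5432 service. A new server that starts the same conversations gets the same role label and is covered by the existing rules without a per-address change.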
20150128212 | Determining, Without Using a Network, Whether a Firewall Will Block a Particular Network Packet - A determination is made regarding whether a firewall will block a network packet. The network packet indicates a set of one or more characteristics. A test packet is generated that indicates the set of characteristics. The test packet is sent to the firewall without using a network. A test result is received from the firewall. The test result is stored. | 05-07-2015 |
20150128213 | POLICY ENFORCEMENT - In a communications network, policies are applied to electronic mail messages by determining a plurality of routes for electronic mail messages, each route being defined by at least one sender and at least one recipient, and determining a policy to be applied to electronic mail messages on each route. At least one tag is associated with each of a plurality of servers in the communications network, and at least one of the tags is associated with each of the plurality of routes. Each of the plurality of servers identifies the or each route that is associated with a tag that is associated with the server, and then applies the respective policy to electronic mail messages on the or each identified route. This allows policy to be defined on the basis of the role of the server and the policy features that it supports. | 05-07-2015 |
20150128214 | POLICY DIRECTED SECURITY-CENTRIC MODEL DRIVEN ARCHITECTURE TO SECURE CLIENT AND CLOUD HOSTED WEB SERVICE ENABLED PROCESSES - A policy directed, security-centric model driven architecture is described to secure internal web services, such as those implementing service-oriented architecture (SOA), and external web services such as those hosted on a cloud computing platform. A distributed data dictionary hosted across multiple dictionary engines and operating in conjunction with web security services are used to embed security profiles in web services messages and to validate messages that contain such security profiles. | 05-07-2015 |
20150135253 | SOURCE REQUEST MONITORING - A method includes establishing an IP address whitelist including an acceptable IP address, establishing a resource whitelist including an acceptable resource request, establishing a resource blacklist including an indicator of a malicious resource request, and analyzing a resource request. Analyzing the resource request includes determining if a requestor IP address of the resource request is in the IP address whitelist, determining if the requested resource is in the resource whitelist, and determining if the requested resource is in the resource blacklist. A whitelist violation review is initiated, responsive to determining the requestor IP address is not in the IP address whitelist and the requested resource is not in the resource whitelist. A blacklist violation review is initiated, responsive to determining the requested resource is in the resource blacklist and the requestor IP address is not in the IP address whitelist and the requested resource is not in the resource whitelist. | 05-14-2015 |
20150135254 | APPARATUS, METHOD, AND SYSTEM FOR HARDWARE-BASED FILTERING IN A CROSS-DOMAIN INFRASTRUCTURE - An apparatus for hardware-based filtering in a multi-level secure cross-domain infrastructure includes a programmable logic device that includes a filter engine in communication with a first security module. An interface module of the filter engine is configured to receive a message from the first security module. The received message is being sent to a second security module, which has a different security classification than the first security module. A filter module of the filter engine is configured to filter the message data according to a message rule, which defines a data compliance requirement associated with the security classification of the second security module. A routing module is configured to provide the message to the second security module in response to the message data complying with the message rule. | 05-14-2015 |
20150135255 | CLIENT-CONFIGURABLE SECURITY OPTIONS FOR DATA STREAMS - A configuration request comprising a security option selected for a particular data stream is received. Nodes of a plurality of functional categories, such as a data ingestion category and a data retrieval category, are to be configured for the stream. The security option indicates a security profile of a resource to be used for nodes of at least one functional category. In accordance with the configuration request, a node of a first functional category is configured at a resource with a first security profile, and configuration of a node of a second functional category is initiated at a different resource with a different security profile. | 05-14-2015 |
20150135256 | Disambiguating conflicting content filter rules - A content filtering mechanism is enhanced to resolve conflicts in filtering rules (e.g., those created by a whitelist, on the one hand, and a blacklist, on the other hand). Preferably, a conflict between or among content filtering rules is resolved by selecting among conflicting rules based on a notion of “risk” associated with the rules. According to this risk-based approach, when two or more rules conflict with one another, the particular rule whose risk value has a predetermined relationship (e.g., aligns most closely) with a risk level associated with the application (applying the rules) then takes precedence. By selecting among conflicting rules based on risk, the potential or actual conflicts are disambiguated, with the result being that the content is filtered appropriately. | 05-14-2015 |
20150135257 | SINGLE SET OF CREDENTIALS FOR ACCESSING MULTIPLE COMPUTING RESOURCE SERVICES - A user may utilize a set of credentials to access, through a managed directory service, one or more services provided by a computing resource service provider. The managed directory service may be configured to identify one or more policies applicable to the user. These policies may define the level of access to the one or more services provided by the computing resource service provider. Based at least in part on these policies, the managed directory service may transmit a request to an identity management system to obtain a set of temporary credentials that may be used to enable the user to access the one or more services. Accordingly, the managed directory service may be configured to enable the user, based at least in part on the policies and the set of temporary credentials, to access an interface, which can be used to access the one or more services. | 05-14-2015 |
20150135258 | MECHANISM FOR FACILITATING DYNAMIC CONTEXT-BASED ACCESS CONTROL OF RESOURCES - A mechanism is described for facilitating context-based access control of resources according to one embodiment. A method of embodiments, as described herein, includes receiving a first request to access a resource of a plurality of resources. The first request may be associated with one or more contexts corresponding to a user placing the first request at a computing device. The method may further include evaluating the one or more contexts. The evaluation of the one or more contexts may include matching the one or more contexts with one or more access policies associated with the requested resource. The method may further include accepting the first request if the one or more contexts satisfy at least one of the access policies. | 05-14-2015 |
20150135259 | PROXY DEVICE FOR A NETWORK OF DEVICES - A proxy device for a network of devices may include memory, a device status module, a data intercept module, a network interface, and an emulation module. The memory may be configured to store an emulation policy for emulating a device in a network, where the policy includes a status criterion that indicates a status of the device for which the policy applies. The device status module may be configured to monitor the status of the device. The data intercept module may be configured to intercept action requests directed to the device. The network interface may be configured to forward the intercepted action requests to the device when the status of the device fails to satisfy the status criterion. The emulation module may be configured to emulate the device, and respond to the action request without accessing the device, when the status of the device satisfies the status criterion. | 05-14-2015 |
20150135260 | HIERARCHICAL MANAGEMENT OF DEVICES - A system for hierarchical management of devices may include memory and a processor. The processor may configure first devices of a first network with device operating policies to perform operations based at least on attributes of the first devices, where the operating policies prevent device interference. The processor may discover a second network of second devices managed by a second management entity and may negotiate with the second management entity to determine a primary management entity for the networks. The processor may receive device operating policies and attributes of the second devices when the second management entity is not the primary management entity. The processor may provide an adjusted device operating policy for a second device to the second management entity when the second device causes interference with a first device, the adjusted second device operating policy being based at least on attributes of the second device. | 05-14-2015 |
20150135261 | RELATIONSHIP BASED INFORMATION SHARING CONTROL SYSTEM AND METHOD OF USE - User-to-user (U2U) relationship-based access control has become the most prevalent approach for modeling access control in online social networks (OSNs), where authorization is typically made by tracking the existence of a U2U relationship of a particular type and/or depth between the accessing user and the resource owner. However, today's OSN applications allow various user activities that cannot be controlled by using U2U relationships alone. Disclosed herein is a relationship-based access control model for OSNs that incorporates not only U2U relationships but also user-to-resource (U2R) and resource-to-resource (R2R) relationships. Furthermore, while most access control approaches for OSNs only focus on controlling users' normal usage activities, disclosed herein is a model that also captures controls on users' administrative activities. Authorization policies are defined in terms of patterns of relationship paths on the social graph and the hopcount limits of these paths. | 05-14-2015 |
20150135262 | DETECTION AND PREVENTION FOR MALICIOUS THREATS - A method of identifying one or more malicious threats in a computing device. The method comprises monitoring a plurality of events occurring on a computing device in run time, a plurality of processes executed on the computing device in run time, and a plurality of host activities of the computing device in run time, identifying a compliance of at least some of the plurality of events, the plurality of processes, and the plurality of host activities with a plurality of rules, generating a rule compliance status dataset according to the compliance, identifying a match between the rule compliance status dataset and at least one of a plurality of reference profiles each indicative of a computing device operation under a malicious threat activity, and detecting a malicious threat according to the match. | 05-14-2015 |
20150135263 | FIELD SELECTION FOR PATTERN DISCOVERY - Fields are determined for pattern discovery in event data. Cardinality and repetitiveness statistics are determined for fields of event data. A set of the fields are selected based on the cardinality and repetitiveness for the fields. The fields may be included in a pattern discovery profile. | 05-14-2015 |
20150135264 | METHOD AND SYSTEM FOR PREVENTION OF MALWARE INFECTIONS - A system and method for prevention of malware infections, the system comprising: a secured server configured to authenticate a user and issue an identifier (ID) uniquely associated with the user, to receive a user input and to send commands based on the received input; a protection module configured to validate transmissions from the secured server, to reconstruct commands based on the commands sent from the secured server, and send the reconstructed commands comprising the unique user ID and a rendering processor configured to receive the reconstructed command from the protection module, to execute the reconstructed command, to acquire data from another machine based on the reconstructed command and to generate an image to represent the acquired data, the image comprising a stamp relating the image to the unique ID, wherein the protection module is placed in a transmission channel connecting between the secured server and the rendering processor. | 05-14-2015 |
20150135265 | AUTOMATIC NETWORK FIREWALL POLICY DETERMINATION - Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for identifying a first business tool and a second business tool, accessing security policy templates for the first and second business tools, compiling a security policy script by combining the security policy templates including identifying and resolving conflicting security policies, and monitoring network traffic of the first and second business tools based on the security policy script. | 05-14-2015 |
20150135266 | COMPROMISED INSIDER HONEY POTS USING REVERSE HONEY TOKENS - According to one embodiment, a method for setting a trap to detect that an intruder has compromised a client end station (CES) in an attempt to gain unauthorized access to enterprise data provided by a server is described. The method includes causing a honey token to be placed on the CES secluded within a configuration repository, wherein the honey token is metadata and/or instructions indicating how applications can seemingly access the enterprise data but that is actually invalid, and the honey token is placed on the CES and not on the server. The method also includes causing attribute values to be installed on a security gateway for a security rule causing the security gateway to monitor network traffic for attempted use of the honey token, and to generate an alert when a set of one or more packets that include the honey token are received. | 05-14-2015 |
20150143451 | Safety in Downloadable Applications for Onboard Computers - A method for providing safety for downloadable applications on an onboard computer in a safety critical environment includes installing an application on the onboard computer, where the application is signed by a trusted signing entity, associating a usage policy with the signed application in a safety permissions manifest, where the usage policy at least includes rules for actions allowed for the signed application under certain environmental conditions in the safety critical environment, monitoring the environmental conditions, receiving a request to perform an action from the signed application, determining whether performance of the action is permissible, where the determining is based at least on the associated usage policy and the monitored environmental conditions, and permitting/preventing the performance based on the determining. Related apparatus and methods are also described. | 05-21-2015 |
20150143452 | SYSTEM AND METHOD FOR RETROFITTING APPLICATION CODE - Disclosed is a system and method for retrofitting defensive technology that transforms potentially dangerous computer programs into safe programs. The present disclosure involves applying software rewriting and/or randomization algorithms to monitored application launches and/or API calls. The present disclosure provides systems and methods for understanding and manipulating how untrusted software will behave upon execution, thereby thwarting any chance the untrusted software could launch and/or institute a weaponized malicious software attack. The present disclosure can apply a light-weight binary rewriting and in-lining system to tame and secure untrusted binary programs. The disclosed systems and methods can also implement binary stirring by imbuing native code of software with the ability to self-randomize its instruction addresses each time it is launched. | 05-21-2015 |
20150143453 | Policy Service Authorization and Authentication - Requests for remote network resources can be denied by a policy service by redirecting a requesting user agent to an authorization portal. The authorization portal can authenticate the user agent and redirect the user agent to the originally requested resource with a token. The policy service can be configured to detect the token, and redirect the requesting user agent to the resource with a cookie. The policy service can be configured to reference such cookies when applying policy. Accordingly, an authenticated user agent can be allowed to access the remote network resource and resources at the same host/domain by virtue of the cookie and without additional authentication. | 05-21-2015 |
20150143454 | SECURITY MANAGEMENT APPARATUS AND METHOD - A security management apparatus and method are provided. The security management apparatus includes a user authentication unit, a packet inspection unit, a packet extraction unit, a file analysis unit, and an agent generation unit. The user authentication unit receives user information from a terminal of a user, and performs a user authentication procedure. The packet inspection unit inspects a packet based on rules, and transfers the inspected packet to a destination over the Internet. The packet extraction unit recognizes a specific protocol in a packet transferred to the destination or a packet returned from the destination and extracts a file based on the results of the recognition. The file analysis unit determines whether or not the extracted file is a malicious file. If the extracted file is the malicious file, the agent generation unit generates a malware removal agent, and removes malware by executing the malware removal agent. | 05-21-2015 |
20150143455 | OFF-DEVICE ANTI-MALWARE PROTECTION FOR MOBILE DEVICES - Techniques for off-device anti-malware protection for mobile devices are disclosed. In some embodiments, off-device anti-malware protection for mobile devices includes receiving a software inventory for a mobile device, in which the software inventory identifies a plurality of applications installed on the mobile device; and determining whether one or more of the plurality of applications identified in the software inventory are associated with malware based on a policy. In some embodiments, the off-device anti-malware protection for mobile devices further includes enforcing the policy on the mobile device. In some embodiments, the off-device anti-malware protection for mobile devices is provided as a cloud service. | 05-21-2015 |
20150143456 | END USER DEVICE THAT SECURES AN ASSOCIATION OF APPLICATION TO SERVICE POLICY WITH AN APPLICATION CERTIFICATE CHECK - Mobile end-user devices are disclosed having a stored network access policy, applicable to specific applications stored on and executable by the device. The policy specifies, for at least some of the applications, whether or not those applications are individually allowed to initiate access network communication activity using one or more wireless data modems, when those applications are running as a background application. One or more device agents, which may operate at different points within the device in different embodiments, enforce the policies based on a determination as to whether a running application is running as a background application. | 05-21-2015 |
20150143457 | CLIENT DEVICE TOKEN BASED MULTIFACTOR AUTHENTICATION - A multifactor authentication (MFA) enforcement server provides multifactor authentication services to users and existing services. During registration, the MFA enforcement server changes a user's password on an existing service to a password unknown to the user. During normal usage when the user accesses the existing service through the MFA enforcement server, the MFA enforcement server enforces a multifactor authentication enforcement policy. | 05-21-2015 |
20150143458 | TECHNIQUES FOR IDENTITY AND POLICY BASED ROUTING - Techniques for identity and policy based routing are presented. A resource is initiated on a device with a resource identity and role assignments along with policies are obtained for the resource. A customized network is created for the resource using a device address for the device, the resource identity, the role assignments, and the policies. | 05-21-2015 |
20150150072 | SYSTEM AND METHOD FOR A SECURITY ASSET MANAGER - Implementations of the present disclosure involve a system and/or method of performing security asset management. The system and/or method may schedule vulnerability scanners to scan the various portions of one or more networks and obtain the results of the vulnerability scans. IP addresses may be assigned to each of the vulnerability scanners to scan. The system obtains the results of the vulnerability scans and may adjust the results of the scans according to the configuration of the one or more networks that an IP address is associated with. The system and/or method may also assign and reassign IP addresses amongst the scanners to optimize scanning speed. | 05-28-2015 |
20150150073 | Smart Virtual Private Network - In one implementation, a policy server establishes a smart virtual private network between two client devices. The smart virtual private network includes a secure communication session using a security level or security algorithm that is variable and defined as a function of the two client devices. A first client device may generate a registration request including a first security configuration including the security level. Based on the registration request, the policy server generates a routing message that defines routing for communication from the first client device to a second client device. The routing message may update a routing table to associate the policy server with the second client device. | 05-28-2015 |
20150150074 | METHOD AND APPARATUS FOR PROVIDING PRIVACY PROFILE ADAPTATION BASED ON PHYSIOLOGICAL STATE CHANGE - An approach is provided for adapting privacy profiles to respond to changes in physiological state. The policy platform may process and/or facilitate a processing of sensor information to determine at least one change in one or more physiological states of at least one user, wherein the at least one user is associated with at least one context, at least one activity, or a combination thereof. Then, the policy platform may cause, at least in part, a modification of at least one privacy profile for at least one device associated with the at least one user based, at least in part, on the at least one change in the one or more physiological states, the at least one context, the at least one activity, or a combination thereof, wherein the modification of the at least one privacy profile includes, at least in part, an enabling or a disabling of one or more privacy services operating at the at least one device. | 05-28-2015 |
20150150075 | METHODS, SYSTEMS, AND COMPUTER PROGRAM PRODUCTS FOR VERIFYING USER DATA ACCESS POLICIES WHEN SERVER AND/OR USER ARE NOT TRUSTED - To verify compliance with a data access policy, a query result including data specified by a requesting entity and a representation of a data access policy is received from a database. Based on the representation of the data access policy included in the query result, it is verified whether the requesting entity is permitted to access the data included in the query result. Transmission of the data included in the query result to the requesting entity is controlled responsive to the verification. Related methods, systems, and computer program products are also discussed. | 05-28-2015 |
20150150076 | Method and device for instructing and implementing communication monitoring - Provided are a method and device for instructing and implementing communication monitoring. The method for instructing communication monitoring includes: determining that a currently sent message is a message used for instructing a monitoring enforcement network element whether to monitor current communication; and sending the message carrying monitoring instruction information to the monitoring enforcement network element, wherein the monitoring instruction information is used for instructing the monitoring enforcement network element whether to monitor the current communication. Through the technical solution, regardless of whether monitoring is required or not, the message used for instructing the monitoring enforcement network element whether to monitor the current communication includes the monitoring instruction information, so that a difference between monitored communication and unmonitored communication cannot be identified, and a hidden security risk in existing monitoring is eliminated. | 05-28-2015 |
20150150077 | TERMINAL DEVICE, MAIL DISTRIBUTION SYSTEM, AND SECURITY CHECK METHOD - To check the security of a link destination described in an electronic mail without the necessity of an access operation on the link destination, a terminal device according to the present invention, when an operation on a user interface satisfies a predetermined first condition different from an operation instructing connection to a WEB site, requests a test of the security of a link destination indicated by first link information contained in an electronic mail text, and then displays information corresponding to the test result in a manner permitting visual recognition together with second link information indicating another link destination which is different from that of the first link information. | 05-28-2015 |
20150150078 | APPARATUS AND METHOD FOR ENHANCING COMPUTER SYSTEM SECURITY - Provided are an apparatus and method for enhancing computer system security by applying a security policy to mobile user equipment. The apparatus includes a security policy monitor unit for switching a job environment of a user equipment to a secure job environment corresponding to a security policy so as to apply the security policy to the user equipment loaded into a system to which the security policy is applied; and a secure job environment providing unit for providing an execution environment based on the secure job environment via the user equipment. Accordingly, the security policy may be guaranteed to be continuously and securely applied while a job is performed in the system. | 05-28-2015 |
20150150079 | METHODS, SYSTEMS AND DEVICES FOR NETWORK SECURITY - Devices, systems, and methods for observing and intercepting network activity for network data resources passing through one or more network security apparatuses and updating the configuration of said apparatuses to control the network activity from one or more network computing devices. A spectrum of admissibility of network access may be used to configure network security apparatuses to allow or deny access to network data resources according to their position in the spectrum of admissibility and to display network characteristics in a graphical form. | 05-28-2015 |
20150150080 | Method and System for Determining and Sharing a User's Web Presence - A method and system for determining and sharing a user's web presence have been disclosed. According to one embodiment, a computer implemented method comprises providing web presence information associated with a first user from a first computer having a first software module. The web presence information is received at a second computer. The web presence information is used to dynamically inform a second user communicating with the second computer of a website that the first user is viewing. | 05-28-2015 |
20150150081 | TEMPLATE REPRESENTATION OF SECURITY RESOURCES - Systems and methods are described for enabling users to model security resources and user access keys as resources in a template language. The template can be used to create and update a stack of resources that will provide a network-accessible service. The security resources and access keys can be referred to in the template during both stack creation process and the stack update process. The security resources can include users, groups and policies. Additionally, users can refer to access keys in the template as dynamic parameters without any need to refer to the access keys in plaintext. The system securely stores access keys within the system and allows for templates to refer to them once defined. These key references can then be passed within a template to resources that need them as well as passing them on securely to resources like server instances through the use of the user-data field. | 05-28-2015 |
20150150082 | TIME BASED DISPERSED STORAGE ACCESS - A method begins with a managing unit establishing an access policy that designates, for a first group of user devices, a first read time window and a first write time window. The method continues with a storage unit receiving an access request from a user device. The method continues with the storage unit determining whether the access request is received within the first read time window or whether the access request is received within the first write time window. The method continues with the storage unit generating a read response that includes encoded data slices when the access request is a read request and is received within the first read time window. The method continues with the storage unit processing the write request to store encoded data slices when the access request is a write request and is received within the first write time window. | 05-28-2015 |
20150294116 | BOOTING A MULTI-NODE COMPUTER SYSTEM FROM A PRIMARY NODE DYNAMICALLY SELECTED BASED ON SECURITY SETTING CRITERIA - A method includes identifying, from among nodes within a multi-node system, a node that has a security setting satisfying a security setting criteria, booting the multi-node system with the identified node as the primary node, and operating the multi-node system using the security setting of the identified node. Accordingly, the method may provide dynamic selection of a primary node based upon the security setting criteria and the security settings of the nodes within the multi-node system. Optionally, the security setting of each node is stored in a trusted platform module. In non-limiting examples, the security setting criteria may be the highest security setting among all nodes within the multi-node system or a predetermined minimum security setting, such as a trusted execution technology setting. | 10-15-2015 |
20150294120 | Policy-based data-centric access control in a sorted, distributed key-value data store - A method, apparatus and computer program product for policy-based access control in association with a sorted, distributed key-value data store in which keys comprise an n-tuple structure that includes a cell-level access control. In this approach, an information security policy is used to create a set of pluggable policies. A pluggable policy may be used during data ingest time, when data is being ingested into the data store, and a pluggable policy may be used during query time, when a query to the data store is received for processing against data stored therein. Generally, a pluggable policy associates one or more user-centric attributes (or some function thereof) with a particular data-centric label. By using pluggable policies, preferably at both ingest time and query time, the data store is enhanced to provide a seamless and secure policy-based access control mechanism in association with the cell-level access control enabled by the data store. | 10-15-2015 |
20150295936 | GET VPN GROUP MEMBER REGISTRATION - An example of the present disclosure includes a Group Member (GM) registering on a Key Server (KS) in a Group Encrypted Transport Virtual Private Network (GET VPN). The KS is to manage at least one group, and GMs belonging to the same group have the same group ID. The KS receives a group ID and a Security Association (SA) policy list supported by a GM, sent by the GM. The KS, according to the group ID, determines a KS SA policy list corresponding to the group, and matches the SA policy list supported by the GM with the KS SA policy list according to a priority. The group SA policy with the highest priority is sent to the GM. | 10-15-2015 |
20150295937 | DETECTION OF UNDESIRED COMPUTER FILES USING DIGITAL CERTIFICATES - Methods and systems for detecting undesirable computer files based on scanning and analysis of information contained within an associated digital certificate chain are provided. According to one embodiment, a file having associated therewith a certificate chain is received. A type and structure of the file are identified. A location of the certificate chain is determined based on the identified type and structure. A signature of the file is formed by extracting a targeted subset of information from the certificate chain. The file is evaluated by comparing the signature with a set of signatures having a known desirable or undesirable status. The file is classified based on a result of the evaluating into a category of multiple categories, including one indicative of an associated file being an undesired file or a file suspected of being undesired. The file is handled in accordance with a policy associated with the category. | 10-15-2015 |
20150295939 | SYSTEM AND METHOD FOR EVALUATING A REVERSE QUERY - Real-time techniques for determining all access requests to an attribute-based access control policy which evaluate to a given decision, “permit” or “deny”. The policy is enforced to control access to one or more resources in a computer network. In one embodiment, a method includes: (i) receiving a reverse query and a set of admissible access requests, each of which includes one or more attributes in the policy and values of these; (ii) extracting attributes to which all access requests in the set assign identical values; (iii) reducing the ABAC policy by substituting values for the extracted attributes; (iv) caching the policy as a simplified policy; (v) translating the simplified policy and the given decision into a satisfiable logic proposition; (vi) deriving all solutions satisfying the proposition; and (vii) extracting, based on the solutions, all access requests from the set for which the policy yields the given decision. | 10-15-2015 |
20150295947 | METHOD AND SYSTEM FOR VERIFYING THE SECURITY OF AN APPLICATION WITH A VIEW TO THE USE THEREOF ON A USER DEVICE - A method is provided for verifying the security of a computing application, including the following steps: | 10-15-2015 |
20150295952 | Service Provisioning with Improved Authentication Processing - A service provision apparatus and related method which provides a service for a user via a network includes a setting unit, a determination unit, and a decision unit. The setting unit sets an evaluation policy for evaluating reliability of at least one authentication apparatus performing authentication on the user. The determination unit determines whether the authentication made by the at least one authentication apparatus is to be relied on, on the basis of at least one evaluation result obtained by evaluating whether the at least one authentication apparatus is to be relied on, on the basis of the evaluation policy. The decision unit determines that the service is to be provided for the user in response to a determination that the authentication made by the at least one authentication apparatus is to be relied on and information that the user has been authenticated by the at least one authentication apparatus. | 10-15-2015 |
20150296012 | Migrating Shared Content Items Between Accounts - Shared content items are migrated between accounts on a content management system. Users store content items synchronized between one or more client devices and the content management system. A user may have multiple accounts including personal and organization accounts. Content items may be shared with accounts belonging to other users to enable those other users to view or manipulate the content items. A user initiates a migration of content items between accounts of different categories via a user interface, e.g., by dragging and dropping a folder from one account to another. The content management system recognizes that the user has deleted the folder from the user's first account and determines that an identical folder has been created in another account belonging to the same user. In response the content management system joins the second account to the shared folder, and removes the first account from the shared folder. | 10-15-2015 |
20150302213 | SYSTEM SECURITY DESIGN SUPPORT DEVICE, AND SYSTEM SECURITY DESIGN SUPPORT METHOD - Security measures that take into consideration the significance of handled information are made applicable, and security requirements to be set in the system are prevented from being missed, in system security design. In supporting requirement definition and measures planning, the system that is the target of the design is indicated divided into a plurality of zones and is classified into a path | 10-22-2015 |
20150304281 | METHOD AND APPARATUS FOR APPLICATION AND L4-L7 PROTOCOL AWARE DYNAMIC NETWORK ACCESS CONTROL, THREAT MANAGEMENT AND OPTIMIZATIONS IN SDN BASED NETWORKS - A multi-cloud fabric system includes an open flow switch responsive to a first and subsequent data packets and a services controller including a flow database. Further, the multi-cloud fabric system includes a SDN controller that communicates with the services controller through an open flow switch, wherein upon the receipt of the first data packet, the open flow switch directs the first packet to the services controller. The services controller creates a flow entry and makes authentication decisions based on authentication information. The open flow controller, based on saved authentication policies, determines whether to allow or deny access to a corporate network, and if the open flow controller determines to deny access, the first packet is re-directed to an authentication server for access. | 10-22-2015 |
20150304327 | Dynamically Mapping Network Trust Relationships - In an embodiment, the method comprises receiving an access request, from an authenticator device, to grant a supplicant device access to a data network; transmitting the access request to an authentication server; after sending a response that the access request was granted, updating a trust topology map by including in the trust topology map information that has been obtained from the response and that indicates a secure link between the authenticator device and the supplicant device, and causing display of the updated trust topology map as a logical map depicting one or more network devices and roles assigned to the one or more network devices; wherein the method is performed by one or more computing devices. | 10-22-2015 |
20150304333 | Network Zone Identification In A Network Security System - Different network segments can have overlapping address spaces. In one embodiment, the present invention includes a distributed agent of a security system receiving a security event from a network device monitored by the agent. In one embodiment, the agent normalizes the security event into an event schema including one or more zone fields. In one embodiment, the agent also determines one or more zones associated with the received security event, the one or more zones each describing a part of a network, and populates the one or more zone fields using the determined one or more zones. | 10-22-2015 |
20150304337 | METHODS, SYSTEMS AND COMPUTER READABLE MEDIA FOR DETECTING COMMAND INJECTION ATTACKS - Methods and systems are described for detecting command injection attacks. A positive, taint inference method includes receiving signature fragments on the one hand, and converting command injection instructions into command fragments on the other hand, thus identifying potential attacks upon the condition that a command injection instruction includes critical untrusted parts, by using signature fragments. A system detects command injection attacks using this kind of method, and remediates and rejects potential attacks. | 10-22-2015 |
20150304338 | COLLABORATIVE STRUCTURED ANALYSIS SYSTEM AND METHOD - Methods, systems, and apparatus for providing compartmented, collaborative, integrated, automated analytics to analysts are provided. In a first aspect, the present invention provides a computer-implemented method for providing compartmented, collaborative, integrated, automated analytics to analysts including: selecting a computer-encoded project-specific workflow; determining a computer-encoded compartment manager, said computer-encoded compartment manager including computer-encoded information about the context of said project-specific workflow; retrieving said computer-encoded information about the context; selecting a computer-implemented automated analytic using said computer-encoded project-specific workflow; providing under control of said computer-encoded compartment manager said information about the context to said automated analytic; processing said computer-encoded information using said computer-implemented automated analytic, to generate thereby analytical information representing an outcome to said analysts; and processing said analytical information in accordance with said computer-encoded compartment manager and said computer-encoded project-specific workflow. | 10-22-2015 |
20150304339 | CLOUD EMAIL MESSAGE SCANNING WITH LOCAL POLICY APPLICATION IN A NETWORK ENVIRONMENT - A method for applying policies to an email message includes receiving, by an inbound policy module in a protected network, message metadata of an email message. The method also includes determining, based on the message metadata, whether receiving the email message in the protected network is prohibited by at least one metadata policy. The method further includes blocking the email message from being forwarded to the protected network if receiving the email message in the protected network is prohibited by the metadata policy. In specific embodiments, the method includes requesting scan results data for the email message if receiving the email message in the protected network is not prohibited by one or more metadata policies. In further embodiments, the method includes receiving the scan results data and requesting the email message if receiving the email message in the protected network is not prohibited by one or more scan policies. | 10-22-2015 |
20150304340 | Early Policy Evaluation of Multiphase Attributes in High-Performance Firewalls - A policy is established comprising a condition having a multiphase attribute of a multiphase transaction. Phase specific policies are established for each phase in which the multiphase attribute may become known. The multiphase transaction is evaluated according to the phase specific policies at each phase of the multiphase transaction in which the multiphase attribute may become known until a policy decision of the policy is determined. | 10-22-2015 |
20150304344 | SYSTEM AND METHOD FOR CONTROLLING VIRTUAL NETWORK INCLUDING SECURITY FUNCTION - Disclosed herein are a system and method for controlling a virtual network with a security function which can manage security states of virtual machines in a cloud datacenter, analyze security states of malicious virtual machines, and isolate and treat the malicious virtual machines in order to cope with intrusion of a virtual network under a cloud computing environment. The virtual network controlling system and method reduce the number of packets on which the IPS carries out a signature matching inspection through a DPI test, by diffusing blocking against the previously detected intruder to the network level, so as to enhance performance of the virtualized network IPS. | 10-22-2015 |
20150304354 | METHODS AND SYSTEMS FOR PROTECTING A SECURED NETWORK - Methods and systems for protecting a secured network are presented. For example, one or more packet security gateways may be associated with a security policy management server. At each packet security gateway, a dynamic security policy may be received from the security policy management server, packets associated with a network protected by the packet security gateway may be received, and at least one of multiple packet transformation functions specified by the dynamic security policy may be performed on the packets. | 10-22-2015 |
20150304355 | Automated Synchronized Domain Wide Transient Policy - Techniques are provided for, at an administrative device in a network domain, monitoring a network traffic flow parameter to determine whether a presently applied domain wide policy configured to control a network traffic flow should be removed. In response to determining that the domain wide policy should be removed, a command is generated which causes removal of the domain wide policy at each one of the plurality of network devices, and the command is sent to each one of the plurality of network devices to cause the domain wide policy to be removed at substantially the same time at each network device. Alternatively, the domain wide policy can be automatically removed by the expiry of a timer or in accordance with a timestamp so that the policy is revoked across the network domain without a need for an explicit network wide control message instructing removal of the policy. | 10-22-2015 |
20150304356 | METHOD, SYSTEM AND COMPUTER PROGRAM PRODUCT FOR ENFORCING ACCESS CONTROLS TO FEATURES AND SUBFEATURES ON UNCONTROLLED WEB APPLICATION - Embodiments disclosed herein provide feature-level access control functionality useful for enforcing access controls to features and subfeatures on uncontrolled, third party Web Applications such as those associated with social networking sites. Specifically, pages of uncontrolled Web applications are programmatically inspected as they are accessed by users of an enterprise computing environment. Specific features on the pages are located and access to these features is enabled or disabled on a per user basis. A modified page is generated if feature(s) on a Web page is/are to be disabled. To block certain feature(s), content may be rewritten on-the-fly. Because embodiments disclosed herein can programmatically inspect a Web page and understand what is on the page at a much finer granularity, it is possible for enterprises to gain benefits that may come from embracing social networking sites without risking the downsides of allowing enterprise users access to uncontrolled Web applications. | 10-22-2015 |
20150304357 | EXTENDING SELINUX POLICY WITH ENFORCEMENT OF FILE NAME TRANSLATIONS - An operating system identifies a request of a process to create a new object with a name in a file system of the processing device. The operating system identifies a policy rule applicable to the new object in view of at least the name of the new object. The operating system creates a label for the new object using the applicable policy rule and associates the new object with the created label. | 10-22-2015 |
20150304358 | Rights Management Services Integration with Mobile Device Management - Rights management services (RMS) integration with mobile device management (MDM) may be provided. A functionality associated with a document may be restricted according to a document management policy. After the document has been transmitted to a receiving device, a request to un-restrict the at least one functionality associated with the document may be received. If it is determined that the receiving device complies with the document management policy, the functionality associated with the document may be un-restricted. | 10-22-2015 |
20150304448 | PROFILE AND CONSENT ACCRUAL - Consent management between a client and a network server. In response to a request for consent, a central server determines if requested user information is included in a user profile associated with a user and if the user has granted consent to share the requested user information. A user interface is provided to the user via a browser of the client to collect the requested user information that is not included in the user profile and the consent to share the requested user information from the user. After receiving the user information provided by the user via the user interface, the service provided by the network server is allowed access to the received user information, and the central server updates the user profile. Other aspects of the invention are directed to computer-readable media for use with profile and consent accrual. | 10-22-2015 |
20150310210 | SECURING AND MANAGING APPS ON A DEVICE USING POLICY GATES - A method of securing an app for execution on a device using an app security program with policy gates is described. First, Java class files are generated for the app security program, where the generating is dictated by a plurality of app security policies located in a plurality of policy gates. The plurality of policy gates are managed by a policy gate manager. Next, Java class files are replaced for the app with the Java class files for the app security program. Third, a security-wrapped app is created upon completion of replacing the Java class files for the app. Further, the security-wrapped app is prepared for execution on the device. Last, the security-wrapped app is re-signed with a new key. | 10-29-2015 |
20150312262 | DETERMINATION OF USER REPUTATION REGARDING DATA OBJECT EXPOSURE IN CLOUD COMPUTING ENVIRONMENTS - Embodiments disclosed herein provide systems, methods, and computer readable media for determining user reputation regarding data object exposure in a cloud computing environment. In a particular embodiment, a method provides receiving, from the cloud computing environment, information regarding behavior of a user in the cloud computing environment. The method further provides analyzing the information to determine a plurality of exposure characteristics for the user. The method provides determining a reputation of the user for exposing data objects in the cloud computing environment based on the plurality of exposure characteristics. | 10-29-2015 |
20150312267 | USING REPUTATION TO AVOID FALSE MALWARE DETECTIONS - A variety of techniques are disclosed for detection of advanced persistent threats and similar malware. In one aspect, the detection of certain network traffic at a gateway is used to trigger a query of an originating endpoint, which can use internal logs to identify a local process that is sourcing the network traffic. In another aspect, an endpoint is configured to periodically generate and transmit a secure heartbeat, so that an interruption of the heartbeat can be used to signal the possible presence of malware. In another aspect, other information such as local and global reputation information is used to provide context for more accurate malware detection. | 10-29-2015 |
20150312274 | METHOD AND SYSTEM FOR ENSURING AN APPLICATION CONFORMS WITH SECURITY AND REGULATORY CONTROLS PRIOR TO DEPLOYMENT - Asset security compliance data ensuring defined asset security policies are applied to the creation and/or operation of assets to be used to implement an application and application deployment security compliance data for ensuring compliance with one or more application deployment security policies associated with the deployment of assets used to implement the application is generated. The asset security compliance data is then used to ensure each asset used to implement the application is created and used in compliance with asset security policies and the application deployment security compliance data is used to ensure that each asset used to implement the application is deployed in compliance with the application deployment security policies. | 10-29-2015 |
20150312275 | SINGLE-STEP CUSTOM CONFIGURATION OF A CLOUD CLIENT DEVICE - In one embodiment, a cloud client device identifies a configuration event. The cloud client device identifies a configuration associated with the configuration event. The cloud client device stores a first security key associated with the configuration and configures the cloud client device in accordance with the configuration. | 10-29-2015 |
20150312277 | SYSTEM FOR POLICY-MANAGED CONTENT PRESENTATION - The invention pertains to a system and method to display content, including data and messaging, based on a secure, policy-managed set of instructions for selecting, distributing, and presenting information on a device. The system accepts one or more streams of data in any digital form from one or more data sources. The content is assessed via a set of policy instructions that may include time, location, hierarchy of ownership, type of content, assessed importance of content, and display availability. Only approved content is transmitted to the device for display. | 10-29-2015 |
20150319175 | RETROACTIVE SHARED CONTENT ITEM LINKS - A content management system implementing methodologies providing retroactive shared content item links is disclosed. The content management system and methodologies allow a team administrator of a team to configure a team-wide shared link policy that determines whether non-team members can access content items associated with team accounts using shared links generated for the content items by team members. The team shared link policy has two settings. In a first setting, the content management system allows non-team members to use shared links generated by team members to access content items associated with team accounts. In a second setting, the content management system blocks access to the content items by non-team members. Shared links are retroactive in the sense they do not need to be regenerated after the team shared link policy has been changed from the second setting back to the first setting. | 11-05-2015 |
20150319178 | REMOTE ASSISTANCE FOR MANAGED MOBILE DEVICES - According to some aspects disclosed herein, a system for remote assistance and control of user devices subject to one or more remote assistance policies may be provided. In some embodiments, an administrator may request remote control of a managed user device. A managed application launcher may be provided by the user device and may be modified by the user device to remove managed applications or otherwise prevent access to applications that have a policy indicating that remote assistance is not allowed. The administrator may open a managed application included in the launcher and remotely control that application. In other embodiments, a user of the managed user device may initiate a request for remote assistance from within a managed application and/or the managed application launcher. The administrator's control of the user device and access to other applications on the user device may be limited based on the remote assistance policies. | 11-05-2015 |
20150319179 | METHOD AND SYSTEM FOR PROVIDING A PRIVATE NETWORK - A system for providing a private network to a user terminal ( | 11-05-2015 |
20150319192 | METHOD AND APPARATUS FOR MULTI-TENANCY SECRETS MANAGEMENT - A service provider computing environment includes a service provider secrets policy. A service provider computing device receives tenant secrets policies from tenants. The tenants are tenants of multi-tenant assets of a service provider. The service provider computing environment determines if the tenant secrets policies satisfy the requirements of the service provider secrets policy. If the tenant secrets policies satisfy the requirements of the service provider secrets policy, the service provider computing environment allows the tenant secrets policies to be applied to tenant data or information in the multi-tenant assets. | 11-05-2015 |
20150319193 | METHOD FOR CLOUD-BASED ACCESS CONTROL POLICY MANAGEMENT - A Web-based management server includes an ACP manager to manage access control rules (ACRs) and access control policies (ACPs). The ACRs and ACPs are configured by an administrator via a Web interface of the management server. The ACP manager is to transmit over the Internet the ACPs and the ACRs to network access devices (NADs) to allow the NADs to apply the ACPs to their respective network client devices (NCDs) based on the ACRs, where the NADs are managed by the management server over the Internet. Each of the NADs operates as one of a router, a network switch, and an access point. The ACP manager is to periodically update the ACRs and ACPs stored in the NADs, including receiving an update from one NAD and broadcasting the update to a remainder of the NADs. | 11-05-2015 |
20150319194 | MANAGING SECURE CONTENT IN A CONTENT DELIVERY NETWORK - A system, method, and computer readable medium for managing secure content by CDN service providers are provided. A network storage provider stores one or more resources on behalf of a content provider. A CDN service provider obtains client computing device requests for secure content. Based on processing first signature information, the CDN service provider determines whether the secure content is available to the client computing device. If the CDN service provider does not maintain the requested content, the CDN service provider transmits a request to the network storage provider. Based on second signature information and an identifier associated with the CDN service provider, the network storage provider processes the request based on policy information associated with the identifier. | 11-05-2015 |
20150324559 | DYNAMIC ADJUSTMENT OF AUTHENTICATION POLICY - Embodiments relate to managing authentication policies for users on a network of an organization. A computer-implemented method for managing an authentication policy for a user on a network of an organization is provided. The method maintains a current risk assessment score of the user based on an organizational role of the user within the organization and a history of security violations on the network. The method determines the authentication policy for the user based on the current risk assessment score. | 11-12-2015 |
20150324589 | SYSTEM AND METHOD FOR CONTROLLED DEVICE ACCESS - An industrial environment includes an industrial system device. The industrial system device includes a processor to receive a certificate describing a security policy of one or more access constraints for the industrial system device and to implement the security policy on the industrial system device. Accordingly, access to the device may be customizable based upon a particular job to be completed on the device, providing more appropriate device access. Further, the security policy certificate may be provided to the device without relying on an “always-on” server-based system, resulting in fewer points of failure for accessing the device. | 11-12-2015 |
20150324602 | Managing Access of Information Using Policies - An information management system approves or denies user requests to access information of the system. The information includes all types of information including documents and e-mail. The information management system is driven using a policy language having policies and policy abstractions. The information management system may approve or deny many different types of requests including opening a document or file, copying a file, printing a file, sending an e-mail, reading an e-mail, cut and paste of a portion of a document, saving a document, executing an application on a file, and many others. | 11-12-2015 |
20150324606 | Identifying and Securing Sensitive Data at its Source - A data management service identifies sensitive data stored on enterprise databases according to record classification rules that classify a data record as having a sensitive data type if the data record includes fields matching at least one of the record classification rules. The data management service determines assessment scores for enterprise databases according to sensitive data records and protection policies on the enterprise databases. The data management service provides an interface that groups enterprise databases having common attributes or common sensitive data types and indicates aggregated assessment scores for the groups of enterprise databases. Through the interface with the grouped enterprise databases, an administrator can apply protection policies to enterprise databases. To apply the protection policy, the data management service applies the protection policy to a source database from which dependent enterprise databases access the sensitive database. | 11-12-2015 |
20150324608 | Functionality Management via Application Modification - Methods, systems, apparatuses, and/or computer-readable media for providing device management via application modification may be provided. In some embodiments, a request to perform an action may be received. Upon determining that the action is associated with a metered resource, a further determination may be made as to whether the request complies with at least one management policy. In response to determining that the request complies with the at least one management policy, the requested action may be authorized and/or caused to be performed. | 11-12-2015 |
20150326528 | Enforcement of Network-Wide Context Aware Policies - A method implemented in an edge router, the method comprising receiving an authentication request from a device, forwarding the authentication request to an authentication and policy server, receiving an authentication response and an indication of a device tag from the authentication and policy server, wherein the device tag is based on a characteristic of the device, a location, a destination, or a user of the device, forwarding the authentication response to the device, receiving a policy associated with the device tag from the authentication and policy server, receiving a packet from the device, embedding the device tag in the packet to form a tagged packet, and executing the policy. | 11-12-2015 |
20150326532 | METHODS AND APPARATUS TO PROVIDE A DISTRIBUTED FIREWALL IN A NETWORK - Methods and apparatus to provide a distributed firewall in a network are disclosed. An example method includes identifying, at a control plane, a network traffic rule to implement in a network; determining, at the control plane, a distributed firewall for a first firewall in the network to enforce the network traffic rule; instructing, using the control plane, a first software-defined networking node to instantiate the first firewall of the distributed firewall; configuring a second software-defined networking node to route network traffic through the first firewall; and instructing the first software-defined networking node to enforce the network traffic rule. | 11-12-2015 |
20150326586 | REMEDIATING ROGUE APPLICATIONS - In one example embodiment, a remediating system may include a mobile communication device, to which an application is to be installed, and a remediator that may be configured to remediate the application and transmit the remediated version of the application to the mobile communication device for installation. | 11-12-2015 |
20150326589 | SYSTEM AND METHODS FOR REDUCING IMPACT OF MALICIOUS ACTIVITY ON OPERATIONS OF A WIDE AREA NETWORK - System architecture and methods for controlling improper network activity in a wide area network, where the system includes multiple service provider devices configured to provide communications service to attack vector devices. Each service provider device or plurality of devices is provided with at least one policy agent. The policy agent of each of the service provider devices is placed in communication with a security service system. The method includes detecting an improper network event using one of the policy agents and providing the security service device associated with that policy agent/service provider device with vector data characterizing the improper network event. The method further includes forwarding the vector data relating to the improper network event from the security service system to other of the security service systems, and from those to the policy agents in the other service provider devices. The method then inhibits the transfer of messages, data, or other forms of traffic corresponding to the vector data. | 11-12-2015 |
20150326596 | CLOUD BASED METHOD AND APPARATUS FOR MONITORING INTERNET USAGE - A cloud based method and apparatus for monitoring internet usage are provided. The method comprises: receiving a website inquiry instruction sent by a client, wherein the instruction comprises a website identifier; determining whether the website is a website to be monitored; and if the website is a website to be monitored, processing the website inquiry instruction in accordance with a security policy pre-stored in a server, wherein the security policy is set by the client. Since the security policy is stored on a server, it cannot be easily circumvented by the user, and its effectiveness is enhanced. | 11-12-2015 |
20150326604 | RULES BASED MONITORING AND INTRUSION DETECTION SYSTEM - The present invention is a rules-based monitoring and intrusion detection system that comprises three core components in a data network: a client electronic device in the form of a smart phone, tablet, or other electronic device; a mobile app gateway; and a web server. The system is initiated with an electronic request by a client to receive monitoring of their electronic device. The request is sent through a mobile application gateway and received by a web server. The web server responds to this request by sending a graphical user interface to the client's electronic device, with which the client may be able to configure certain settings for monitoring. The settings are in the form of rules, which in response to certain events, may trigger alarms in the intrusion detection software. The web server then receives these rules and compiles monitoring software for installation on the client's electronic device. Once activated, this software continuously monitors the client's electronic device and compares certain events with the programmed rules. Upon finding a matching event and rule, the monitoring software sends a communication to the web server and the web server then issues a command or sends a communication, depending on and in accordance with the user-defined rules. This system can be used to better secure the sensitive data stored on a client's electronic device in the event of theft, hacking, or misplacement. | 11-12-2015 |
20150326609 | DESIGNATING A VOTING CLASSIFIER USING DISTRIBUTED LEARNING MACHINES - In one embodiment, possible voting nodes in a network are identified. The possible voting nodes each execute a classifier that is configured to select a label from among a plurality of labels based on a set of input features. A set of one or more eligible voting nodes is selected from among the possible voting nodes based on a network policy. Voting requests are then provided to the one or more eligible voting nodes that cause the one or more eligible voting nodes to select labels from among the plurality of labels. Votes are received from the eligible voting nodes that include the selected labels and are used to determine a voting result. | 11-12-2015 |
20150326610 | CONNECTION CONFIGURATION - A connection method is provided. The method includes retrieving, by a data retrieval device, unique data comprising an identifier associated with a wireless device. The unique data is transmitted to a router, which transmits an authorization request and a configuration request for a configuration change to an authorization service. The authorization request is presented to a user, and in response the user transmits an authorization code to the authorization service. In response, the router generates a virtual SSID and preconfigured firewall rules based on the unique data, and the wireless device is automatically connected to the router based on the virtual SSID and the preconfigured firewall rules. | 11-12-2015 |
20150326611 | SECURITY CONTROL APPARATUS AND METHOD FOR CLOUD-BASED VIRTUAL DESKTOP - The security control apparatus includes a network control unit for receiving a security protocol-based packet that includes a protocol control header and data and that is transmitted between a cloud-based virtual desktop interaction remote agent unit and a virtual machine of a cloud-based virtual desktop interaction device, and for blocking network traffic between the cloud-based virtual desktop interaction remote agent unit and the virtual machine, depending on received results of checking. A policy checking unit checks whether information extracted from the security protocol-based packet is compliant with control policies, and transmits the results of checking to the network control unit. If the information is not compliant with the control policies, a security solution interaction unit transmits the extracted information to an external security solution, and transmits the results of checking by the corresponding security solution to the network control unit. | 11-12-2015 |
20150326612 | TECHNIQUES FOR NETWORK SELECTION IN UNLICENSED FREQUENCY BANDS - Aspects described herein relate to detecting wireless network services. A network that advertises access to a service provider network via a cellular radio access technology (RAT) in an unlicensed frequency can be discovered at a user equipment (UE). The UE can then determine one or more user-defined or operator-defined policies related to selecting the network, and select the network for access based at least in part on the one or more user-defined or operator-defined policies. | 11-12-2015 |
20150326613 | DYNAMIC USER IDENTIFICATION AND POLICY ENFORCEMENT IN CLOUD-BASED SECURE WEB GATEWAYS - A cloud-based secure Web gateway, a cloud-based secure Web method, and a network deliver a secure Web gateway (SWG) as a cloud-based service to organizations and provide dynamic user identification and policy enforcement therein. As a cloud-based service, the SWG systems and methods provide scalability and the capability of accommodating multiple organizations therein with proper isolation therebetween. There are two basic requirements for the cloud-based SWG: (i) having some means of forwarding traffic from the organization or its users to the SWG nodes, and (ii) being able to authenticate the organization and users for policy enforcement and access logging. The SWG systems and methods dynamically associate traffic to users regardless of the source (device, location, encryption, application type, etc.), and once traffic is tagged to a user/organization, various policies can be enforced and audit logs of user access can be maintained. | 11-12-2015 |
20150326614 | Social Sharing of Security Information in a Group - Techniques for social sharing security information between client entities forming a group are described herein. The group of client entities is formed as a result of a security server providing one or more secure mechanisms for forming a group among client entities, the client entities each belonging to a different organization. The security service then automatically shares security information of a client entity in the group with one or more other client entities in the group. | 11-12-2015 |
20150326615 | CLOUD BASED MOBILE DEVICE SECURITY AND POLICY ENFORCEMENT - Cloud based mobile device security and policy systems and methods use the “cloud” to pervasively enforce security and policy on mobile devices. The cloud based mobile device security and policy systems and methods provide uniformity in securing mobile devices for small to large organizations. The cloud based mobile device security and policy systems and methods may enforce one or more policies for users wherever and whenever the users are connected across a plurality of different devices including mobile devices. This solution ensures protection across different types, brands, operating systems, etc. for smartphones, tablets, netbooks, mobile computers, and the like. | 11-12-2015 |
20150326616 | Directing Audited Data Traffic to Specific Repositories - Data traffic is monitored on a network and data access elements thereof are collected. The collected data access elements are compared to security rules. A first audit data collection is sent to a first repository in response to one or more data access elements of a first data access matching a first condition of one of the security rules. The one of the security rules having the first condition designates the first audit data collection and the first repository. A second audit data collection is sent to a second repository in response to one or more data access elements of a second data access matching a second condition of one of the security rules. The one of the security rules having the second condition designates the second audit data collection and the second repository. | 11-12-2015 |
20150326617 | Privacy Control Processes for Mobile Devices, Wearable Devices, other Networked Devices, and the Internet of Things - Mobile devices are increasingly capable of collecting, storing, and transmitting data which may infringe on the security or privacy of others. The inventions disclosed provide methods by which such conflicts may be reduced by allowing geographical areas to be opted out of certain types of collection, at all or specific times. These methods may help broaden the acceptance of such devices as Google Glass®, other wearable devices, or other mobile collection-capable devices. The disclosure describes a “collection controller” which maintains positive control over a device's collection capabilities. This controller may be paired with an online opt-out registry or a sensor which detects coded opt-out beacons. Certain data collected by the device might be metadata tagged and its further use determined by a “data disposition controller” which ensures restrictions on the collected data are maintained and adhered to. Finally, the device may itself be queried to determine if it is controlled by any or all of the processes disclosed in this submission. | 11-12-2015 |
20150332024 | Syndication Including Melody Recognition and Opt Out - A syndication system facilitates rights management services between media content owners and media hosting services that elect to participate in the syndication system and mutually elect to participate with each other. The syndication system utilizes a content recognition system to identify hosted media content and ownership rights associated with the hosted content. By applying melody recognition, the content recognition system can identify compositions embodied in hosted media content even when these compositions do not precisely match any known sound recording. Thus, the content recognition system is beneficially able to detect, for example, recorded cover performances and recorded live performances embodied in hosted media content. Once identified, ownership information is determined and the syndication system can facilitate rights management policies associated with the content such as monetizing or blocking the protected content. | 11-19-2015 |
20150332048 | Systems and Methods Involving Features of Hardware Virtualization, Hypervisor, APIs of Interest, and/or Other Features - Systems, methods, computer readable media and articles of manufacture consistent with innovations herein are directed to computer virtualization, computer security and/or memory access. According to some illustrative implementations, innovations herein may utilize and/or involve a separation kernel hypervisor which may include the use of a guest operating system virtual machine protection domain, a virtualization assistance layer, and/or a detection mechanism (which may be proximate in temporal and/or spatial locality to malicious code, but isolated from it), inter alia, for detection and/or notification of, and action by a monitoring guest upon access by a monitored guest to predetermined physical memory locations. | 11-19-2015 |
20150334066 | METHOD AND APPARATUS FOR DATA FILE TRANSFER USING DESTINATION LINKED DIRECTORIES - A file authentication requesting device that stores a computer program for requesting authentication of files in digital systems, the device comprises a confirmation request system that generates a request for a confirmation receipt from a third party authenticator authenticating the attributes of a file; a transferring system that transfers attributes of at least one file to be authenticated to the third party authenticator from the device that requested the confirmation; and a receiving system that receives the confirmation receipt comprising authenticated file attributes, after authentication by the third party authenticator; wherein, at least one file authentication is received from the third party authenticator. Corresponding processing devices, media, systems and methods are also provided. | 11-19-2015 |
20150334102 | Network Application Security Utilizing Network-Provided Identities - A network security system receives a request from a user over a network to access a network application. The system verifies user credentials for the user. The user credentials include a user identifier and specify a social network. The user is redirected to the social network for authentication. The system queries a rule-set database using the user identifier and an integer representation of the social network. The rule-set database includes recommendations as to access determined by a security application based at least in part on a known memory state for the user associated with the user identifier. Then the system blocks access by the user to the network application based on a recommendation in the rule-set database. | 11-19-2015 |
20150334116 | MAINTAINING IP TABLES - Data including a set of one or more resources and one or more associated IP addresses is updated based on data from a DNS server. A request is received from a client device for a resource identified by an IP address. The IP address is matched to one of the IP addresses in the set of one or more IP addresses. A particular resource associated with the matched IP address is identified. A particular network policy that applies is identified. The identified particular network policy is applied to the received request. | 11-19-2015 |
20150334118 | METHOD AND APPARATUS FOR CLEARING NOTIFICATION ICON, AND STORAGE MEDIUM - The present disclosure discloses a method and an apparatus for clearing a notification icon, and a storage medium. The method includes: acquiring a list of applications corresponding to to-be-cleared notification icons, the application list including application identifiers of the applications corresponding to the to-be-cleared notification icons; and, when a clearing command is received, stopping the display of the notification icon corresponding to each application identifier included in the application list. By determining the application identifiers of the applications corresponding to to-be-cleared notification icons, the display of the notification icons corresponding to those application identifiers can be stopped at once when a clearing command is received. Hence, notification message prompts which a user does not care about are cleared quickly, unwanted distraction is avoided as messages are reduced, and the operation is simple and convenient. | 11-19-2015 |
20150334122 | METHOD AND COMPUTER DEVICE TO CONTROL SOFTWARE FILE DOWNLOADS - A computer device includes a download unit which downloads one or more files into a storage device. A file logging unit records a resource locator identifying a source network location of the file, when the file is downloaded, and associates the resource locator with a first fingerprint of the file. A system policy unit stores the resource locator associated with a process control policy relevant to the file. A process control unit is arranged to obtain a second fingerprint of the file upon launching a process in a runtime execution environment, retrieve the resource locator from the file logging unit by matching the second fingerprint with the first fingerprint, retrieve the process control policy from the system policy unit according to the retrieved resource locator, and selectively apply process execution privileges which determine execution of the process in the runtime execution environment according to the retrieved process control policy. | 11-19-2015 |
20150334126 | Systems and Methods Involving Aspects of Hardware Virtualization Such as Hypervisor, Detection and Interception of Code or Instruction Execution Including API Calls, and/or Other Features - Systems, methods, computer readable media and articles of manufacture consistent with innovations herein are directed to computer virtualization, computer security and/or memory access. According to some illustrative implementations, innovations herein may utilize and/or involve a separation kernel hypervisor which may include the use of a guest operating system virtual machine protection domain, a virtualization assistance layer, and/or an instruction execution detection/interception mechanism (which may be proximate in temporal and/or spatial locality to malicious code, but isolated from it). The instruction execution detection/interception mechanism may perform processing, inter alia, for detection and/or notification of, and actions upon by a monitoring guest, code execution by a monitored guest involving predetermined physical memory locations, such as API calls. Such actions may include interception of API calls within the monitored guest and simulation thereof by the monitoring guest or another authorized guest. | 11-19-2015 |
20150334129 | USER BEHAVIORAL RISK ASSESSMENT - A particular activity performed by a particular user of a computing device is identified, for instance, by an agent installed on the computing device. It is determined that the particular activity qualifies as a particular use violation in a plurality of pre-defined use violations. A behavioral risk score for the particular user is determined based at least in part on the determination that the particular activity of the particular user qualifies as a particular use violation. Determining that the particular activity qualifies as a particular use violation can include determining that the particular activity violates a particular rule or event trigger corresponding to a particular pre-defined use violation. | 11-19-2015 |
20150334131 | Spoofing Detection - A wireless access device in a wireless network, whether a known or unknown entity, can be located using a geolocation system according to the present invention. A signal strength is determined by a wireless intrusion detection system (WIDS) node in a wireless network for each wireless access device that it detects. Based on the signal strength, an approximate distance from the node is determined, which, in one embodiment corresponds to a radius of a circle around the node. To account for error, an approximation band of the circle is calculated that will allow a user to determine the approximate location of the device within the wireless network. | 11-19-2015 |
20150334132 | SECURITY INFORMATION FOR UPDATING AN AUTHORIZATION DATABASE IN MANAGED NETWORKS - A method for amending, by a rule engine, a network element in a telecommunications network containing network elements each described by at least one parameter. An authorization database contains information on which configuring operators have access to the network elements and to what extent, and a rule repository contains parameter-dependent rules describing which activity is carried out for the network elements, and parameter-dependent security information describing whether and how configuring operators are supervised by a security administrator when amending, and how the authorization database is amended for a network element. A request for amending the network element in the network is identified and its parameter is determined. A rule is determined in the rule repository for which the parameter corresponds to the parameter of the amended network element, and the security information for the determined rule is determined. The authorization database is updated using the security information. | 11-19-2015 |
20150334133 | HARDWARE IMPLEMENTATION METHODS AND SYSTEM FOR SECURE, POLICY-BASED ACCESS CONTROL FOR COMPUTING DEVICES - A system and method for hardware implementations of policy-based secure computing environments for Internet enabled devices. The present invention facilitates a secure computing environment for any Internet enabled device where policy rules can be described as hardware components that allow or deny access to resources on the device. A compiler produces a hardware description language (HDL) of the hardware components based on given policy rules for that component. The system may be partially or completely implemented in hardware to address inherent limitations of a software only solution. The invention provides greater flexibility to the overall system in terms of performance, security, and expressiveness of the policy rules that must be executed. | 11-19-2015 |
20150339467 | APPARATUS, METHOD FOR CONTROLLING APPARATUS, AND PROGRAM - An apparatus which includes one or more control modules, comprising: a state managing unit configured to manage a current state of the apparatus and to control the control modules based on the current state, wherein the state of the apparatus is changed from one to another among a plurality of states with the passing of time; a storage unit configured to store state data defining processes for controlling the respective control modules in response to a change of the state; and a data editing unit configured to edit the state data stored in the storage unit so as to change a process to be performed in a state among the plurality of states; wherein the state data includes a respective state datum corresponding to each state in the plurality of states, and the state managing unit controls the control modules according to the state datum corresponding to the current state. | 11-26-2015 |
20150339489 | SYSTEM AND METHOD TO PROVIDE SERVER CONTROL FOR ACCESS TO MOBILE CLIENT DATA - Systems and methods for protecting a data item include, upon initiation of transfer of the data item from a server to a client device, determining a sensitivity score and a current protection level of the data item. A policy is applied to determine an appropriate protection for the data item based upon the sensitivity score and the current protection level. A protected data item is provided to the client device by applying the appropriate protection to the data item. | 11-26-2015 |
20150339490 | TRUE-OWNERSHIP OF SHARED DATA - A method for managing a data item includes a hub receiving a first access request from a first engine executing on a computing device operated by a first host and sending the first access request to a second engine executing on a first computing device of a second host. The second host owns the data item. The hub receives, from the second engine, the data item and a first access rule set by the second host for the first host, and sends the first access rule and the data item to the first engine for storage. The first engine grants the first host access to the data item according to the first access rule. | 11-26-2015 |
20150341314 | FLOW OWNERSHIP ASSIGNMENT IN A DISTRIBUTED PROCESSOR SYSTEM - A security device for processing network flows includes one or more packet processors configured to receive incoming data packets associated with one or more network flows, where a packet processor is assigned as an owner of one or more network flows and each packet processor processes data packets associated with flows for which it is the assigned owner; and a packet processing manager configured to assign ownership of network flows to the one or more packet processors, where the packet processing manager includes a global flow table containing entries mapping network flows to packet processor ownership assignments. The packet processing manager informs a packet processor of an ownership assignment after one or more packets are received, and the one or more packet processors learn of ownership assignments of network flows from the packet processing manager. | 11-26-2015 |
20150341359 | Method of Controlling Access to Network Drive, And Network Drive System - A network drive system for controlling access to a network drive based on location information of a communication device according to the present technology includes: a storage unit storing a network drive that stores security data and general data; a receiving unit receiving a request for access to the network drive from a first communication device; a location checking unit checking whether the distance between the first communication device and a second communication device designated as a device for controlling access to the network drive is within a critical value; and a policy setting unit that applies a policy allowing the first communication device to access general data stored in the network drive, or applies a policy disallowing the first communication device to access general data stored in the network drive, according to the result of the check by the location checking unit. | 11-26-2015 |
20150341367 | SYSTEMS AND METHODS FOR SECURE RESOURCE ACCESS AND NETWORK COMMUNICATION - Systems and methods for secure resource access and network communication are provided. A plurality of policies are received on a client device, each policy comprising a respective resource and a respective permission for a respective action that can be performed by a user of the client device in regards to the resource. A first application, which is configured to store data in an encrypted repository on the client device, receives a request to open a resource. The first application determines that one of the policies prohibits access by the resource to the encrypted repository and, based thereon, selects a different second application to open the resource that does not have access to the encrypted repository. The second application then opens the resource. | 11-26-2015 |
20150341387 | Identification of Web Form Parameters for an Authorization Engine - A method, system and computer-usable medium are disclosed for automating the identification of web form parameters for an authorization engine. A web page containing a set of parameters is received and then processed to identify structured portions it may contain. A target structured portion is then selected and processed to identify a corresponding set of web form parameters. Once identified, the set of web form parameters is then processed to generate a policy with a corresponding set of policy rule parameters. Matching operations are then performed to respectively match individual parameters of the set of web form parameters to individual parameters of the set of policy rule parameters. The policy is then associated with the URL of its web page, and the process is repeated, proceeding with selecting another target structured portion to process. | 11-26-2015 |
20150341388 | METHODS AND SYSTEMS FOR PROTECTING A SECURED NETWORK - Methods and systems for protecting a secured network are presented. For example, one or more packet security gateways may be associated with a security policy management server. At each packet security gateway, a dynamic security policy may be received from the security policy management server, packets associated with a network protected by the packet security gateway may be received, and at least one of multiple packet transformation functions specified by the dynamic security policy may be performed on the packets. Performing the at least one of multiple packet transformation functions specified by the dynamic security policy on the packets may include performing at least one packet transformation function other than forwarding or dropping the packets. | 11-26-2015 |
20150341389 | LOG ANALYZING DEVICE, INFORMATION PROCESSING METHOD, AND PROGRAM - The device includes: a log information collecting unit that collects log information and traffic information output from a plurality of communication devices included in a network; a normalization processing unit that normalizes the log information and traffic information collected by the log information collecting unit; a log information analysis processing unit that extracts related log information and traffic information from the normalized log information and traffic information, analyzes it according to a predetermined rule, and determines whether or not there is unauthorized access; and an event information notifying unit that outputs event information, including information indicating importance, based on the result of the determination by the log information analysis processing unit. | 11-26-2015 |
20150341390 | MODULARIZED SOFTWARE SYSTEM FOR MANAGING A PLURALITY OF DISPARATE NETWORKS - A converged network management application and system are provided that deliver a management platform as a service that can view and/or manage all managed networks in the aggregate, or any one of them individually (including individual devices within the managed networks), in a secure and efficient manner, providing continuously available intelligence in real time on the managed networks and systems, and overcoming integration issues including conflicting address schemas, the need to avoid unnecessary infrastructure, and the need to acquire all necessary information in real time within applicable memory and bandwidth constraints. | 11-26-2015 |
20150341391 | SYSTEMS AND METHODS FOR SERVING APPLICATION SPECIFIC POLICIES BASED ON DYNAMIC CONTEXT - Methods, systems and computer readable media for serving application specific policies based on dynamic context are described. In some implementations, the method can include determining a dynamic authentication context for a user including one or more access credentials, and authenticating the access credentials. The method can also include determining an indication of a need for a service-based policy, and generating a dynamic service-based policy based on the dynamic authentication context and an application. The method can further include providing the dynamic service-based policy to the application, and monitoring for a change in the dynamic authentication context. The method can also include updating the dynamic service-based policy. | 11-26-2015 |
20150347746 | METHODS FOR RESTRICTING RESOURCES USED BY AN APPLICATION BASED ON A BASE PROFILE AND AN APPLICATION SPECIFIC PROFILE - In response to a request for launching an application within an operating system of a data processing system, one or more extended entitlements are extracted from the application, where the one or more extended entitlements specify one or more resources the application is entitled to access. One or more security profile extensions corresponding to the one or more extended entitlements are dynamically generated. A security profile specifically for the application is created based on the one or more security profile extensions and a base security profile that has been previously compiled, where the base security profile specifies a list of a plurality of base resources. The application is then launched in a sandboxed operating environment that is configured based on the security profile specifically generated for the application. | 12-03-2015 |
20150347748 | METHOD AND APPARATUS FOR HANDLING SECURITY OF AN APPLICATION AND ITS EXTENSION - Techniques for handling security of an application and its extension are described. In one embodiment, an application manager of an operating system running within a data processing system launches an application in a first sandboxed environment based on a first security profile associated with the application. In response to receiving a request from the application for accessing a function of an application extension that is associated with the application, the application manager launches the application extension in a second sandboxed environment based on a second security profile associated with the application extension. The application manager is to individually enforce security and manage resources of the application and the application extension in the first and second sandboxed environments based on the first and second security profiles, respectively. The second security profile specifies resources fewer than the first security profile. | 12-03-2015 |
20150347768 | Policy-Based Trusted Inspection of Rights Managed Content - An embodiment includes a method executed by at least one processor comprising: initializing first and second secure enclaves each comprising a trusted software execution environment that prevents software executing outside the first and second secure enclaves from having access to software and data inside the first and second secure enclaves; the first secure enclave (a)(i) inspecting a policy, (a)(ii) authenticating the second secure enclave in response to inspecting the policy; and (a)(iii) communicating encrypted content to the second secure enclave in response to authenticating the second secure enclave; and the second secure enclave (b)(i) decrypting the encrypted content to produce decrypted content, and (b)(ii) inspecting the decrypted content. Other embodiments are described herein. | 12-03-2015 |
20150347773 | METHOD AND SYSTEM FOR IMPLEMENTING DATA SECURITY POLICIES USING DATABASE CLASSIFICATION - Access to a database is obtained, the database containing data that is potentially of one or more data types and/or data security classifications. The data in the database is scanned to determine the types and/or data security classifications of the data in the database. Then based, at least in part, on the determined types and/or data security classifications of the data in the database a database security classification is associated with the entire database and used to select one or more security measures to be applied to the entire database, at the database level, in accordance with defined data security policies. | 12-03-2015 |
20150350163 | SYSTEM AND METHOD FOR INITIATING PROTECTED INSTANT MESSAGING CONVERSATIONS - A system and method are provided for initiating protected instant messaging conversations. The method includes enabling a shared secret to be sent to a contact to initiate a key exchange to protect messages exchanged in an instant messaging conversation, the shared secret being sent using a communication medium other than instant messaging. After the shared secret has been sent, the method includes displaying a pending protected instant messaging conversation user interface prior to receiving a confirmation associated with receipt of the shared secret by the contact, the pending protected instant messaging conversation user interface comprising an option to resend the shared secret. | 12-03-2015 |
20150350183 | Internetwork Authentication - A technique for network authentication interoperability involves initiating an authentication procedure on a first network, authenticating on a second network, and allowing access at the first network. The technique can include filtering access to a network, thereby restricting access to users with acceptable credentials. Offering a service that incorporates these techniques can enable incorporation of the techniques into an existing system with minimal impact to network configuration. | 12-03-2015 |
20150350212 | METHODS AND SYSTEMS FOR AUTHORIZING WEB SERVICE REQUESTS - Systems and methods for authorizing web service requests. In some embodiments, a computer-implemented method includes receiving a web service request having an authorization header and business code, authenticating a Security Assertion Markup Language (SAML) token included in the authorization header and constructing a security context based on attributes of the SAML token. The process also includes passing the security context to an authorization interceptor to interact with a policy information point (PIP) and a policy decision point (PDP), receiving a permit response, and then authorizing the web services request. In some implementations, the requested web service is then transmitted to the client computer that requested the web service. | 12-03-2015 |
20150350216 | RETROSPECTIVE POLICY SAFETY NET - These and other objectives are attained with a method and system for evaluating an access policy change. The method comprises the step of providing an access control mechanism having a first policy, and an audit log having entries of accesses made under that first policy. The method comprises the further steps of submitting a second policy to the access control mechanism, comparing the log entries to the second policy, and based on the results of the comparing step, taking one of a predetermined number of actions. | 12-03-2015 |
20150350219 | PROFILE CHANGE MANAGEMENT - Methods and trusted execution environments (TEE) for enabling one of at least two profile domains are disclosed. An authorisation token for authorising a TEE application to request one of the at least two profile domains to be enabled is received ( | 12-03-2015 |
20150350233 | Anomalous Behavior Detection Based on Behavioral Signatures - Electromagnetic (EM)/radio frequency (RF) emissions may be detected and corresponding EM personas may be created. One or more EM personas may be associated with a super persona corresponding to a particular entity. EM personas, super personas, and/or supplemental identifying information can be used to enforce security protocols. | 12-03-2015 |
20150350237 | Security Policy Deployment and Enforcement System for the Detection and Control of Polymorphic and Targeted Malware - The present system and method pertain to the detection of malicious software and processes such as malware. A cloud security policy system receives hashes and behavioral information about applications and/or processes executing on user devices. The cloud security policy system records this information and then evaluates the trustworthiness of the hashes based on the information received from the user devices to provide a security policy for the applications and/or processes. The security policy is sent from the cloud security policy system to user devices to be applied by the user devices. | 12-03-2015 |
20150350248 | METHOD AND SYSTEM FOR DOMAIN CREATION AND BOOTSTRAPPING - A method at a mobile device for creating a managed domain on the mobile device, the method initializing a container on the mobile device to house the managed domain; retrieving, from the mobile device, a management agent for the management domain; establishing policies to govern the creation of the managed domain; and configuring the container for the domain based on the established policies. | 12-03-2015 |
20150350249 | DETERMINING TRUSTWORTHINESS OF API REQUESTS BASED ON SOURCE COMPUTER APPLICATIONS' RESPONSES TO ATTACK MESSAGES - A method includes receiving an application programming interface (API) request from a source computer application that is directed to a destination computer application. An attack response message that is configured to trigger operation of a defined action by the source computer application is sent to the source computer application. Deliverability of the API request to the destination computer application is controlled based on whether the attack response message triggered operation of the defined action. Related operations by API request risk assessment systems are disclosed. | 12-03-2015 |
20150350250 | System and Method for Switching Between Messaging Security Policies - A system and method are provided for switching between messaging security policies. The method includes determining that a messaging security policy for a messaging application on the electronic device has been downgraded from a higher security level to a lower security level; and removing messaging application content on the electronic device that has been subjected to the higher security level. Removing protected content can include any one or more of removing access to at least one protected instant messaging group, removing at least one multi-participant instant messaging conversation, and removing at least a portion of protected content from within a one-to-one conversation with an instant messaging contact. | 12-03-2015 |
20150350253 | COMMUNICATION BETWEEN FRAMES OF A WEB BROWSER - There is provided a method and apparatus of providing communication between frames of a web browser which is arranged to enforce a same origin security policy for communication between frames. The method comprises receiving a hub document of a hub origin into a hub frame of the web browser, and receiving a first application document of a first application origin into a first application frame of the web browser, the first application origin being different from the hub origin. | 12-03-2015 |
20150350254 | AUTONOMOUS AND ADAPTIVE METHODS AND SYSTEM FOR SECURE, POLICY-BASED CONTROL OF REMOTE AND LOCALLY CONTROLLED COMPUTING DEVICES - An autonomous and adaptive method and system for secure, policy-based control of remote and locally controlled computing devices. The invention uses a policy-based access control mechanism to achieve adaptive and dynamic behavior modification based on the context of the local operating environment of the computing device. The modification system assesses the desirability of actions or outcomes as determined by the policy rules and modifies them accordingly, thus altering the behavior of the computing device. The system can utilize a machine learning technique, pattern matching and heuristic evaluation. When applied to the control of robotic and autonomous devices, the system allows the robot to offload adjudication to a remote system and also facilitates cooperative behaviors between robots operating in dynamic environments. | 12-03-2015 |
20150350255 | Verified Sensor Data Processing - Sensor data may be filtered in a secure environment. The filtering may limit distribution of the sensor data. Filtering may modify the sensor data, for example, to prevent identification of a person depicted in a captured image or to prevent acquiring a user's precise location. Filtering may also add or require other data use controls to access the data. Attestation that a filter policy is being applied and working properly or not may be provided as well. | 12-03-2015 |
20150356308 | SECURITY MANAGEMENT UNIT, HOST CONTROLLER INTERFACE INCLUDING SAME, METHOD OPERATING HOST CONTROLLER INTERFACE, AND DEVICES INCLUDING HOST CONTROLLER INTERFACE - A method of operating a host controller interface includes receiving a buffer descriptor including sector information from a main memory, fetching data by using a source address included in the buffer descriptor, selecting one of a plurality of entries included in a security policy table by using the sector information, and determining whether to encrypt the fetched data by using a security policy included in the selected entry. | 12-10-2015 |
20150356319 | Security Information for Software Parts - A system and method of identifying a security policy for a software part. Security information for the software part is signed with a security information digital signature to form signed security information. The security information identifies a security policy for the software part. The signed security information is associated with the software part. | 12-10-2015 |
20150358276 | METHOD, APPARATUS AND SYSTEM FOR RESOLVING DOMAIN NAMES IN NETWORK - Method, apparatus and system for resolving domain names in network. One embodiment provides a method for resolving a domain name in a network, including: receiving, at a controller associated with a switch in the network, a domain name system (DNS) request for the domain name from the switch, the DNS request initiated by a client, the controller controlling operations of the switch in the network; and controlling processing of the DNS request based on a predefined security constraint at the controller to obtain a network address corresponding to the domain name, wherein the DNS request is forwarded by the switch to the controller in response to a DNS record related to the domain name being missed in first storage at the switch. Other embodiments of the present invention provide a corresponding apparatus and system. | 12-10-2015 |
20150358282 | Firewall Policy Browser - Methods, computer-readable media, systems and apparatuses for a firewall policy system are described. A computing system in a network comprising firewalls using a plurality of different formats may obtain configuration data of at least one firewall. The configuration data may comprise firewall policy information of the at least one firewall in a first format. A data type of each configuration item in the obtained configuration data may be determined, and corresponding data in a second format for each configuration item may be determined based on the data type of the respective configuration item. The second format may be different from the plurality of different formats used by the firewalls. The properties of each configuration item in the second format may be stored, and the obtained configuration data of the at least one firewall may be presented in the second format. | 12-10-2015 |
20150358283 | Firewall Policy Converter - Methods, computer-readable media, systems and apparatuses for firewall policy system are described. The firewall policy system may include a unified format converter, a firewall policy browser, and a firewall policy converter. The firewall policy converter may convert firewall policies between different configuration formats. A first firewall policy may be received in a first configuration format. The first firewall policy may be converted into a second configuration format, and a command to convert the first firewall policy from the second configuration format into a third configuration format may be received. In response to receiving the command, the first firewall policy may be converted from the second configuration format into the third configuration format. The first firewall policy may be outputted in the third configuration format. | 12-10-2015 |
20150358291 | FIREWALL POLICY COMPARISON - Systems, methods, and apparatuses for comparing firewall policies are described. In one aspect, a system includes a first gateway configured to implement a first firewall having a first policy, a second gateway configured to implement a second firewall having a second policy, and a computing device configured to compare the first policy with the second policy to determine whether the first policy matches the second policy. The first firewall and the second firewall may be implemented with different technologies and/or on different platforms. The computing device may operate as, or execute, a firewall comparison tool to parse raw firewall configuration data from the different firewalls and generate data structures with a common format so that the firewall policies may be compared. | 12-10-2015 |
20150358353 | ENHANCED SELECTIVE WIPE FOR COMPROMISED DEVICES - Systems, methods, and software are disclosed herein that enhance selective wipe technology and operations. In an implementation, an application initiates a request to authenticate a user with respect to the application. In some scenarios, the application receives a response to the request that includes a selective wipe instruction. When the application receives such a response, the application selectively wipes data associated with the application. | 12-10-2015 |
20150358354 | METHOD AND SYSTEM FOR POLICY BASED AUTHENTICATION - A mobile device capable of performing a plurality of functions. The mobile device includes a memory for storing a plurality of different security policies; an input device for invoking a function from the plurality of functions by a user; a processor for assigning a first security policy from the stored plurality of security policies to the invoked function; and a security module for requiring the user to satisfy the assigned first security policy, before the invoked function is performed by the mobile device. | 12-10-2015 |
20150358355 | DEVICES, SYSTEMS, AND METHODS FOR ENABLING RECONFIGURATION OF SERVICES SUPPORTED BY A NETWORK OF DEVICES - Systems, devices, and methods are disclosed for enabling the reconfiguration of services supported by a network of devices. Such reconfiguration can be realized dynamically and in real time without compromising the security of the overall system from external threats or internal malfunctions. These systems, devices and methods may provide a first functional stack supporting a previous version of a specific service and the provisioning of a second functional stack dynamically and in real-time that supports an updated version of the specific service. In addition, an administration function may be included in the embodiment such that the administration function manages and controls the functional stacks and network operations. Using these mechanisms, an existing service can be changed dynamically or a new service can be added dynamically in a secure manner without interruption of other existing services. | 12-10-2015 |
20150358356 | PROCESSING DEVICE AND METHOD OF OPERATION THEREOF - A processing device ( | 12-10-2015 |
20150358358 | ADDING FIREWALL SECURITY POLICY DYNAMICALLY TO SUPPORT GROUP VPN - A server device receives, from a member device, a registration request for a group virtual private network (VPN) and provides an initial firewall security policy for the group VPN. The server device receives instructions for a policy configuration change and sends, to the member device, a push message that includes dynamic policies to implement the policy configuration change. The dynamic policies are implemented as a subset of a template policy. The member device receives the push message with the dynamic policies, associates the dynamic policies with the template policy, and applies the initial security policy data and the dynamic policies to incoming traffic without the need for a reboot of the member device. | 12-10-2015 |
20150358360 | POLICY-BASED SELECTION OF REMEDIATION - Methods and systems for remediating a security policy violation on a computer system are provided. According to one embodiment, information regarding a program-code-based operational state of a host asset is collected by a light weight sensor (LWS) running on the host asset via a survey tool. The information is transmitted by the LWS to a remote server via an external network. Multiple security policies are enforced by the remote server with respect to the host asset based on the received information, including determining whether the program-code-based operational state of the host asset represents a violation of one or more security policies by evaluating the received information with respect to the security policies, each of which defines at least one parameter condition, violation of which is potentially indicative of unauthorized activity on the host asset or manipulation of the host asset making the host asset vulnerable to attack. | 12-10-2015 |
20150358822 | Utilizations and Applications of Near Field Communications in Mobile Device Management and Security - Systems and methods for using Near Field Communications | 12-10-2015 |
20150363583 | INFORMATION TERMINAL, DISPLAY METHOD FOR IMAGE FOR INFORMATION INPUT, AND COMPUTER-READABLE RECORDING MEDIUM - An information terminal | 12-17-2015 |
20150363604 | PROVISIONING SOFTWARE WITH POLICY-APPROPRIATE CAPABILITIES - Apparatus and methods are described for enabling distribution of user-tailored pieces of a larger software program in a way that facilitates compliance with organizational policies around security, access control, and the like. The pieces, representing new or missing functionality in an existing instance of pre-installed software, are supplied as supplemental software fragments (“aspects”) that provide new or missing logic to a target application with the target application having to know of the fragment's existence. The number and quality of aspects provisioned to the user are tailored to the user's identity and/or organizational role in accordance with explicit policy governing such provisioning. In this manner, the user of the software gains functionality appropriate to his security level, title, or other qualifications, and the events surrounding the provisioning become loggable, traceable, and verifiable. | 12-17-2015 |
20150365380 | SYSTEM AND METHOD FOR INTERLOCKING A HOST AND A GATEWAY - A method is provided in one example embodiment and includes exchanging a session descriptor associated with a network connection and an application on a host, correlating the session descriptor with a network policy, and applying the network policy to the network connection. In alternative embodiments, the session descriptor may be exchanged through an out-of-band communication channel or an in-band communication channel. | 12-17-2015 |
20150365435 | SHARED SECURITY UTILITY APPLIANCE FOR SECURE APPLICATION AND DATA PROCESSING - A security information technology element (ITE) for secure application and data processing, including a physical enclosure defining a protection envelope and a secure computing device disposed within the protection envelope. The security ITE provides security services to applications and a secure processing environment for hosting applications, and includes cryptographic services and hardware acceleration. A security manager within the security ITE is configured to erase data within the protection envelope upon detecting physical tampering. | 12-17-2015 |
20150365436 | Techniques for Improved Run Time Trustworthiness - Techniques are presented herein for attesting the trustworthiness of devices in a secure network during run-time operation. A security management device is configured to perform network trust attestation operations in order to generate an access control policy that defines access rights for a device in a network. The access control policy is assured by creating a hash value for the access control policy and then signing the hash value to generate a signed hash value. The signed hash value is integrated with the access control policy, and the access control policy is sent with the signed hash value to the operator device for verification. | 12-17-2015 |
20150365437 | MANAGING SOFTWARE DEPLOYMENT - The method includes identifying an instance of software installed. The method further includes determining a fingerprint corresponding to the instance of software installed. The method further includes determining a security risk associated with the instance of software installed. The method further includes identifying a software management policy for the instance of software based upon the fingerprint, security risk, and designated purpose of the computing device. In one embodiment, the method further includes in response to identifying the software management policy, enforcing, by one or more computer processors, the software management policy on the instance of software installed on the computing device. | 12-17-2015 |
20150365438 | Method and System for Automated Incident Response - Methods, systems, and apparatus, including computer programs encoded on computer storage media, for implementing a response to one or more security incidents in a computing network. One of the methods includes identifying a security incident based on detecting one or more indicators of compromise associated with the security incident, comparing the security incident with a predefined ontology that maps the security incident to one or more courses of action, selecting a response strategy that includes one or more of the courses of action, and implementing the response strategy as an automated response. | 12-17-2015 |
20150365439 | SYNCHRONIZATION OF SECURITY-RELATED DATA - An example method includes retrieving, by a local device ( | 12-17-2015 |
20150365440 | SHARED SECURITY UTILITY APPLIANCE FOR SECURE APPLICATION AND DATA PROCESSING - A method includes registering an application with a security information technology element (ITE), the security ITE comprising a secure computing device located within a protection envelope and configured to provide security services for one or more applications. The security ITE provides security services to applications and a secure processing environment for hosting applications, and includes cryptographic services and hardware acceleration. A security manager within the security ITE is configured to erase data within the protection envelope upon detecting physical tampering. | 12-17-2015 |
20150365441 | System for Providing DNS-Based Control of Individual Devices - A device control system is associated with individual devices connected through a network control point to a gateway and thereby to the Internet. The gateway inserts an EDNS0 pseudo resource record into an additional data section in each DNS query initiated by an individual device, the EDNS0 pseudo resource record identifying the initiating device. A dynamic policy enforcement engine in front of the DNS engine intercepts the DNS query, identifies the initiating device, and selects a policy that applies to the device. The dynamic policy enforcement engine may provide parental control and security service to the individual device by blocking the DNS query or passing it to the DNS engine according to the policy. A component that intercepts DNS queries may provide several additional types of services to the individual devices, including advertising, messaging, mobile device tracking, individual device application control, and delivery of individualized content. | 12-17-2015 |
20150371042 | Systems and Methods Involving Features of Hardware Virtualization, Hypervisor, Pages of Interest, and/or Other Features - Systems, methods, computer readable media and articles of manufacture consistent with innovations herein are directed to computer virtualization, computer security and/or memory access. According to some illustrative implementations, innovations herein may utilize and/or involve a separation kernel hypervisor which may include the use of a guest operating system virtual machine protection domain, a virtualization assistance layer, and/or a detection mechanism (which may be proximate in temporal and/or spatial locality to malicious code, but isolated from it), inter alia, for detection and/or notification of, and action by a monitoring guest upon access by a monitored guest to predetermined physical memory locations. | 12-24-2015 |
20150371045 | METHODS, SYSTEMS AND MACHINE-READABLE MEDIA FOR PROVIDING SECURITY SERVICES - Systems, methods and machine-readable media for providing a security service are disclosed. The methods include receiving a modification of the application object code to allow the software application to transmit a request for the security service; retrieving the modified application object code corresponding to the software application from memory; receiving, via a processor, the request for the security service from the modified application object code; and providing, via the processor, the security service. The systems and machine-readable media perform operations according to the disclosed methods. | 12-24-2015 |
20150372977 | FIREWALL POLICY MANAGEMENT - Methods and systems are provided for creation and implementation of firewall policies. The method of the present invention includes enabling a firewall device to maintain a log of network traffic flow observed by the device. The method further includes enabling the firewall device to receive an administrator request for a customized report to be generated based on the log of network traffic and generating the report by extracting information from the log based on report parameters, where the report includes desired network traffic items that are associated with one or more action objects. The method further provides for the firewall device to receive a directive to implement an appropriate firewall policy on one or more network traffic items responsive to interaction of the administrator with one or more action objects corresponding to the network traffic items. Based on the directive and information from the log, the firewall then defines and/or establishes the appropriate firewall policy. | 12-24-2015 |
20150372980 | INTRUSION PREVENTION AND REMEDY SYSTEM - According to one embodiment, a computerized method is directed to neutralizing callback malware. This method involves intercepting an incoming message from a remote source directed to a compromised endpoint device. Next, a first portion of information within the incoming message is substituted with a second portion of information. The second portion of information is designed to mitigate operability of the callback malware. Thereafter, the modified incoming message, which includes the second portion of the information, is returned to the compromised endpoint device. | 12-24-2015 |
20150372985 | SYSTEM AND METHOD FOR OPERATING A SAFETY-CRITICAL DEVICE OVER A NON-SECURE COMMUNICATION NETWORK - A system and method for operating, at a near location, a safety-critical device located at a far location. The system includes a first operating input device to be operated at the near location, providing a first barrier control signal; and a second operating input device to be operated at the near location, providing a second barrier control signal. The first barrier control signal is communicatively connected to a near end of a first secure communication tunnel through the non-secure communication network, and the second barrier control signal is communicatively connected to a near end of a second secure communication tunnel through the non-secure communication network. A far end of the first secure communication tunnel is communicatively connected to an activating input of a first barrier circuit, and a far end of the second secure communication tunnel is communicatively connected to an activating input of a second barrier circuit. | 12-24-2015 |
20150373042 | RUNTIME PROTECTION OF WEB SERVICES - Protecting a runtime Web service application. A web service application is instrumented to log its operation and allow recreation of its execution trace. Trace point vulnerabilities are identified using one or more data payloads. Candidate trace point operations associated with the trace point vulnerabilities are identified. Supplementary candidate operations are computed based on the existing trace point operations and the one or more data payloads. The Web service application is further instrumented with the one or more supplementary candidate operations. | 12-24-2015 |
20150373052 | Management of Privacy Policies - Master privacy policies for different users are stored to a cloud-based central server. When a user interacts with a third-party service (such as FACEBOOK® or AMAZON®), the third-party service may require acceptance of privacy policies before services are rendered. Here the cloud-based central server may automatically configure a privacy policy of the third-party service to the user's master privacy policy. The cloud-based central server thus relieves the user of managing many different privacy policies required by many different third-party service providers. | 12-24-2015 |
20150373053 | METHOD AND APPARATUS FOR PROVIDING PRIVACY MANAGEMENT IN MACHINE-TO-MACHINE COMMUNICATIONS - A method, non-transitory computer readable medium and apparatus for processing a request from a server of a machine-to-machine service provider are provided. For example, the method receives the request from the server of the machine-to-machine service provider to communicate with a machine-to-machine device, determines whether to authorize the request based upon a policy in a privacy database, and enables communications between the server of the machine-to-machine service provider and the machine-to-machine device if the request is authorized based upon the policy. | 12-24-2015 |
20150373054 | AUTOMATED FEEDBACK FOR PROPOSED SECURITY RULES - A computer determines a number of matches returned by a proposed security rule that result from application of the proposed security rule to historical logged event data. The computer determines a predicted performance of the proposed security rule as part of a network security system based on the number of matches. The computer sends a message during a creation session of the proposed security rule. The message includes a recommended change for a portion of the proposed security rule based on the predicted performance of the proposed security rule. | 12-24-2015 |
20150379298 | DATA PROTECTION SYSTEMS AND METHODS - Systems and methods are provided for protecting electronic content from the time it is packaged through the time it is experienced by an end user. Protection against content misuse is accomplished using a combination of encryption, watermark screening, detection of invalid content processing software and hardware, and/or detection of invalid content flows. Encryption protects the secrecy of content while it is being transferred or stored. Watermark screening protects against the unauthorized use of content. | 12-31-2015 |
20150381658 | PREMISES-AWARE SECURITY AND POLICY ORCHESTRATION - A tracking station detects a mobile data processing system (DPS) within communication range of a short range wireless module of the tracking station. In response to detecting the mobile DPS, the tracking station obtains identification data for the mobile DPS from a security module of the mobile DPS. The tracking station uses the identification data to obtain credentials to access secure storage on the mobile DPS. The tracking station automatically generates security configuration data for the mobile DPS, based on multiple factors pertaining to the mobile DPS, such as identity of the mobile DPS, a location of the mobile DPS, capabilities of the mobile DPS, etc. The tracking station uses the credentials to write the security configuration data to the secure storage of the mobile DPS. The security configuration data calls for the mobile DPS to automatically disable or enable at least one component. Other embodiments are described and claimed. | 12-31-2015 |
20150381659 | CRYPTOGRAPHY AND KEY MANAGEMENT DEVICE AND ARCHITECTURE - A method for operating a secure device having a plurality of mutually exclusive circuit zones, including a first circuit zone having a first level of security and a second circuit zone having a second level of security less than the first level of security, the method including unpacking a key exchange package including receiving a key exchange package in the second circuit zone, the key exchange package including encrypted key data and processing the encrypted key data using a content key in the first circuit zone to generate decrypted key data and storing the decrypted key data in the first circuit zone without disclosing the decrypted key data into the second circuit zone. | 12-31-2015 |
20150381660 | Dynamically Generating a Packet Inspection Policy for a Policy Enforcement Point in a Centralized Management Environment - A mechanism is provided for generating a packet inspection policy for a policy enforcement point in a centralized management environment. Data of a network topology for the policy enforcement point corresponding to a network infrastructure is updated according to metadata of the policy enforcement point, the metadata including a capability of the policy enforcement point. The packet inspection policy for the policy enforcement point is generated according to the data of the network topology and the capability of the policy enforcement point. The packet inspection policy is then deployed to the policy enforcement point. | 12-31-2015 |
20150381661 | METHOD OF MANAGING ACCESS CONTROL IN A CLOUD NETWORK - A method which makes it possible to manage access control between a first entity and a second entity belonging to two security domains in a cloud network is disclosed. In one aspect the method comprises, if the entities belong to security domains implementing different access control policies, determining whether there exists a first access control rule between the first entity and a virtual entity within the security domain of the first entity, and a second access control rule between the second entity and the virtual entity within the security domain of the second entity. If so, the method may comprise controlling access between the first and second entities as a function of the first and second rules. | 12-31-2015 |
20150381662 | SOCIAL-GRAPH AWARE POLICY SUGGESTION ENGINE - Systems, devices and methods are disclosed to assist in configuring devices and policies to protect a regional network (e.g., home network) and its users. Users on the network are monitored to determine appropriate configuration settings and preferences by utilizing a combination of internally configured information and externally gathered information for each user. For example, externally gathered information may include information obtained about a user from one or more social media Internet sites. Automatically obtained information may be used to provide or augment policy information such that a user's preference relative to internet content (e.g., content blocking software configuration) may be achieved without requiring an administrator to individually prepare each user's security profile and configuration. | 12-31-2015 |
20160004869 | VERIFICATION OF TRUSTED THREAT-AWARE MICROVISOR - A trusted threat-aware microvisor may be deployed as a module of a trusted computing base (TCB). The microvisor is illustratively configured to enforce a security policy of the TCB, which may be implemented as a security property of the microvisor. The microvisor may manifest (i.e., demonstrate) the security property in a manner that enforces the security policy. Trustedness denotes a predetermined level of confidence that the security property is demonstrated by the microvisor. The predetermined level of confidence is based on an assurance (i.e., grounds) that the microvisor demonstrates the security property. Trustedness of the microvisor may be verified by subjecting the TCB to enhanced verification analysis configured to ensure that the TCB conforms to an operational model with an appropriate level of confidence over an appropriate range of activity. The operational model may then be configured to analyze conformance of the microvisor to the security property. A combination of conformance by the microvisor to the operational model and to the security property provides assurance (i.e., grounds) for the level of confidence and, thus, verifies trustedness. | 01-07-2016 |
20160006693 | DEPLOYING A SECURITY POLICY BASED ON DOMAIN NAMES - A firewall uses a variety of techniques to obtain a useful domain name from a network request, that is, a domain name that facilitates the accurate enforcement of domain-based security rules for network traffic at the firewall. If the network request includes an Internet Protocol (IP) address instead of the domain name, the firewall may begin with a reverse domain name lookup. If this technique fails to adequately resolve the domain name, then the firewall may attempt a hypertext transfer protocol (HTTP) GET request to the IP address and investigate the header for useful domain name information. The firewall may also or instead initiate a secure connection to the IP address and analyze a certificate returned from the destination for the presence of domain name information. These measures can produce one or more domain names that can be collectively analyzed to select a suitable domain name for the application of a domain-based security rule or policy by the firewall. | 01-07-2016 |
20160006738 | ENHANCED USER INTERFACE AND DATA HANDLING IN BUSINESS INTELLIGENCE SOFTWARE - A business intelligence and reporting solution can include a databook interface that acts both as a reporting mechanism and as an interface for providing data visualization parameters. In some embodiments, the databook includes a plurality of palettes whereby visualization parameters can be specified through a drag-and-drop interaction with the databook. The databook can include a tab interface to select between data views, graphic visualizations of data currently in the databook, and a composite visualization mechanism that provides output to place one or more rows in context to other data in the databook and/or to forecast trends for one or more databook values. The databook may rely on an underlying dataset collected from multiple distinct sources, such as different databases. The solution may include a security policy restricting access to certain fields, records, and/or columns based on a user's role in an organization, data content, and/or a defined access hierarchy for different data items. | 01-07-2016 |
20160006741 | NETWORK SWITCH WITH HIERARCHICAL SECURITY - Network switches and methods are disclosed. A network switch may include multiple input ports and multiple output ports, a switch fabric, and switch controller. The controller may receive and store data identifying a plurality of users and data defining which input ports and which output ports each user has authority over. The controller may receive, from a requesting user from the plurality of users, a request to make a connection between a selected input port and a selected output port. The controller may determine, based on the stored data, if the requesting user has authority over both the selected input port and the selected output port. The controller may refuse to make the requested connection if the requesting user does not have authority over both the selected input port and the selected output port. | 01-07-2016 |
20160006755 | Dynamic Traffic Steering System and Method in a Network - The invention provides a security system and method for use in a communications network, said network comprising means to allow a plurality of devices to communicate over the network; a security agent configured on at least one device and adapted to communicate with the security system; said system comprising: means for performing dynamic intelligent traffic steering from the device based on analysis of data traffic on the network or on the device, wherein the steering decision can be made to select a channel on a per flow basis. | 01-07-2016 |
20160006763 | METHOD AND APPARATUS TO DETERMINE USER PRESENCE - According to some embodiments, a method and apparatus are provided to receive a first signal from a sensor, determine that a user is present based on the received first signal, receive a second signal from the sensor, and determine if the user is still present based on the received second signal. | 01-07-2016 |
20160006764 | DISTRIBUTED NETWORK INSTRUMENTATION SYSTEM - A distributed network instrumentation system ( | 01-07-2016 |
20160006765 | CONNECTION-SPECIFIC COMMUNICATION MANAGEMENT - A method of managing a connection-specific policy for accessing a target system includes receiving a request from a user client for a connection with a target system. A unique identifier is determined for the requested connection. Connection settings for connecting to the target system are provided to the user client. The connection settings include the unique connection identifier. A corresponding access policy for the connection identifier is provided to the target system. The target system applies the corresponding access policy on the connection established with the connection settings. | 01-07-2016 |
20160006766 | METHOD AND APPARATUS FOR PROVIDING ANALYSIS SERVICE BASED ON BEHAVIOR IN MOBILE NETWORK ENVIRONMENT - An apparatus and method for providing analysis service based on behavior in a mobile network environment are disclosed. The apparatus includes a control unit configured to control the path of a packet based on predetermined policy information, to block the packet based on a result of an analysis of the packet, or to extract information about the packet and selectively process the extracted information based on the predetermined policy information; a download path and file management engine configured to collect downloaded files corresponding to the URL of the packet, to extract the downloaded files as an app file, and to transfer the extracted app file to a virtual machine; and a virtual machine management engine unit configured to determine whether malware is present in the app file and whether the app file has accessed the resources, and to selectively manage the corresponding app based on a result of the determination. | 01-07-2016 |
20160006767 | DISTRIBUTED NETWORK CONNECTION POLICY MANAGEMENT - A connection policy for a communications network has a local connection policy indicating which paths between a given one of the nodes (computer A, router A, host | 01-07-2016 |
20160006768 | Controlling Physical Access to Secure Areas Via Client Devices in a Network Environment - A method is disclosed for providing physical access credentials to a client device. The method may include receiving a request for a physical access credential, where the request includes at least one user access credential and at least one physical access point identifier. The method may also include determining whether the request should be granted based at least in part on the at least one user access credential. The method may further include, in response to determining that the request should be granted, sending the physical access credential associated with the physical access point. | 01-07-2016 |
20160006769 | PROVIDING SERVICES TO VIRTUAL OVERLAY NETWORK TRAFFIC - In one embodiment, an apparatus includes a processor and logic integrated with and/or executable by the processor. The logic is configured to communicate with a first physical switch, a second physical switch, and an overlay network that connects the first physical switch to the second physical switch. The logic is also configured to receive a request for a communication path through the overlay network for a packet, the request including at least the packet, first information about a source of the packet, the source of the packet being connected to the first physical switch, and second information about a most closely connected physical switch to a destination of the packet. Moreover, the logic is configured to determine the destination of the packet, the destination of the packet being connected to the second physical switch. Also, the logic is configured to determine whether to apply a security policy to the packet. | 01-07-2016 |
20160012216 | SYSTEM FOR POLICY-MANAGED SECURE AUTHENTICATION AND SECURE AUTHORIZATION | 01-14-2016 |
20160012240 | SYSTEM AND METHODS FOR USING CIPHER OBJECTS TO PROTECT DATA | 01-14-2016 |
20160012242 | ENSURING COMPLIANCE REGULATIONS IN SYSTEMS WITH DYNAMIC ACCESS CONTROL | 01-14-2016 |
20160014080 | SYSTEMS AND METHODS FOR PASSING NETWORK TRAFFIC CONTENT | 01-14-2016 |
20160014082 | DYNAMIC RESOLUTION OF FULLY QUALIFIED DOMAIN NAME (FQDN) ADDRESS OBJECTS IN POLICY DEFINITIONS | 01-14-2016 |
20160014129 | User Control of Data De-Identification | 01-14-2016 |
20160014140 | NETWORK-BASED REAL-TIME DISTRIBUTED DATA COMPLIANCE BROKER | 01-14-2016 |
20160014154 | CONTROLLING ACCESS TO AN OPERATOR NETWORK BY NON-CONFORMING DEVICES | 01-14-2016 |
20160014155 | ABSTRACT EVALUATION OF ACCESS CONTROL POLICIES FOR EFFICIENT EVALUATION OF CONSTRAINTS | 01-14-2016 |
20160014156 | SECURITY SETTINGS AND INDICATIONS OF CONTROLLERS | 01-14-2016 |
20160014157 | OBLIGATION ENFORCEMENT FOR RESOURCE ACCESS CONTROL | 01-14-2016 |
20160014158 | SEPARATED APPLICATION SECURITY MANAGEMENT | 01-14-2016 |
20160014159 | SEPARATED SECURITY MANAGEMENT | 01-14-2016 |
20160014161 | MANAGEMENT APPARATUS AND METHOD FOR CONTROLLING MANAGEMENT APPARATUS | 01-14-2016 |
20160014162 | QUERY SYSTEM AND METHOD TO DETERMINE AUTHENTICATION CAPABILITIES | 01-14-2016 |
20160014607 | METHOD AND SYSTEM FOR ENHANCED WIRELESS NETWORK SECURITY | 01-14-2016 |
20160019395 | ADAPTING DECOY DATA PRESENT IN A NETWORK - Disclosed are various embodiments for obtaining policy data specifying decoy data eligible to be inserted within a response to an access of a data store. The decoy data is detected in the response among a plurality of non-decoy data based at least upon the policy data. An action associated with the decoy data is initiated in response to the access of the data store meeting a configurable threshold. | 01-21-2016 |
20160021057 | SYSTEMS AND METHODS TO SECURE A VIRTUAL APPLIANCE - The present disclosure relates to systems and methods for providing secure support to virtual appliances delivered to customer sites without passwords or enabled ports for service. A virtual appliance may be established on a first device. The virtual appliance may comprise a self-contained virtual machine with a pre-installed operating system and may be established with no root password enabled and a remote access port disabled. An administration tool may receive from a requestor a request to enable maintenance for the virtual appliance. The administration tool may generate, responsive to the request, a random password. The administration tool may enable, responsive to the request, the remote access port. The virtual appliance may wait for a connection to the remote access port for a predetermined period of time. The administration tool may transmit the random password to a service of a second device remote to the first device. | 01-21-2016 |
20160021102 | METHOD AND DEVICE FOR AUTHENTICATING PERSONS - A method for authenticating a person with respect to a host. The host requests a temporary password from the person for accessing a service of the host. Random-based information is generated and provided to the person via a communication device as an input value for an algorithm from which the temporary password is calculated. The same algorithm is used by the person and by the host in order to calculate the password, and after a match is determined between the password calculated by the person and by the host, the person is granted access to the service of the host. The random-based information is displayed to the person as part of a password request routine of the host, and the person responds by inputting a temporary password. The random-based information is used solely as an input variable for the secret algorithm which ascertains the temporary password. | 01-21-2016 |
20160021114 | Method and Server of Remote Information Query - A method and a server of remote information query are disclosed. The method includes receiving a query request sent by a client side and acquiring content of a type field of the query request; acquiring a type of the query request based on the content of the type field; adding a type identifier corresponding to the type and a domain name of a preset authorized DNS (Domain Name System) to the query request to acquire a target query request; and sending the target query request to a local DNS to enable the local DNS to send the target query request to the preset authorized DNS according to the domain name of the preset authorized DNS in the target query request, and receiving a response message corresponding to the type of the query request from the preset authorized DNS. Thus, a simpler and highly efficient recognition of user security can be realized. | 01-21-2016 |
20160021117 | DEVICES AND METHODS FOR THREAT-BASED AUTHENTICATION FOR ACCESS TO COMPUTING RESOURCES - In some embodiments, a method includes receiving, at a host device, a signal indicative of an authentication request for a client device to access a resource from a set of resources. A resource confidence value associated with the authentication request is calculated based at least in part on (1) a threat confidence vector associated with at least one risk mitigation score for each threat from a set of threats and (2) a set of resource vulnerability scores associated with the resource and each threat from the set of threats. The resource confidence value is compared to a resource confidence criterion associated with the resource from the set of resources. A signal indicative of a positive authentication is sent from the host device to the client device when the resource confidence value satisfies the resource confidence criterion such that the client device is granted access to the resource. | 01-21-2016 |
20160021119 | METHOD FOR ESTABLISHING A PLURALITY OF MODES OF OPERATION ON A MOBILE DEVICE - A method, device and system for establishing plural modes of operation on a mobile device, including: associating each application on the mobile device with one of a plurality of modes; and restricting access to data on the mobile device to only a subset of applications based on the mode associated with each application. A system includes connection of an untrusted device to a trusted device and restricting data access for restricted data to a subset of trusted applications on the untrusted device. | 01-21-2016 |
20160021121 | METHODS, SYSTEMS, AND MEDIA FOR INHIBITING ATTACKS ON EMBEDDED DEVICES - Methods, systems, and media for inhibiting attacks on embedded devices are provided. In some embodiments, a system for inhibiting attacks on embedded devices is provided, the system comprising a processor that is configured to: identify an embedded device that is configured to provide one or more services to one or more digital processing devices within a communications network; receive a first firmware associated with the embedded device; generate a second firmware that is functionally equivalent to the first firmware by: determining unused code within the first firmware; removing the unused code within the second firmware; and restructuring remaining code portions of the first firmware into memory positions within the second firmware; and inject the second firmware into the embedded device. | 01-21-2016 |
20160021139 | SYSTEMS AND METHODS FOR DETECTING AND PREVENTING CYBER-THREATS | 01-21-2016 |
20160021143 | DEVICE FEDERATION - The present application is directed to device federation. Interaction between devices in a federation may be conducted using reduced security, while interactions with devices outside the federation may be conducted with a variable security up to a standard level of security that may be associated with a communication protocol. A device may comprise at least a communication module and a federation module. The federation module may include at least a relationship rules module having at least one rule based on relationships between devices and a link security control module to control the amount of security utilized during interaction based on the at least one rule. The link security control module may also control how a device may be inducted into a federation by, if necessary, providing qualification data to qualify the device for induction. | 01-21-2016 |
20160026798 | Selectively Capturing Video in a Virtual Environment Based on Application Behavior - One example method includes executing a software application within the virtual machine environment; during execution of the software application, detecting one or more actions specified by a malicious application policy being performed by the software application within the virtual machine environment, the malicious application policy specifying one or more actions that will trigger video capture in the virtual machine environment executing the software application; and initiating capture of a video signal of the virtual machine environment in response to detecting the one or more actions specified by the malicious application policy. | 01-28-2016 |
20160026799 | SECURITY DEVICE HAVING INDIRECT ACCESS TO EXTERNAL NON-VOLATILE MEMORY - A method in a security device that provides a security service to a host includes receiving a security command from an application program running on the host. The security command is executed by accessing a Non-Volatile Memory (NVM) device external to the security device transparently to the application program via a dedicated device driver, which runs on the host and mediates between the NVM device and the security device. | 01-28-2016 |
20160026818 | USER INTERFACE FOR SECURE VIRTUAL DOCUMENT MANAGEMENT SYSTEM - A user interface for a virtual file management system that provides user access to managed content on mobile devices. The system comprises storage domains storing the managed content distributively using file systems, and a data infrastructure that organizes the managed content into a virtual file system. The data infrastructure includes a component that maintains policies defining controls for permissible operations on the managed content, the permissible operations including the file system primitives. A client application including a user interface is hosted on the mobile devices and is coupled to the data infrastructure and the storage domains and includes an enforcement component that retrieves and enforces the policies by applying the controls on the mobile devices. | 01-28-2016 |
20160026819 | USE CASE DRIVEN GRANULAR APPLICATION AND BROWSER DATA LOSS PREVENTION CONTROLS - A flexible policy system allows compliant apps on a mobile device to interact with a secure container memory space to ensure that data leak prevention policies are being enforced. Third-party applications can include an SDK or application wrapper that provide policy enforcement via agent functionality. An administrator can define policies via a web-based portal, allowing a server to identify appropriate users and devices and to distribute policies to those devices to be enforced within the secure container on each device. Policies can identify the datatypes and security levels, and the related applications and users that have authority to access that data. The agent or application wrapper enforces these policies on the mobile device before applications can access data in the secure memory space. | 01-28-2016 |
20160026821 | EVENT DRIVEN PERMISSIVE SHARING OF INFORMATION - Event driven permissive sharing of information is disclosed. In an aspect, user equipment can include information sharing profiles that can facilitate sharing information with other devices or users, such as sharing location information. The information sharing profiles can include trigger values, such that when a target value transitions the trigger value, a permission value is updated to restrict or allow access to sharable information. As such, event driven permissive sharing of information allows for designation of temporary friend information sharing with user-defined triggers. | 01-28-2016 |
20160028704 | ESTABLISHING SECURE COMPUTING DEVICES FOR VIRTUALIZATION AND ADMINISTRATION - Embodiments are directed to establishing a secure connection between computing systems and to providing computer system virtualization on a secure computing device. In one scenario, a computer system receives a request that at least one specified function be initiated. The request includes user credentials and a device claim that identifies the computing device. The computer system authenticates the user using the received user credentials and determines, based on the device claim, that the computing device is an approved computing device that has been approved to initiate performance of the specified function. Then, upon determining that the user has been authenticated and that the computing device is approved to initiate performance of the specified function, the computer system initiates performance of the specified function. | 01-28-2016 |
20160028708 | DIGITAL CREDENTIAL WITH EMBEDDED AUTHENTICATION INSTRUCTIONS - Methods and systems are provided for sending messages in a security system. In particular, a new message syntax can include one or more positive assertions that may be verified. The receiver of the message or credential may verify all the positive assertions. In other configurations, one or more nodes that relay the message from the sender to the receiver can verify the positive assertions or may create one or more of the positive assertions. In this way, the network or entities used to relay the message can also be checked. | 01-28-2016 |
20160028737 | MULTIPLE RESOURCE SERVERS INTERACTING WITH SINGLE OAUTH SERVER - A framework, which conforms to the OAuth standard, involves a generic OAuth authorization server that can be used by multiple resource servers in order to ensure that access to resources stored on those resource servers is limited to access to which the resource owner consents. Each resource server registers, with the OAuth authorization server, metadata for that resource server, indicating scopes that are recognized by the resource server. The OAuth authorization server refers to this metadata when requesting consent from a resource owner on behalf of a client application, so that the consent will be of an appropriate scope. The OAuth authorization server refers to this metadata when constructing an access token to provide to the client application for use in accessing the resources on the resource server. The OAuth authorization server uses this metadata to map issued access tokens to the scopes to which those access tokens grant access. | 01-28-2016 |
20160028769 | POLICY EVALUATION TREES - Technology for improving evaluation of policies comprising multiple rules is disclosed. By generating a policy evaluation tree controlling, for any given policy state, which rules should be evaluated next, policy optimization can be performed off-line prior to policy evaluation. For a policy, a policy evaluation tree can be generated such that each node in the tree corresponds to a policy state and each child node corresponds to a policy state that may result from an action that may be taken from its parent policy state. Policy evaluation trees may be generated by iteratively generating, from an initial policy state, possible next states as child states until a result of the policy is determined. Some next possible policy states may be pruned from the tree based on conditions such as having a high cost of evaluation compared to the likelihood a rule will yield an interesting result. | 01-28-2016 |
20160028770 | Wireless Network Service Interfaces - A uniform wireless network service selection information exchange interface system is provided to facilitate a consistent user experience across multiple wireless networks that may have different service plan activation or service plan purchase processes. Network detection of service usage anomalies based on device-based data usage reports is provided to enable the network to determine whether an end-user device is likely operating in accordance with the established policy, or whether the end-user device may be operating fraudulently. | 01-28-2016 |
20160028771 | USING EVENTS TO IDENTIFY A USER AND ENFORCE POLICIES - Enforcing a policy is described. Event data generated in response to a device authenticating to a node on a first network is received. A request for a resource that is external to the first network is received from the device. A mapping between an IP address of the device and a user identity is determined, at least in part by using at least a portion of the received event data. A policy is applied to the device based at least in part on the user identity. | 01-28-2016 |
20160028772 | System and Method for Automatic Data Protection in a Computer Network - A method of protecting data items in an organizational computer network, including defining multiple information profiles for classifying the data item, defining rules for protecting the data item belonging to a specific information profile, classifying the data item according to the defined information profiles, applying a protection method to the data item responsive to the classification and the defined rules, automatically updating the classification of the data item responsive to a change in the content or location of the data item, and automatically transforming the applied protection method, throughout the lifecycle of the data item, responsive to a change in classification or location of the data item, according to the defined rules. | 01-28-2016 |
20160028773 | STATISTICAL SECURITY FOR ANONYMOUS MESH-UP ORIENTED ONLINE SERVICES - Web pages and applications commonly consume functionality provided by services to provide users with a rich experience. For example, a backend mapping service may provide access to these services. However, the users and application consuming the services may be anonymous and unverified. Accordingly, a two ticket validation technique is provided to validate service execution requests from anonymous applications. In particular, a user is provided with a client ticket comprising a reputation. The reputation may be adjusted over time based upon how the user consumes services. An application may request access to a service by providing the client ticket and an application ticket for validation. The reputation of the user may be used to determine an access level at which the application may access the service. Users with a high reputation may receive high quality access to the service, while users with a low reputation may receive lower quality access. | 01-28-2016 |
20160028774 | Data Access Policies - To verify compliance with a data access policy, a query result including data specified by a requesting entity and a representation of a data access policy is received from a database. Based on the representation of the data access policy included in the query result, it is verified whether the requesting entity is permitted to access the data included in the query result. Transmission of the data included in the query result to the requesting entity is controlled responsive to the verification. Related methods, systems, and computer program products are also discussed. | 01-28-2016 |
20160028775 | METHODS, SYSTEMS, AND COMPUTER PROGRAM PRODUCTS FOR MANAGING FIREWALL CHANGE REQUESTS IN A COMMUNICATION NETWORK - A method of managing firewall change requests for a communication network includes providing a change request interface comprising a plurality of change request form types, each request form including an interface for entering requestor identification information, Internet Protocol (IP) address information, change implementation schedule information, and submission information specifying any requestor instructions for implementing the change, receiving completed change request forms from at least one requestor, arranging the completed change request forms in a request queue, and presenting the request queue to at least one administrator responsible for implementing firewall changes in the communication network. | 01-28-2016 |
20160028776 | Analyzing Policies of an Information Management System - In an information management system, activity data is collected and analyzed for patterns. The information management system may be policy based. Activity data may be organized as entries including information on user, application, machine, action, object or document, time, and location. When checking for patterns in the activity or historical data, techniques may include inferencing, frequency checking, location and distance checking, and relationship checking, and any combination of these. Analyzing the activity data may include comparing like types or categories of information for two or more entries. | 01-28-2016 |
20160034696 | Data Permission Management for Wearable Devices - Methods and apparatus for providing rule-based access to data stored on wearable devices are provided. A wearable computing device can store data that includes data about a wearer of the wearable computing device. The wearable computing device can receive a request for a portion of the stored data. The wearable computing device can determine a designated role associated with the request for the portion of the stored data. The wearable computing device can determine one or more rules regarding access to the portion of the stored data based on the designated role. The wearable computing device can determine a response to the request for the portion of the stored data by at least: determining whether the request is validated by at least applying the one or more rules to the request, and after determining that the request is validated, providing the requested portion of the stored data. | 02-04-2016 |
20160034711 | CLOUD BASED REAL TIME APP PRIVACY DASHBOARD - A method of operating an electronic device comprises detecting access to private information stored in memory of the electronic device. The detecting is performed by a privacy management module downloadable to the electronic device as object code for execution on the electronic device and the access is performed by a client application program. The method further comprises tracking, using the privacy management module, the private information being accessed by the client application program, and reconfiguring the electronic device, using the privacy management module, to change the access to the private information by the client application program according to at least one privacy access policy stored in the electronic device. | 02-04-2016 |
20160034717 | Filtering Transferred Media Content - An approach is provided in which an information handling system identifies areas of sensitive content in a digital image that is intended to be sent to a recipient. The information handling system retrieves rules corresponding to both the intended recipient and the sensitive content, and modifies the digital image based upon the identified rules. The modification of the digital image includes protecting the sensitive content, such as blurring a person's face on the digital image. In turn, the information handling system sends the modified digital image to the intended first recipient. | 02-04-2016 |
20160036778 | APPLYING A PACKET ROUTING POLICY TO AN APPLICATION SESSION - A security gateway includes packet routing policies, each including a host network address, an application network address, and a forwarding interface. In routing data packets of an application session, the security gateway: recognizes the application session between a network and an application; determines a user identity from an application session record for the application session; determines packet routing policies applicable to the application session based on the user identity; receives a data packet for the application session, including a source network address and a destination network address; compares the source network address with the host network address, and the destination network address with the application network address; and in response to finding a match between the source network address and the host network address, and between the destination network address and the application network address, processes the data packet using the forwarding interface of the packet routing policy. | 02-04-2016 |
20160036796 | METHOD AND SYSTEM FOR FACILITATING TERMINAL IDENTIFIERS - Embodiments of the present application disclose a method for providing a terminal identifier to a terminal. During operation, a security server receives a registration information set from the terminal, in which the registration information set includes multiple pieces of equipment information from the terminal. The security server then generates a terminal identifier based on the multiple pieces of equipment information in the registration information set. The security server then returns the terminal identifier to the terminal. | 02-04-2016 |
20160036816 | ZERO DAY THREAT DETECTION BASED ON FAST FLUX DETECTION AND AGGREGATION - A method in a cloud-based security system includes operating a Domain Name System (DNS) resolution service, proxy, or monitor in the cloud-based security system; receiving DNS records with time-to-live (TTL) parameters; checking the TTL parameters for indication of a fast flux technique; and detecting domains performing the fast flux technique based on the DNS records. A cloud-based security system includes a plurality of nodes communicatively coupled to one or more users; and a Domain Name System (DNS) service providing a resolution service, proxy, or monitor in the cloud-based security system; wherein the DNS service is configured to receive DNS records with time-to-live (TTL) parameters; check the TTL parameters for indication of a fast flux technique; and detect domains performing the fast flux technique based on the DNS records. | 02-04-2016 |
20160036825 | COMMUNICATION MANAGEMENT AND POLICY-BASED DATA ROUTING - A network environment includes a wireless access point providing access to a corresponding network. One or more mobile communication devices communicate with the wireless access point to access the network. In response to receiving a request from a mobile communication device to establish the wireless communication link, the wireless access point conveys communications between the mobile communication device and a remote server to authenticate the mobile communication device. During authentication, the wireless access point receives a policy assigned to the mobile communication device. | 02-04-2016 |
20160036826 | SECURE CONTENT PACKAGING USING MULTIPLE TRUSTED EXECUTION ENVIRONMENTS - Technologies for secure content packaging include a source computing device that transmits a secure package to a destination computing device. The destination computing device establishes a content policy trusted execution environment and a key policy trusted execution environment. The content policy trusted execution environment may be established in a secure enclave using processor support. The key policy trusted execution environment may be established using a security engine. The key policy trusted execution environment evaluates a key access policy and decrypts a content key using a master wrapping key. The content policy trusted execution environment evaluates a content access policy and decrypts the content using the decrypted content key. Similarly, the source computing device authors the secure package using a content policy trusted execution environment and a key policy trusted execution environment. The master wrapping key may be provisioned to the computing devices during manufacture. Other embodiments are described and claimed. | 02-04-2016 |
20160036844 | EXPLAINING NETWORK ANOMALIES USING DECISION TREES - In an embodiment, the method comprises receiving an identification of an anomaly associated with a false positive identification of a security threat by the intrusion detection system, wherein a first set of feature data identifies features of the anomaly; creating a plurality of training sets each comprising identifications of a plurality of samples of network communications; for the anomaly and each training set of the plurality of training sets, training a decision tree that is stored in digital memory of the security analysis computer; based at least in part on the plurality of trained decision trees, extracting a set of features that distinguish the anomaly from the plurality of samples; generating one or more rules associated with the anomaly from the extracted set of features and causing programming the security analysis computer with the one or more rules. | 02-04-2016 |
20160036855 | CLOUD APPLICATION CONTROL USING MAN-IN-THE-MIDDLE IDENTITY BROKERAGE - A cloud-based method, a system, and a cloud-based security system include receiving a request from a user for a cloud application at a proxy server; determining whether the user is authenticated based on a presence of cookies in the request; if the cookies are present, un-transforming the cookies by the proxy server and forwarding the request with the un-transformed cookies to the cloud application; and, if the cookies are not present, forwarding the request to the cloud application by the proxy server for authentication and transforming the cookies subsequent to the authentication prior to sending the cookies to the user. | 02-04-2016 |
20160036856 | DATA FLOW FORWARDING METHOD AND DEVICE - This disclosure makes public a data flow forwarding method and device, and in this method, a second health state is acquired based on the first health state of one or more pieces of identifying information of the received data flow, wherein the first health state and second health state are associated with the access rights of the user and/or user device that sent the data flow; it employs firewall policy property sets to determine whether or not to forward the data flow, wherein the firewall policy property sets comprise: the second health state. The technical schemes based on this disclosure improve the ability of a firewall to identify network attacks or abnormal activities and reduce administration costs. | 02-04-2016 |
20160036857 | CLOUD-BASED USER-LEVEL POLICY, REPORTING, AND AUTHENTICATION OVER DNS - A cloud-based method, system, and transparent proxy for user-level policy, reporting, and authentication over Domain Name System (DNS) include maintaining a local user Internet Protocol (IP) database identifying users in an enterprise; and acting as a transparent proxy for all DNS requests from the users performing the steps of: for a user already identified in the local user IP database, forwarding a DNS request to a cloud-based system with an identifier from the local user IP database of the user associated with the DNS request; and for the user not identified in the local user IP database, performing a series of redirects and hand-offs in the cloud-based system to identify the user. | 02-04-2016 |
20160036858 | SERVER VALIDATION WITH DYNAMIC ASSEMBLY OF SCRIPTS - Systems and methods for computer automated validation of server configurations are provided. A method for validation of a target environment, comprises assembling a validation script from a plurality of script fragments, inserting the assembled validation script into the target environment, executing the validation script in the target environment, gathering results of the executing, and reporting the results to at least one user. | 02-04-2016 |
20160036859 | SYSTEM AND METHOD FOR SECURING USE OF A PORTABLE DRIVE WITH A COMPUTER NETWORK - Solution for autonomously securing the use of a portable drive with a computer network. A data store is written and maintained that contains entries corresponding to a plurality of portable drives initialized for use with the computer network, each entry corresponding to at least one identifiable drive. Events are monitored as they occur on the computer network involving use of each of the plurality of portable drives. Predefined security policy determination criteria are applied, which can include drive mobility assessment criteria and drive content sensitivity criteria, to determine a drive-specific security policy for each one of the plurality of portable drives. A set of at least one policy enforcement action is executed that corresponds to a determined drive-specific security policy in response to detected usage activity for each one of the plurality of portable drives. | 02-04-2016 |
20160036860 | POLICY BASED DATA PROCESSING - A method and system for protecting resources stored in a data store, wherein the different resources are protectable on the basis of different policies defined for each of the respective resources and structured in a hierarchical manner. The method allows the different resources to be protected with a variable granularity, by defining policies such that the most fine-grained of the policies defined for a specific resource is dynamically applicable for that resource when executing a request involving that resource. | 02-04-2016 |
20160036861 | PERFORMING ACTIONS VIA DEVICES THAT ESTABLISH A SECURE, PRIVATE NETWORK - Embodiments are directed towards gateway computers and management platform server computers for managing secure communication over a network. A gateway computer may intercept communications from unauthenticated source node computers directed to target node computers. If the unauthenticated node computer provides its credentials in response to a request for credentials from the gateway computer, the credentials and the intercepted communications may be provided to a management platform server for further processing. The management platform server may authenticate the unauthenticated source node computer based on its credentials and the intercepted communication, and the management platform server may determine a target gateway computer that corresponds to the target node computer based on content of the intercepted communication. The management platform server may provide configuration information for generating a secure private network connection between the gateway computer and the target gateway computer. | 02-04-2016 |
20160036862 | Highly Scalable Architecture for Application Network Appliances - A highly scalable application network appliance is described herein. According to one embodiment, a network element includes a switch fabric, a first service module coupled to the switch fabric, and a second service module coupled to the first service module over the switch fabric. In response to packets of a network transaction received from a client over a first network to access a server of a data center having multiple servers over a second network, the first service module is configured to perform a first portion of OSI (open system interconnection) compatible layers of network processes on the packets while the second service module is configured to perform a second portion of the OSI compatible layers of network processes on the packets. The first portion includes at least one OSI compatible layer that is not included in the second portion. Other methods and apparatuses are also described. | 02-04-2016 |
20160042191 | PROGRAMMABLE INTERFACE FOR EXTENDING SECURITY OF APPLICATION-BASED OPERATING SYSTEM, SUCH AS ANDROID - Methods, systems, and computer readable media for extending security of an application-based computer operating system are disclosed. One system includes a memory. The system also includes an application-based operating system security module bridge implemented using the memory. The application-based operating system security module bridge is for receiving, from a reference monitor, a registration for at least one security authorization hook, for receiving a callback when a protected event occurs, for communicating with the reference monitor that registered the at least one security authorization hook corresponding to the callback, and for receiving, from the reference monitor, an access control decision associated with the protected event. | 02-11-2016 |
20160043995 | SYSTEM AND METHOD FOR LIMITING DATA LEAKAGE IN AN APPLICATION FIREWALL - System and methods for connection processing with limited data leakage. The system records state associated with a connection request in a connection state engine, records state associated with a connection acknowledgement in the connection state engine, stores data sent after the connection acknowledgement in a buffer and determines, without a proxy, whether to allow or deny a connection as a function of the data stored in the buffer. | 02-11-2016 |
20160043996 | SECURE PATH DETERMINATION BETWEEN DEVICES - Methods, network controllers, and machine-readable and executable instructions are provided to determine a secure path between a source device and a destination device. The secure path may be via a plurality of network devices. The secure path may be determined based on a security capability of each of the plurality of network devices in the secure path. Data may be forwarded between the source device and the destination device, via the plurality of network devices, based on the determined path. | 02-11-2016 |
20160044023 | AUTHENTICATION POLICY ENFORCEMENT - A method of operating a network message interceptor for enforcing an authentication policy for communication over a network between first and second network endpoints, the interceptor being in communication with the network and external to the first and second endpoints, the network including transport layer security, the method comprising the steps of: intercepting a handshake message transmitted over the network between the first and second endpoints; extracting a certificate for an authenticating one of the endpoints from the handshake message; determining a validity status of the certificate for confirming an identity of the authenticating endpoint; and preventing communication between the first and second endpoints based on a negatively determined validity status of the certificate. | 02-11-2016 |
20160044043 | METHOD AND DEVICE FOR TRANSMITTING A FILE CONTAINING A CONTROLLED-ACCESS MULTIMEDIA CONTENT - The invention relates to a method for transmitting a controlled-access multimedia content to at least one recipient terminal. The method comprises a step of inserting into a file containing the multimedia content at least one identifier relating to the recipient terminal or to the user of the recipient terminal, the identifier being intended to control access to the multimedia content by the recipient terminal, and a step of dispatching the file to at least the recipient terminal. The invention also relates to a corresponding transmission device. | 02-11-2016 |
20160044045 | SECURITY VERIFICATION METHOD, APPARATUS, SERVER AND TERMINAL DEVICE - A security verification method is provided. The method includes receiving a security verification request from a terminal device, sending verification information to the terminal device in response to the security verification request, and receiving first converted verification information from the terminal device. The first converted verification information may be generated by converting the verification information according to a preset verification rule. The method may further include determining whether the first converted verification information matches with second converted verification information. The second converted verification information may be generated by converting the verification information according to the preset verification rule. The method may further include determining that a user associated with the terminal device passes security verification if the first converted verification information matches with the second converted verification information. | 02-11-2016 |
20160044046 | SECURE, NON-DISRUPTIVE FIRMWARE UPDATING - Firmware updates for, e.g., thin client devices may be achieved in a seamless, non-disruptive manner using a two-stage firmware loader, including a base loader pre-installed on the device and a caching loader downloaded, by the base loader, from a firmware server and thereafter responsible for downloading and updating other firmware application packages. | 02-11-2016 |
20160044057 | Cyber Security Posture Validation Platform - A cyber security assessment platform is provided. The platform can assess the security posture of a network by deploying one or more scenarios to be executed on one or more assets on the network and analyzing the outcomes of the scenarios. A scenario can be configured to validate a device or network status, and/or mimic an unauthorized cyber-attack. Each scenario can include one or more phases defining an execution path. Related method, apparatus, systems, techniques and articles are also described. | 02-11-2016 |
20160044060 | POLICY SYNCHRONIZATION FOR MULTIPLE DEVICES - Technologies are generally described for generating policies for multiple devices associated with a user. In some examples, one or more policies associated with a user may be accessed. The policies may pertain to one or more computing devices associated with the user. The capabilities of an additional computing device to be associated with the user may be determined. Based on the determined capabilities, which of the one or more policies are applicable to the additional computing device may be identified. Based on the identified policies, a default set of policies for the additional computing device may be automatically generated. | 02-11-2016 |
20160044062 | INFORMATION PROCESSING SYSTEM, INFORMATION PROCESSING APPARATUS, AND METHOD FOR CONTROLLING INFORMATION PROCESSING SYSTEM - An information processing system includes a first information processing apparatus for setting a security policy, and a second information processing apparatus subject to a function restriction according to the security policy set by the first information processing apparatus. The first information processing apparatus includes a generation unit generating forced data based on the security policy to set. The forced data includes a setting value for determining an operation of the second information processing apparatus and control information for controlling prohibition of a change of the setting value in the second information processing apparatus. The second information processing apparatus includes an application unit performing application processing for setting the setting value included in the forced data generated by the first information processing apparatus to the second information processing apparatus and enabling a prohibition control on a change of the setting value based on the control information about the setting value. | 02-11-2016 |
20160048685 | PROTECTED SHELL FOR RISK VALIDATION - On a computer system, a shell is invoked, through which a plurality of commands and/or scripts can be executed. Individual ones of the plurality of commands and/or scripts are validated. Given individual ones of the plurality of commands and/or scripts, for which the validation is successful, are executed via the shell. | 02-18-2016 |
20160050180 | PROXY DEVICE FOR A NETWORK OF DEVICES - A proxy device for a network of devices may include memory, a device status module, a data intercept module, a network interface, and an emulation module. The memory may be configured to store an emulation policy for emulating a device in a network, where the policy includes a status criterion that indicates a status of the device for which the policy applies. The device status module may be configured to monitor the status of the device. The data intercept module may be configured to intercept action requests directed to the device. The network interface may be configured to forward the intercepted action requests to the device when the status of the device fails to satisfy the status criterion. The emulation module may be configured to emulate the device, and respond to the action request without accessing the device, when the status of the device satisfies the status criterion. | 02-18-2016 |
20160050206 | ACCESS TO A SUBSET OF INFORMATION RELATIVE TO A USER - One embodiment described herein is a method comprising obtaining at least one sharing rule, each sharing rule associated with at least one subset of information and defined by at least one criterion to be verified in order to authorize making available to a consulter the associated subset of information, at least one criterion specifying at least one place of publication where the publisher must be situated and/or at least one place of consultation where a consulter must be situated. It may include obtaining a location of the publisher user and/or a location of the consulter, identification on the basis of the location or locations obtained of at least one information subset for which all the criteria of at least one associated sharing rule are satisfied, and making available, via a terminal of at least one consulter, at least one identified subset of information. | 02-18-2016 |
20160050214 | METHOD FOR AUTOMATICALLY APPLYING ACCESS CONTROL POLICIES BASED ON DEVICE TYPES OF NETWORKED COMPUTING DEVICES - Techniques for managing access control policies are described herein. According to one embodiment, access control policies (ACPs) and access control rules (ACRs) are downloaded from a management server to a network access device (NAD) over the Internet, where the network access device is one of a plurality of network access devices managed by the management server over the Internet. In response to a request from a network client device for entering a network, a device type of the network client device is detected and an ACP identifier is determined based on the device type using the ACRs. An ACP is selected from the ACPs based on the ACP identifier and enforced against the network client device. At least the selected ACP is reported to the management server to distribute the selected ACP to other network access devices. | 02-18-2016 |
20160050216 | CLOUD-BASED GATEWAY SECURITY SCANNING - Some embodiments of cloud-based gateway security scanning have been presented. In one embodiment, some data packets are received sequentially at a gateway device. The data packets constitute at least a part of a file being addressed to a client machine coupled to the gateway device. The gateway device forwards an identification of the file to a remote datacenter in parallel with forwarding the data packets to the client machine. The datacenter performs signature matching on the identification and returns a result of the signature matching to the gateway device. The gateway device determines whether to block the file from the client machine based on the result of the signature matching from the datacenter. | 02-18-2016 |
20160050222 | Modification of Computing Resource Behavior Based on Aggregated Monitoring Information - A computer system deploys monitoring agents that monitor the status and health of the computing resources. An analysis engine aggregates and analyzes event information from monitoring agents in order to support self-configuration, self-healing, self-optimization, and self-protection for managing the computer resources. If the analysis engine determines that a computing resource for a software application is approaching a critical status, the analysis engine may issue a command to that computing resource in accordance with a selected policy based on a detected event pattern. The command may indicate how the computing resource should change its behavior in order to minimize downtime for the software application as supported by that computing resource. The computer system may also support a distributed approach with a plurality of servers interacting with a central engine to manage the computer resources located at the servers. | 02-18-2016 |
20160050226 | IN-LINE FILTERING OF INSECURE OR UNWANTED MOBILE DEVICE SOFTWARE COMPONENTS OR COMMUNICATIONS - Techniques for in-line filtering of insecure or unwanted mobile components or communications (e.g., insecure or unwanted behaviors associated with applications for mobile devices (“apps”), updates for apps, communications to/from apps, operating system components/updates for mobile devices, etc.) for mobile devices are disclosed. In some embodiments, in-line filtering of apps for mobile devices includes intercepting a request for downloading an application to a mobile device; and modifying a response to the request for downloading the application to the mobile device. In some embodiments, the response includes a notification that the application cannot be downloaded due to an application risk policy violation. | 02-18-2016 |
20160050233 | APPLYING SECURITY POLICY TO AN APPLICATION SESSION - Applying a security policy to an application session, includes: recognizing the application session between a network and an application via a security gateway; determining by the security gateway a user identity of the application session using information about the application session; obtaining by the security gateway the security policy comprising network parameters mapped to the user identity; and applying the security policy to the application session by the security gateway. The user identity may be a network user identity or an application user identity recognized from packets of the application session. The security policy may comprise a network traffic policy and/or a document access policy mapped to the user identity, where the network traffic policy is applied to the application session. The security gateway may further generate a security report concerning the application of the security policy to the application session. | 02-18-2016 |
20160050234 | SEAMLESS AUTHENTICATION ACROSS MULTIPLE ENTITIES - A user may be authenticated by an identity provider (IdP) and an authentication agent (AA), producing a result. Proof of the authentication, such as a ticket for example, may be provided to the SP. The UE may be authenticated with another IdP and another authentication agent, producing an associated result. Proof of the authentication, such as another ticket for example, may be provided to the SP. One or more of the authentication agents may reside on an authentication entity besides the UE. A multi-factor authentication proxy (MFAP) may trigger the authentication agents to run authentication protocols and the MFAP may provide tickets to a client agent of the UE. A user may seamlessly transition between client agents on the same UE or between client agents on different UEs by leveraging authentications. | 02-18-2016 |
20160050253 | Asynchronous Message Passing - This specification describes technologies relating to software execution. A computing device includes a processor. An operating system includes an execution environment in which applications can execute computer-specific commands. A web-browser application includes a scripting environment for interpreting scripted modules. The web-browser application further includes a native environment in which native modules can execute computer-specific commands. The web-browser application further includes an interface between the scripting environment and the native environment. The interface includes functions to asynchronously pass data objects by value, from one of the scripting environment and the native environment, to the other of the scripting environment and the native environment. | 02-18-2016 |
20160050567 | Wireless Network System, Terminal Management Device, Wireless Relay Device, and Communications Method - Provided is a technology for allowing only a wireless terminal satisfying a security policy to be connected to an in-company network without causing a significant increase in costs. The terminal management device including a determination part communicating with a wireless terminal via a different communication network from the wireless network system, and determining whether or not the wireless terminal satisfies a predetermined security policy, and a connection information transmission part transmitting connection information for connection to the wireless relay device to the wireless terminal which is determined to satisfy the security policy by the determination part is provided in a wireless network system that includes a wireless access point device constituting an in-company network and connecting a wireless terminal for which predetermined connection information has been set. | 02-18-2016 |
20160055349 | CUSTOMER DATA MANAGEMENT FOR DATA ANALYTICS OUTSOURCING - A method of customer data management in data analytics outsourcing includes communicating to a third party service provider an anonymous customer identifier (customer ID) that is uniquely associated with a customer. The method includes receiving from the third party service provider a customer data query that references the customer using the customer ID and requests customer data. The method includes determining whether an access control policy allows disclosure of customer data requested in the customer data query. In response to the access control policy allowing disclosure of the requested customer data, the method includes accessing the requested customer data and communicating the requested customer data to the third party service provider. In response to the access control policy prohibiting disclosure of the requested customer data, the method includes denying the customer data query. | 02-25-2016 |
20160057150 | EVENT ANALYTICS FOR DETERMINING ROLE-BASED ACCESS - Embodiments of the present invention disclose a method, computer program product, and system for determining role-based access. In one embodiment, the method includes receiving an audit event for a restricted resource and a first user id associated with the audit event. The method further includes determining based at least in part on the audit event, a historical reference, the historical reference including at least one audit event associated with at least one user id. The method further includes determining access activity associated with the first user id. The method further includes determining based at least in part on the historical reference and the access activity, at least one recommended role for the first user id. | 02-25-2016 |
20160057161 | SYSTEM FOR SECURELY ACCESSING NETWORK ADDRESS, AND DEVICE AND METHOD THEREIN - Disclosed are a system for securely accessing a network address, and a device and a method therein. The system for securely accessing a network address comprises a terminal device and a security control server. The security control server stores security attributes of known network addresses. The terminal device comprises: a scanner, used for scanning a two-dimensional code; a decoder, used for decoding the two-dimensional code scanned by the scanner to obtain a network address corresponding to the two-dimensional code; a transmission interface, used for transmitting the network address to a security control server for check, and receiving a security attribute of the network address from the security control server; and a monitor, used for forbidding or allowing the connection of the network address according to the security attribute of the network address. | 02-25-2016 |
20160057168 | SYSTEM AND METHODS FOR EFFICIENT NETWORK SECURITY ADJUSTMENT - Various of the disclosed embodiments contemplate systems and methods for implementing network security without extensive remodeling of the network infrastructure. Rather than redesign a network topology to accommodate a plurality of firewall devices at the network periphery, various embodiments introduce localized access proxy systems, e.g., into an existing legacy network. Rule sets operating at the local proxies may ensure compliance with various security standards (e.g., PCI-DSS) without requiring an extensive overhaul of the network's connections. | 02-25-2016 |
20160057169 | APPARATUS AND METHOD - An apparatus includes a memory, and a processor coupled to the memory and configured to specify a communication source device that performs a plurality of traffic confirmations of communications with a plurality of first devices, and control to discard a plurality of first authentication requests for the plurality of first devices generated by the communication source device after performing the plurality of traffic confirmations of communications. | 02-25-2016 |
20160057170 | Network Session Management Based on Contextual Information - An access control module in an enterprise computing network receives contextual information of a first active network session at a first network endpoint and contextual information of a second active network session at a second network endpoint. The access control module is configured to evaluate the contextual information of one or more of the first or second network sessions based on one or more network policies to determine a policy action for enforcement on at least one of the first or second network endpoints. | 02-25-2016 |
20160063229 | HYBRID ADAPTIVE AUTHENTICATION SCORING SYSTEM - The present invention relates to a hybrid adaptive authentication scoring system. The system is a combination of rule- and case-based machine learning and also includes a human in the decision-making process whenever new cases are not found in the system database. Based on a defined policy that contains rules and user attributes, the system calculates a score that reflects the risk of each request made by the user for completing the system authentication request. This is a continuous learning process, and the user attributes define the score for each transaction in one or more combinations. | 03-03-2016 |
20160063260 | POLICY-BASED TECHNIQUES FOR MANAGING ACCESS CONTROL - A policy-based framework is described. This policy-based framework may be used to specify the privileges for logical entities to perform operations associated with an access-control element (such as an electronic Subscriber Identity Module) located within a secure element in an electronic device. Note that different logical entities may have different privileges for different operations associated with the same or different access-control elements. Moreover, the policy-based framework may specify types of credentials that are used by the logical entities during authentication, so that different types of credentials may be used for different operations and/or by different logical entities. Furthermore, the policy-based framework may specify the security protocols and security levels that are used by the logical entities during authentication, so that different security protocols and security levels may be used for different operations and/or by different logical entities. | 03-03-2016 |
20160063272 | SECURE VIRTUAL FILE MANAGEMENT SYSTEM - Virtual file management is disclosed. Managed content from multiple separate storage domains is organized into a virtual file system that maintains with respect to each of at least a subset of said separate storage domains information of storage domain specific file system primitives to perform primitive operations with respect to content stored in that storage domain. Policies are determined that apply to the managed content. Each policy indicates primitive operations permitted to be performed with respect to the managed content. Information comprising the virtual file system and the policies is provided to a client application on a mobile device. The client application is configured to provide access to the managed content in the virtual file system in a manner at least in part indicated in the policies, including by allowing the permitted primitive operations to be performed using said storage domain specific file system primitives. | 03-03-2016 |
20160065554 | Authentication Management - A method of managing authentication during a user session comprises the steps of operating a user session for a specific user, maintaining a user authentication level for the user session, monitoring one or more factors relating to the user's activity, applying one or more rules to the monitored factors, detecting that a rule has indicated the user's current authentication level is too high, and lowering the user's authentication level, without ending the user's session. | 03-03-2016 |
20160065557 | ELECTRONIC DEVICE AND METHOD FOR MANAGING RE-ENROLLMENT - The present disclosure relates to electronic devices and methods for managing re-enrollment. According to the present disclosure, a method for managing re-enrollment of an electronic device may comprise storing data necessary for re-enrollment to manage the electronic device, reading the stored data corresponding to any one of initialization of the electronic device and deletion of a pre-stored management agent, sending a request for information necessary for authentication using the read data, and receiving at least one of the information necessary for authentication and a management agent installation file received corresponding to the request. | 03-03-2016 |
20160065574 | USER MANAGEMENT FRAMEWORK FOR MULTIPLE ENVIRONMENTS ON A COMPUTING DEVICE - An environment manager in a computer executes multiple environments concurrently. A user management framework (UMF) virtual machine on the computer runs an authentication domain that supports user profile management of the multiple environments. | 03-03-2016 |
20160065575 | Communication Managing Method and Communication System - Disclosed are a communication managing method and a communication system. When an authentication of the user terminal is passed or the user information of the user terminal is changed, an AAA server sends the user information, including authorization information of the user terminal, to a service control server corresponding to the user terminal, and the service control server performs the policy control on the service of the user terminal according to the user information. The realization process is simple and easy to extend, which improves the processing efficiency and reduces the pressure on the service control server; meanwhile, in the above-mentioned scheme, the AAA server can send the user information to the service control server independently, and it is not required that the authentication server exist, so it can provide a wider application, provide a more flexible service development way for the operator, and further improve the processing efficiency. | 03-03-2016 |
20160065587 | METHODS AND SYSTEMS FOR A PORTABLE DATA LOCKER - The embodiments provide for binding files to an external drive, a secured external drive, or portable data locker. The files are bound in order to help restrict or to prevent access and modification by certain computers or users. Computers or users that are authorized or within the authorized domain are permitted full access. The files stored on the external drive may be bound in various ways. The files may be encapsulated in a wrapper that restricts the use and access to these files. The bound files may require execution of a specific application, plug-in, or extension. A computer may thus be required to execute program code that limits the use of the secured files. In one embodiment, the external drive provides the required program code to the computer. In other embodiments, the required program code may be downloaded from a network or provided by an external authority. | 03-03-2016 |
20160065595 | APPARATUS AND METHOD FOR PERFORMING REAL-TIME NETWORK ANTIVIRUS FUNCTION - An apparatus and method for performing a real-time network antivirus function, which can perform, at high speed, real-time antivirus scanning on a transmission file in a network to be protected and blocking of a malicious file. The apparatus includes a packet processing unit for parsing input packets and outputting a transmission data stream, a packet-based checksum calculation unit for calculating a checksum of the transmission data stream for each packet, and outputting a signature included in the transmission data stream when a last packet of the transmission data stream is input, a virus scanning unit for performing virus scanning based on the signature, a detection and blocking unit for blocking each input packet or transmitting it to a destination, based on the result of the virus scanning unit, and a caching unit for updating a blacklist, based on the result of the detection and blocking unit. | 03-03-2016 |
20160065616 | Multi Cloud Policy Enactment via Organizations to Cloud-Provider Partnerships - A method includes acts for establishing a subscription for an entity. The method includes receiving, at a cloud service provider, a request from an entity to establish a subscription. The request includes credentials for the entity that are not proper credentials for an organization associated with the entity that the entity should use to access services for the organization. The method further includes performing a corrective action based on detecting one or more factors to determine that the entity is associated with the organization. The method further includes providing services based on the corrective action. | 03-03-2016 |
20160065617 | IMAGE MONITORING FRAMEWORK - A computing platform may receive, from a network device, a message identifying data that was transmitted by a user device located in a private network associated with an organization. The network device may be located at a boundary between the private network and a public network. The data may include one or more images and may be destined for a network address associated with the public network. The computing platform may generate and store a record corresponding to the message. The computing platform may receive, from an analysis platform, data indicating whether the image(s) comprise content that violates a data leak prevention (DLP) policy of the organization. The computing platform may identify the record corresponding to the message and may update the record corresponding to the message to reflect whether the image(s) comprise content that violates the DLP policy of the organization. | 03-03-2016 |
20160065618 | Method and Apparatus for Automating Security Provisioning of Workloads - A method of automating security provisioning is provided. The method includes receiving a request to start a virtual application and determining an owner of the virtual application. The method includes determining a workload based on the virtual application, the workload including an application and a virtual machine and assigning the workload to a security container or sub-container, among a plurality of security containers, based on the owner of the virtual application. | 03-03-2016 |
20160065619 | Distributed Multi-Processing Security Gateway - A system and method for a distributed multi-processing security gateway establishes a host side session, selects a proxy network address for a server, uses the proxy network address to establish a server side session, receives a data packet, assigns a central processing unit core from a plurality of central processing unit cores in a multi-core processor of the security gateway to process the data packet, processes the data packet according to security policies, and sends the processed data packet. The proxy network address is selected such that a same central processing unit core is assigned to process data packets from the server side session and the host side session. By assigning central processing unit cores in this manner, higher capable security gateways are provided. | 03-03-2016 |
20160065620 | NETWORK MALICIOUSNESS SUSCEPTIBILITY ANALYSIS AND RATING - Network security and robustness is analyzed by developing correlations among network maliciousness observations to determine attack susceptibility. Network traffic is analyzed at the autonomous system (AS) level, among connected Internet Protocol (IP) routing prefixes, to identify these observations. The traffic is monitored for any of a number of specified mismanagement metrics. Correlations among these metrics are determined and a unified network mismanagement metric is developed, indicating network susceptibility to potentially malicious attack. | 03-03-2016 |
20160065621 | Generating Accurate Preemptive Security Device Policy Tuning Recommendations - An approach is provided for determining a likelihood of an attack on a first computer system of a first business. Characteristics of the first business and a second business are determined. The second business has a second computer system currently or recently under attack. The characteristics include respective industries, sizes, geographical locations, types of sensitive data, and security vulnerabilities associated with the first and second businesses or first and second computer systems, an address of traffic through a device in the first computer system, and an address of an entity responsible for the attack on the second computer system. Based on a similarity between the characteristics of the first and second businesses, a likelihood that the entity responsible for the attack on the second computer system will attack the first computer system of the first business is determined. | 03-03-2016 |
20160070905 | SYSTEMS AND METHODS FOR DETECTING ATTEMPTS TO TRANSMIT SENSITIVE INFORMATION VIA DATA-DISTRIBUTION CHANNELS - The disclosed computer-implemented method for detecting attempts to transmit sensitive information via data-distribution channels may include (1) identifying an attempt to transmit a file through a data-distribution channel, (2) comparing, using an image-matching technique, the file with at least one known sensitive file that is both stored in an image format and protected by a data-loss-prevention policy, (3) determining, based on the results of the image-matching technique, that the file violates the data-loss-prevention policy, and (4) performing a security action in response to determining that the file violates the data-loss-prevention policy. Various other methods, systems, and computer-readable media are also disclosed. | 03-10-2016 |
20160070907 | Malicious Mobile Code Runtime Monitoring System and Methods - Protection systems and methods provide for protecting one or more personal computers (“PCs”) and/or other intermittently or persistently network accessible devices or processes from undesirable or otherwise malicious operations of Java™ applets, ActiveX™ controls, JavaScript™ scripts, Visual Basic scripts, add-ins, downloaded/uploaded programs or other “Downloadables” or “mobile code” in whole or part. A protection engine embodiment provides for monitoring information received, determining whether received information does or is likely to include executable code, and if so, causes mobile protection code (MPC) to be transferred to and rendered operable within a destination device of the received information. An MPC embodiment further provides, within a Downloadable-destination, for initiating the Downloadable, enabling malicious Downloadable operation attempts to be received by the MPC, and causing (predetermined) corresponding operations to be executed in response to the attempts. | 03-10-2016 |
20160070922 | MANAGING APPLICATIONS IN NON-COOPERATIVE ENVIRONMENTS - The present invention extends to methods, systems, and computer program products for managing applications in non-cooperative environments. Embodiments of the invention provide the ability to manage non-cooperative applications and operating systems. For example, applications and operating systems at a user's (e.g., an information worker's) personal device (e.g., smartphone) can be appropriately managed to provide more secure access to a corporate IT infrastructure. An IT worker can programmatically repackage an application, deploy it to a user's personal device, and manage the user's ability to use the application through policy. | 03-10-2016 |
20160070928 | System for and Method of Controllably Disclosing Sensitive Data - System and method of producing a collection of possibilities that agree on information that must be disclosed (disclosable information) and disagree with a sufficient degree of diversity as defined by a policy to protect the sensitive information. A policy defines: what information is possible, what information the recipient would believe, what information is sensitive (to protect), what information is disclosable (to share) and sufficiency conditions that specify the degree of ambiguity required to consider the sensitive information protected. A formalism is utilized that provably achieves these goals for a variety of structured datasets including tabular data such as spreadsheets or databases as well as annotated graphs. The formalism includes the ability to generate a certificate that proves a disclosure adheres to a policy. This certificate is produced either as part of the protection process or separately using an altered process. | 03-10-2016 |
20160072812 | System And Method For Implementing A Two-Person Access Rule Using Mobile Devices - A system using mobile devices and a network provides access authentication, authorization and accounting to computing resources using a two-person access rule solution approach. A central access control server coordinates a rule-based authorization process in which a requesting user and one or more authorizing users are engaged in real-time communications to facilitate approved access to a sensitive resource. The technique utilizes mobile cellular interfaces and location service technologies, while also providing traditional security control measures of voice and visual verification of user identities. | 03-10-2016 |
20160072813 | ENTERPRISE-SPECIFIC FUNCTIONALITY WATERMARKING AND MANAGEMENT - Embodiments for enterprise-specific functionality watermarking and management are provided. A request, originated in response to an attempt to perform an enterprise function on a client device, can be received by at least one computing device over a network, where the enterprise function is associated with a remotely-stored compliance rule. At least one watermark template can be identified from a plurality of available watermark templates based at least in part on the enterprise function, and a communication can be generated that, when received by the client device, authorizes the client device to: perform the enterprise function where at least one resource is generated or modified, and apply the at least one watermark template to the at least one resource such that performing the enterprise function complies with the compliance rule. | 03-10-2016 |
20160072814 | PROVISIONING SYSTEM-LEVEL PERMISSIONS USING ATTRIBUTE-BASED ACCESS CONTROL POLICIES - A permissions provisioning module includes a data adapter and a permissions calculator associated with a policy evaluator operable to evaluate an ABAC policy. The module is adapted to interact with a computer system including resources, metadata and an access control mechanism enforcing, in respect of each resource, an access control list associated with the resource. In operation, the data adapter receives metadata for said computer system and assigns values to attributes in the policy based on the metadata. The permissions calculator queries the policy evaluator on combinations of resources and principals of the system using the attribute values thus assigned, and returns permission data. The data adapter formats said permission data into ACLs, for deployment in the computer system. | 03-10-2016 |
20160072823 | USING MULTIPLE CREDENTIALS FOR ACCESS AND TRAFFIC DIFFERENTIATION - The disclosure relates in some aspects to establishing connectivity with a network using a first set of credentials and determining whether additional connectivity needs to be established (e.g., using a second set of credentials) to communicate data. The disclosure relates in some aspects to the use of multiple credentials for access and service connectivity. For example, traffic generated by a device may be authorized based on a different set of credentials than the set of credentials used to access the network (e.g., to connect to an LTE network for a PDN connection). In this way, traffic belonging to a specific service or application can be charged and policed based on service specific needs. The disclosure thus relates in some aspects to the use of access credentials and service credentials. These different types of credentials can be used to enable traffic differentiation and policing based on the credentials in use. | 03-10-2016 |
20160072825 | Mobile Station Comprising Security Resources with Different Security Levels - The invention provides a mobile station comprising a mobile end device, security resources, and a discovery module implemented in the mobile station, with which the security resources of the mobile station are discoverable, at least one security level of the mobile station that is achievable by means of the security resources is derivable, and derived security levels of the mobile station can be output. Further, an application loading system having such a mobile station, and a risk assessment system for mobile stations, are stated. | 03-10-2016 |
20160072831 | SYSTEMS AND METHODS FOR NETWORK ANALYSIS AND REPORTING - Among other things, embodiments of the present disclosure can collect and analyze asset and network data from multiple sources, and use such data to present a more complete and accurate representation of the network connections between various systems and software applications and the policies dictating the operation of security controls on a network compared to conventional systems. | 03-10-2016 |
20160072834 | DEVICE ACTIVITY AND DATA TRAFFIC SIGNATURE-BASED DETECTION OF MOBILE DEVICE HEALTH - The subject matter described herein includes methods, systems, and computer program products for data traffic signature-based detection and protection against malware. According to one method, data traffic and behavior associated with a computing device is monitored and a device activity signature is created that includes an abstraction of the data traffic. A classification of the device activity signature is determined and a policy decision for the computing device is applied based on the determined classification. | 03-10-2016 |
20160072839 | FACILITATING DYNAMIC MANAGEMENT OF PARTICIPATING DEVICES WITHIN A NETWORK IN AN ON-DEMAND SERVICES ENVIRONMENT - In accordance with embodiments, there are provided mechanisms and methods for facilitating dynamic management of devices participating in a network in an on-demand services environment in a multi-tenant environment according to one embodiment. In one embodiment and by way of example, a method includes receiving, by and incorporating into a database system, a policy document relating to a first computing device over a network, the network including Internet of Things (“IoT”), verifying, by the database, the first computing device based on contents of the policy document, and authorizing, by the database, the first computing device to participate within the network, where participating includes performing one or more tasks within the network on behalf of a user and in accordance with the policy document. | 03-10-2016 |
20160072840 | Real-Time Security Monitoring Using Cross-Channel Event Processor - Aspects described herein provide systems and methods for computer system security monitoring. Multiple event monitoring agents may be deployed across an enterprise-wide computing system such that each event monitoring agent monitors at least one event generator of the enterprise-wide computing system. The event monitoring agents may be connected to an event processing server. The event processing server may receive event information generated by the event monitoring agents that describe events occurring at the event generators. The event processing server may perform a security analysis on at least a portion of the event information received that includes applying a security policy to the event information. The event processing server may execute a security response based on the security analysis performed such as, for example, a response specified in the security policy applied. | 03-10-2016 |
20160072841 | COLLABORATION FOR NETWORK-SHARED DOCUMENTS - Disclosed are various embodiments for facilitating collaboration among users for network-shared documents. A computing environment can identify that a particular identifier was used in a communication regarding a file being accessible on various client devices. A suitable task to perform in association with at least one of the plurality of client devices can be identified based on the identifier and a determination can be made whether performance of the task would comply with at least one compliance rule. In response to the performance of the task complying with the at least one compliance rule, the task can be performed. | 03-10-2016 |
20160072842 | MAINTAINING RULE COHERENCY FOR APPLICATIONS - The disclosure describes a system and method for maintaining network access rules for device applications using a state graph of the device application. A rules update agent generates a state graph by recursively exercising internal state transitions and recording network locations of a corresponding resource server associated with the state transition. The internal states of the application are reflected as nodes in the state graph. A rule list is generated from the state graph to identify which states have access to which resource servers. The rules update agent is also configured to dynamically generate a truncated state graph from which a transitory rule list is generated. | 03-10-2016 |
20160072843 | Policy-Based Control Layer in a Communication Fabric - Presented herein are techniques for adding a secure control layer to a distributed communication fabric that supports publish-subscribe (pub-sub) and direct query (synchronization) communication. The secure control layer is configured to perform policy-based authentication techniques to securely manage the exchange of data/information within the communication fabric and enable registration/discovery of new capabilities. | 03-10-2016 |
20160072844 | METHOD AND SYSTEM FOR PROTECTING DATA FLOW AT A MOBILE DEVICE - A method and system for evaluating and enforcing a data flow policy at a mobile computing device includes a data flow policy engine to evaluate data access requests made by security-wrapped software applications running on the mobile device and prevent the security-wrapped software applications from violating the data flow policy. The data flow policy defines a number of security labels that are associated with data objects. A software application process may be associated with a security label if the process accesses data having the security label or the process is in communication with another process that has accessed data having the security label. | 03-10-2016 |
20160072845 | METHOD AND APPARATUS FOR PROVIDING AUTHENTICATION USING POLICY-CONTROLLED AUTHENTICATION ARTICLES AND TECHNIQUES - A method and apparatus provides first or second factor authentication by providing selectability of a plurality of second factor authentication policies associated with a second factor authentication article. The first or second factor authentication article includes authentication information, such as a plurality of data elements in different cells or locations on the authentication article, which can be located by using corresponding location information. The method and apparatus provides second factor authentication based on the first or second factor authentication article by enforcing at least one of the plurality of selected authentication policies. | 03-10-2016 |
20160072847 | INTERNET MEDIATION - A system for mediating Internet service includes a DNS server and a DNS policy engine associated with the DNS server. The DNS policy engine can be configured to apply one or more DNS policies selected by the DNS policy engine to DNS queries received by the DNS server from a client, analyze the DNS query based on predetermined criteria, and based on the analysis, and selectively redirect a data request associated with the client to a proxy server for further mediation. The system can further include a proxy server and a proxy policy engine associated with the proxy server. The proxy policy engine can be configured to apply one or more proxy policies selected by the proxy policy engine to at least one of data requests received by the proxy server from a client and data responses returned to the proxy server from an IP address. | 03-10-2016 |
20160072848 | DETECTING AND MANAGING ABNORMAL DATA BEHAVIOR - Methods and systems for providing destination-specific network management are described. One example method includes determining a normal data movement profile for a computing device based on observed normal data transfer behavior by the computing device; identifying a data movement rule associated with the computing device, the data movement rule including a deviation amount, and one or more actions to take when the computing device deviates from the normal data movement profile by more than the deviation amount; detecting a data movement associated with the computing device; determining that the detected data movement exceeds the deviation amount included in the data movement rule relative to the normal data movement profile for the computing device; and performing the one or more actions associated with the data movement rule upon determining that the data movement violates the data movement rule. | 03-10-2016 |
20160072849 | DETERMINING SECURITY FACTORS ASSOCIATED WITH AN OPERATING ENVIRONMENT - Embodiments of the present invention disclose a method, computer program product, and system for determining security factors associated with an operating environment for a computer through a wireless network. The computer identifies one or more local computers operating within range of wireless communications to the computer through a wireless network. The computer determines a current operating environment corresponding to the one or more identified local computers. The computer determines a current security value for the current operating environment corresponding to identities and security of the identified local computers. The computer identifies data corresponding to the current operating environment, the data corresponding to a current time period of the current operating environment. The computer determines security information corresponding to the current operating environment, wherein the security information includes a familiarity of the computer to the current operating environment, and a historical security of the computer in the current operating environment. | 03-10-2016 |
20160078208 | DEVICE AND MANAGEMENT MODULE - A device holding control target data inside includes a state management unit configured to manage the present life cycle state of the device; a user authentication unit configured to authenticate a user and output a group of the user; and an access control unit configured to acquire a present life cycle state when an access request to access the control target data is received, acquire the group of the authenticated user, acquire access possibility information based on the present life cycle state and the group of the user, and control access to the control target data based on the access possibility information. The state management unit manages a fixed life cycle state, and a variable life cycle state that can be added, changed, or deleted, and the access control unit implements control on the fixed life cycle state before the variable life cycle state. | 03-17-2016 |
20160078220 | POLICY ENFORCEMENT IN A TOPOLOGY ABSTRACTION SYSTEM - A capability for providing policy enforcement in a topology abstraction system is presented. The capability for providing policy enforcement in a topology abstraction system may support use of topology abstraction policies to control abstraction of topology information of a topology (e.g., a network topology of a communication network or any other suitable type of topology). The capability for providing policy enforcement in a topology abstraction system providing an abstract representation of a topology may support use of topology abstraction policies to control selection (or acceptance) of topology elements for inclusion within the abstract representation of a topology and filtering (or rejection) of topology elements from being included within the abstract representation of a topology. The capability for providing policy enforcement in a topology abstraction system providing an abstract representation of a topology may support use of topology abstraction policies to control clustering of topology elements selected for inclusion within the abstract representation of the topology. | 03-17-2016 |
20160078235 | DEVICE AND MANAGEMENT MODULE - A device holding control target data includes a management unit configured to manage the present life cycle state of the device; an authentication unit configured to authenticate a user and indicate a role of the user; a control unit configured to acquire a present life cycle state when a request to access the control target data is received, authenticate the user and acquire the role, acquire access possibility information based on the present life cycle state and the role, and control the access based on the access possibility information; and a prohibiting unit configured to compare a position/time allowed in operation plan information with a present position/time, and prohibit the access when these information items do not match, based on the operation plan information in which life cycle states are associated with positions and times that are allowed for state transitions of the life cycle states. | 03-17-2016 |
20160078236 | SYSTEM AND METHOD FOR PROGRAMMABLY CREATING AND CUSTOMIZING SECURITY APPLICATIONS VIA A GRAPHICAL USER INTERFACE - A system and method for programmably creating a security application via a graphical user interface. The method comprises: causing a display of a service stage GUI window including at least one security phase zone; receiving a selection of at least one security service including at least one security decision engine (SDE); causing a display of an event rule stage window including at least one event rule parameters zone; receiving a selection of at least one event rule related to the at least one SDE; causing a display of an event relationship stage GUI window including at least one rule selection zone; receiving a selection of at least one workflow rule and at least one action; and configuring the security application based on the selected at least one workflow rule and the selected at least one action. | 03-17-2016 |
20160078247 | SECURITY EVALUATION SYSTEMS AND METHODS FOR SECURE DOCUMENT CONTROL - A system may be broken down into one or more components. Each of the components may be evaluated to ascribe a security score to each of the components. A composite security score may be generated for the system based on the security scores and a rate of decay measure characterizing a probabilistic security degradation of the system. The rate of decay measure may be applied to the composite security score to obtain a current composite security score. The composite security score may be used to control access to a document, either alone or in addition to other criteria. | 03-17-2016 |
20160080322 | PARENTAL CONTROL MANAGEMENT AND ENFORCEMENT BASED ON HARDWARE IDENTIFIERS - A device may receive a first indication that a user device connected to a first network device associated with a first network, the first indication including a hardware identifier associated with the user device; identify a policy set associated with the hardware identifier; and output the policy set to the first network device. The outputting may cause the first network device to filter traffic, transmitted via the first network device and destined for the user device, in accordance with the policy set. The device may receive a second indication that the user device has connected to a second network device associated with a second network; and output the policy set to the second network device. The outputting may cause the second network device to filter traffic, transmitted via the second network device and destined for the user device, in accordance with the policy set. | 03-17-2016 |
20160080324 | Auto-detection of web-based application characteristics for reverse proxy enablement - This disclosure describes an automated process of discovering characteristics needed to integrate a web-based application to a web portal, such as a reverse proxy. This process eliminates the need for application owners and security analysts to manually discover the information needed for the on-boarding process. To this end, application-specific information is determined by monitoring network traffic flows in and out of the application, user authentication and authorization event data, and the like. An application discovery engine analyzes the discovered data, preferably against a set of patterns and heuristic-based rules, to discover or identify the one or more application characteristics. A set of configuration data is then generated, and this configuration data is then used to integrate the application into the web reverse proxy and, in particular, by specifying the configuration needed to “board” the application. Preferably, the monitoring and application characterization determination functions occur in an automated manner. | 03-17-2016 |
20160080392 | IMPLEMENTING SECURITY IN A SOCIAL APPLICATION - Implementing security in social applications includes inferring a closeness level of a connection to a user's profile of a social application based on a closeness policy and implementing a security level individualized to the connection based on the closeness level. | 03-17-2016 |
20160080393 | ALLOWING VARIED DEVICE ACCESS BASED ON DIFFERENT LEVELS OF UNLOCKING MECHANISMS - Systems and methods may provide for receiving runtime input from one or more unlock interfaces of a device and selecting a level of access with regard to the device from a plurality of levels of access based on the runtime input. The selected level of access may have an associated security policy, wherein an authentication of the runtime input may be conducted based on the associated security policy. In one example, one or more cryptographic keys are used to place the device in an unlocked state with regard to the selected level of access if the authentication is successful. If the authentication is unsuccessful, on the other hand, the device may be maintained in a locked state with regard to the selected level of access. | 03-17-2016 |
20160080397 | Method and System for Forensic Data Tracking - The present invention relates to a method and system for tracking the movement of data elements as they are shared and moved between authorized and unauthorized devices and among authorized and unauthorized users. | 03-17-2016 |
20160080401 | METHOD AND SYSTEM FOR DETECTING UNAUTHORIZED ACCESS ATTACK - A method is provided for detecting an unauthorized access attack. The detecting method includes obtaining at least one HTTP request and at least one URL address of the HTTP request by parsing the HTTP request; determining whether there exist one or more protection rules corresponding to the URL address; and, when it is determined that the protection rules corresponding to the URL address exist, obtaining access data of the HTTP request. The detecting method also includes determining whether the access data satisfies the protection rules; and, when it is determined that the access data does not satisfy the protection rules, determining the corresponding HTTP request of the URL address to be an unauthorized access attack. | 03-17-2016 |
20160080412 | EVENT DRIVEN ROUTE CONTROL - Embodiments provide system and methods for a DDoS service using a mix of mitigation systems (also called scrubbing centers) and non-mitigation systems. The non-mitigation systems are less expensive and thus can be placed at or near a customer's network resource (e.g., a computer, cluster of computers, or entire network). Under normal conditions, traffic for a customer's resource can go through a mitigation system or a non-mitigation system. When an attack is detected, traffic that would have otherwise gone through a non-mitigation system is re-routed to a mitigation system. Thus, the non-mitigation systems can be used to reduce latency and provide more efficient access to the customer's network resource during normal conditions. Since the non-mitigation servers are not equipped to respond to an attack, the non-mitigation systems are not used during an attack, thereby still providing protection to the customer network resource using the mitigation systems. | 03-17-2016 |
20160080417 | LABELING COMPUTING OBJECTS FOR IMPROVED THREAT DETECTION - Threat detection instrumentation is simplified by providing and updating labels for computing objects in a context-sensitive manner. This may include simple labeling schemes to distinguish between objects, e.g., trusted/untrusted processes or corporate/private data. This may also include more granular labeling schemes such as a three-tiered scheme that identifies a category (e.g., financial, e-mail, game), static threat detection attributes (e.g., signatures, hashes, API calls), and explicit identification (e.g., what a file or process calls itself). By tracking such data for various computing objects and correlating these labels to malware occurrences, rules can be written for distribution to endpoints to facilitate threat detection based on, e.g., interactions of labeled objects, changes to object labels, and so forth. In this manner, threat detection based on complex interactions of computing objects can be characterized in a platform independent manner and pre-processed on endpoints without requiring significant communications overhead with a remote threat management facility. | 03-17-2016 |
20160080418 | NORMALIZED INDICATIONS OF COMPROMISE - Threat detection instrumentation is simplified by providing and updating labels for computing objects in a context-sensitive manner. This may include simple labeling schemes to distinguish between objects, e.g., trusted/untrusted processes or corporate/private data. This may also include more granular labeling schemes such as a three-tiered scheme that identifies a category (e.g., financial, e-mail, game), static threat detection attributes (e.g., signatures, hashes, API calls), and explicit identification (e.g., what a file or process calls itself). By tracking such data for various computing objects and correlating these labels to malware occurrences, rules can be written for distribution to endpoints to facilitate threat detection based on, e.g., interactions of labeled objects, changes to object labels, and so forth. In this manner, threat detection based on complex interactions of computing objects can be characterized in a platform independent manner and pre-processed on endpoints without requiring significant communications overhead with a remote threat management facility. | 03-17-2016 |
20160080419 | DATA BEHAVIORAL TRACKING - Threat detection instrumentation is simplified by providing and updating labels for computing objects in a context-sensitive manner. This may include simple labeling schemes to distinguish between objects, e.g., trusted/untrusted processes or corporate/private data. This may also include more granular labeling schemes such as a three-tiered scheme that identifies a category (e.g., financial, e-mail, game), static threat detection attributes (e.g., signatures, hashes, API calls), and explicit identification (e.g., what a file or process calls itself). By tracking such data for various computing objects and correlating these labels to malware occurrences, rules can be written for distribution to endpoints to facilitate threat detection based on, e.g., interactions of labeled objects, changes to object labels, and so forth. In this manner, threat detection based on complex interactions of computing objects can be characterized in a platform independent manner and pre-processed on endpoints without requiring significant communications overhead with a remote threat management facility. | 03-17-2016 |
20160080420 | USING INDICATIONS OF COMPROMISE FOR REPUTATION BASED NETWORK SECURITY - Threat detection instrumentation is simplified by providing and updating labels for computing objects in a context-sensitive manner. This may include simple labeling schemes to distinguish between objects, e.g., trusted/untrusted processes or corporate/private data. This may also include more granular labeling schemes such as a three-tiered scheme that identifies a category (e.g., financial, e-mail, game), static threat detection attributes (e.g., signatures, hashes, API calls), and explicit identification (e.g., what a file or process calls itself). By tracking such data for various computing objects and correlating these labels to malware occurrences, rules can be written for distribution to endpoints to facilitate threat detection based on, e.g., interactions of labeled objects, changes to object labels, and so forth. In this manner, threat detection based on complex interactions of computing objects can be characterized in a platform independent manner and pre-processed on endpoints without requiring significant communications overhead with a remote threat management facility. | 03-17-2016 |
20160080421 | Contextually Aware Device Management - Contextually aware device management techniques are described. Identifying data is provided via a communication connection by a client device to a service provider via a network that is usable by the service provider to identify the client device or functionality of the client device. One or more contexts are received at the client device from the service provider via the network that correspond to the identifying data. Each of the one or more contexts includes management objects along with one or more triggers configured to cause the context to transition to a corresponding one of a plurality of context states and thereby cause performance of one or more actions corresponding to the context state. The one or more contexts are implemented locally by the client device effective to identify and perform the one or more actions corresponding to the context state by the client device based on identification of the one or more triggers without use of network communication by the client device. | 03-17-2016 |
20160080423 | IMEI BASED LAWFUL INTERCEPTION FOR IP MULTIMEDIA SUBSYSTEM - The present invention addresses method, apparatus and computer program product for enabling International Mobile Equipment Identifier based Lawful Interception for Internet Protocol IP Multimedia Subsystem, VoLTE and beyond systems. Thereby, an International Mobile Equipment Identifier allocated to a User Equipment and verified by an Evolved Packet Core is transmitted from a Mobility Management Entity to a Packet Gateway, the International Mobile Equipment Identifier is transmitted to a Proxy Call State Control Function via Policy and Charging Rules Function within the Policy and Charging Control procedures at Internet Protocol Multimedia Subsystem registration, and the International Mobile Equipment Identifier is transmitted to a Serving Call State Control Function at call set-up. | 03-17-2016 |
20160080424 | APPARATUS AND METHOD FOR REESTABLISHING A SECURITY ASSOCIATION USED FOR COMMUNICATION BETWEEN COMMUNICATION DEVICES - A communication apparatus monitors a communication situation of a communication performed using each of a plurality of security associations established between the communication apparatus and a counterpart apparatus, and stores information indicating the communication situation. When a first security association in the plurality of security associations is disconnected, the communication apparatus determines whether the counterpart apparatus uses the disconnected first security association, based on the information. When the counterpart apparatus uses the first security association, the communication apparatus reestablishes a second security association which supersedes the first security association. | 03-17-2016 |
20160080425 | Content-Aware Firewalling, Policy Regulation, and Policy Management for Industrial Automation, Machine To Machine Communications, and Embedded Devices - In one embodiment, a processor-implemented method for controlling network traffic to and/or from at least one industrial machine, including: (a) receiving, as input, (i) a stored policy object in language form defining at least one desired behavior and/or operational constraint for the at least one industrial machine, and (ii) a stored machine profile defining an association between the language of the stored policy object and at least one control signal or instruction for the at least one industrial machine; (b) detecting, in network traffic to and/or from the at least one industrial machine, a transaction; (c) applying the received policy object and machine profile to the detected transaction to determine whether a desired behavior exists and/or whether an operational constraint is satisfied; and (d) modifying network traffic to and/or from the at least one industrial machine based on the determination in step (c). This permits expression and enforcement of constraints on actual industrial machine behaviors by filtering, modifying or blocking network communications (e.g., control signals and telemetry) that violate constraints or could cause unsafe or inefficient operation. | 03-17-2016 |
20160080427 | SYSTEM, ARRANGEMENTS AND METHODS RELATING TO ACCESS HANDLING - A core network access packet data node and a core network access edge node are described herein. The core network access packet data node and/or the core network access edge node is/are adapted to hold or receive access priority related information comprising a subscriber related access allocation priority parameter relating to a subscriber requesting a network resource. Further, the core network access packet data node and/or the core network access edge node is/are adapted to have a preliminary access decision unit being provided for deciding if a network resource request is to be handled. Moreover, the core network access packet data node and/or the core network access edge node is/are adapted to have a final decision unit being provided for making a final decision relating to grant/rejection of a request to be handled, i.e. given preliminary access. | 03-17-2016 |
20160085984 | LEVERAGING DIGITAL SECURITY USING INTELLIGENT PROXIES - A method for protecting data is disclosed that protects not only who may access data but also how it is used. This invention uses an intelligent proxy which controls access to protected data using any of a variety of already existing security measures and is also the only object capable of making use of the data so that the data may not be copied or otherwise used in any manner inconsistent with the design of a data protection scheme chosen to meet security needs. | 03-24-2016 |
20160085986 | SYSTEM AND METHOD OF FRAUD AND MISUSE DETECTION USING EVENT LOGS - A system and method are provided for detecting fraud and/or misuse of data in a computer environment through generating a rule for monitoring at least one of transactions and activities that are associated with the data. The rule can be generated based on one or more criteria related to the at least one of the transactions and the activities that is indicative of fraud or misuse of the data. The rule can be applied to the at least one of the transactions and the activities to determine if an event has occurred, where the event occurs if the at least one criteria has been met. A hit is stored if the event has occurred and a notification can be provided if the event has occurred. A compilation of hits related to the rule can be provided. | 03-24-2016 |
20160087943 | METHOD AND APPARATUS FOR OPTIMIZING HYPERTEXT TRANSFER PROTOCOL ("HTTP") UNIFORM RESOURCE LOCATOR ("URL") FILTERING SERVICE - A method for handling hyper-text transfer protocol (“HTTP”) requests from client devices is disclosed. The method comprises receiving an HTTP request from a client device to connect to a destination server. It further comprises extracting a plurality of HTTP headers from the HTTP request using a gateway device in accordance with a user defined configuration to create a subset of the request. Next, it comprises forwarding the subset to an external security device from the gateway device to perform URL policy processing using the request. Finally, it comprises based on a received result of the URL policy processing, transmitting the client request to the destination server. | 03-24-2016 |
20160087953 | METHOD TO MODIFY ANDROID APPLICATION LIFE CYCLE TO CONTROL ITS EXECUTION IN A CONTAINERIZED WORKSPACE ENVIRONMENT - Methods, devices, and systems are described to modify the life cycle of a Google Android® application, in its application manifest file and byte code, such that the execution of the application can be controlled via policies and security governed by a workspace application installed on an Android-based device. Dummy wrapper classes are inserted into the byte code for network and I/O system calls that call security code before calling the original classes. | 03-24-2016 |
20160087957 | MULTI-FACTOR AUTHENTICATION TO ACHIEVE REQUIRED AUTHENTICATION ASSURANCE LEVEL - As users gain access to different services, the grade of the services may vary, for example, from low value services to high value services. A low value may indicate that a low strength of authentication is required, while a high value may indicate that a high strength of authentication is required to access the service. There is disclosed a method for authenticating a device comprising the determination ( | 03-24-2016 |
20160087963 | ESTABLISHING SECURE COMPUTING DEVICES FOR VIRTUALIZATION AND ADMINISTRATION - Embodiments are directed to establishing a secure connection between computing systems and to providing computer system virtualization on a secure computing device. In one scenario, a computer system receives a request that at least one specified function be initiated. The request includes user credentials and a device claim that identifies the computing device. The computer system authenticates the user using the received user credentials and determines, based on the device claim, that the computing device is an approved computing device that has been approved to initiate performance of the specified function. Then, upon determining that the user has been authenticated and that the computing device is approved to initiate performance of the specified function, the computer system initiates performance of the specified function. | 03-24-2016 |
20160087988 | Detection and Management of Unauthorized Use of Cloud Computing Services - Concepts and technologies disclosed herein are for detecting and managing unauthorized use of cloud computing services from within an internal network of a business or other organization. A computer system may be configured to identify a plurality of Web resources that have been accessed by computing devices from within the internal network. The computer system may also be configured to obtain Internet protocol (“IP”) information from a network component of the internal network. The IP information may be used to determine whether each of the plurality of Web resources is a cloud computing service resource. The computer system may also be configured to block access to a cloud computing service resource of the plurality of Web resources upon determining that the IP information identifies the cloud computing service resource as being unauthorized. | 03-24-2016 |
20160087993 | Selectively Managing Datasets - Selectively wiping data. A method includes identifying a plurality of datasets on a device. The method further includes identifying one or more datasets, on a dataset basis, from among the plurality of datasets that are managed datasets associated with a particular user account by being associated with an account identifier for the particular user account at a data structure external to the device. The managed datasets are associated with a particular user account by being associated with an account identifier for the particular user account. The method further includes receiving an indication that managed data associated with the particular user account should be wiped from the device. The method further includes wiping the one or more datasets that are identified as being managed datasets associated with a particular user account while not wiping datasets from the plurality of datasets that are not associated with the particular user account. | 03-24-2016 |
20160088002 | INTEGRATED NETWORK INTRUSION DETECTION - Intrusion preludes may be detected (including detection using fabricated responses to blocked network requests), and particular sources of network communications may be singled out for greater scrutiny, by performing intrusion analysis on packets blocked by a firewall. An integrated intrusion detection system uses an end-node firewall that is dynamically controlled using invoked-application information and a network policy. The system may use various alert levels to trigger heightened monitoring states, alerts sent to a security operation center, and/or logging of network activity for later forensic analysis. The system may monitor network traffic to block traffic that violates the network policy, monitor blocked traffic to detect an intrusion prelude, and monitor traffic from a potential intruder when an intrusion prelude is detected. The system also may track behavior of applications using the network policy to identify abnormal application behavior, and monitor traffic from an abnormally behaving application to identify an intrusion. | 03-24-2016 |
20160088005 | METHOD AND SYSTEM FOR RISK-ADAPTIVE ACCESS CONTROL OF AN APPLICATION ACTION - Risk-adaptive access control techniques are disclosed. In various embodiments, a value for a threat level attribute is determined based at least in part on threat detection data generated by a security system or process. The determined value for the threat level attribute is used to make, at least in part, an access control decision with respect to a request to access the resource. In various embodiments, the threat level attribute is used as an environment attribute provided as input to an XACML-based access control system. | 03-24-2016 |
20160088016 | Policy Application for Multi-Identity Apps - Controlling application behavior in the context of managed accounts. A device includes one or more applications. At least one of the applications is configured to be used with a plurality of user accounts including zero or more managed user accounts. The device includes or communicates with a client component. The client component is configured to identify active user accounts for the applications. The client component is further configured to receive policy from a management system, where the policy specifies application controls on a user account basis. The client component is further configured to enforce application configuration based on the policy from the management system and the active user accounts. | 03-24-2016 |
20160088017 | Conditional Access to Services Based on Device Claims - Providing access to one or more resources to a user device. A method includes at a user device, registering with an identity service to obtain an identity credential. The method further includes at the user device, registering with a policy management service by presenting the identity credential. The method further includes at the user device, providing an indication of current state of the user device to the policy management service. The policy management service can then indicate to the identity service the compliance level of the user device. The method further includes the user device receiving a token from the identity service based on the policy management level of the user device as compared to a policy set. | 03-24-2016 |
20160088018 | SYSTEM AND METHOD FOR CONFIGURING A COMPUTER SYSTEM ACCORDING TO SECURITY POLICIES - Method and system for configuration of a computer system according to security policies. The configuration of an employee's personal computer system according to the security policies of the corporate network provides for security of access to the corporate network. Configuration change instructions are generated according to the security policy and applied to the configuration of the computer system. The configuration system includes at least one computer system used to access a corporate network, a policy application module configured to determine configuration parameters of the computer system and to pass the configuration data to an instruction forming module. The computer system is configured according to the selected security policy by execution of at least one configuration change instruction. The configuration system also includes a database of security policies. | 03-24-2016 |
20160088019 | TECHNOLOGIES FOR MULTI-FACTOR SECURITY ANALYSIS AND RUNTIME CONTROL - Technologies for client-level web application runtime control and multi-factor security analysis by a computing device include receiving application code associated with a browser-based application from a web server. The computing device collects real-time data generated by at least one sensor of the computing device and performs a multi-factor security assessment of the browser-based application as a function of the collected real-time data and the application code. Further, the computing device establishes a client-level web application runtime security policy associated with the browser-based application in response to performing the multi-factor security assessment and enforces the client-level web application runtime security policy. | 03-24-2016 |
20160088020 | DISTRIBUTED TRAFFIC MANAGEMENT SYSTEM AND TECHNIQUES - Approaches, techniques, and mechanisms are disclosed for implementing a distributed firewall. In an embodiment, many different computer assets police incoming messages based on local policy data. This local policy data is synchronized with global policy data. The global policy data is generated by one or more separate analyzers. Each analyzer has access to message logs, or information derived therefrom, for groups of computer assets, and is thus able to generate policies based on intelligence from an entire group as opposed to an isolated asset. Among other effects, some of the approaches, techniques, and mechanisms may be effective even in computing environments with limited supervision over the attack surface, and/or computing environments in which assets may need to make independent decisions with respect to how incoming messages should be handled, on account of latency and/or unreliability in connections to other system components. | 03-24-2016 |
20160088021 | POLICY-BASED COMPLIANCE MANAGEMENT AND REMEDIATION OF DEVICES IN AN ENTERPRISE SYSTEM - The present disclosure relates generally to managing compliance of remote devices that access an enterprise system. More particularly, techniques are disclosed for using a compliance policy to manage remediation of non-compliances of remote devices that access an enterprise system. A device access management system may be implemented to automate remediation of non-compliances of remote devices accessing an enterprise system. Remediation may be controlled based on different levels of non-compliance, each defined by one or more different non-compliances. In some embodiments, a level of non-compliance may be conditionally defined by one or more user roles for which non-compliance is assessed. Access to computing resources of an enterprise system may be controlled for a remote device based on compliance of the remote device. Access may be inhibited for those resources not permitted during a time period of a non-compliance. | 03-24-2016 |
20160088022 | PROXY SERVERS WITHIN COMPUTER SUBNETWORKS - Embodiments of the invention include techniques for processing messages transmitted between computer networks. In some embodiments, messages such as requests and responses for various types of web services, applications, and other web content may be transmitted between multiple computer networks. One or more intermediary devices or applications, such as a proxy server implemented within a physical or logical subnetwork, may receive, process, and transmit the messages between the communication endpoints. In some embodiments, a proxy server may be configured to operate within a subnetwork of an internal computer network, exposing various web applications and/or services of the internal computer network to external computer networks. Such a proxy server may select specific policies for processing messages based on various message characteristics and the current point in a predetermined processing flow for the message. After selecting the specific policies to be applied to the message, the proxy server may process the message in accordance with the policies and forward the message to its intended destination. | 03-24-2016 |
20160088023 | SERVICES WITHIN REVERSE PROXY SERVERS - Embodiments of the invention provide techniques for processing messages transmitted between computer networks. Messages, such as requests from client devices for web services and other web content may be transmitted between multiple computer networks. Intermediary devices or applications such as proxy servers may receive, process, and transmit the messages between the communication endpoints. In some embodiments, a reverse proxy server may be configured to dynamically generate Representational State Transfer (REST) services and REST resources within the reverse proxy server. The REST services and REST resources within the reverse proxy server may handle incoming requests from client devices and invoke backend web services, thereby allowing design abstraction and/or enforcement of various security policies on the reverse proxy server. | 03-24-2016 |
20160088024 | PROPOSAL SYSTEM ACCESS POLICY ENFORCEMENT - Described herein are techniques and mechanisms for access policy creation and enforcement. According to various embodiments, a message may be received via a communications interface. The message may include a request to perform an action within a proposal system. The proposal system may be operable to create a request for proposals based on user input. The request for proposals may describe a business need associated with a business entity. The proposal system may be further operable to process a plurality of proposal documents received in response to the request for proposals. The request may be associated with a user account. A determination may be made as to whether the requested action complies with an access policy. The requested action may be performed when it is determined that the requested action complies with the access policy. | 03-24-2016 |
20160088025 | APPROACH FOR MANAGING ACCESS TO DATA ON CLIENT DEVICES - A device management system is configured to manage access to electronic documents on client devices using policies. The policies specify one or more download and processing restrictions to be enforced with respect to the particular electronic document at client devices, for example, particular hardware and software configurations that are required at client devices before data is permitted to be downloaded to those client devices. The policies may also specify other requirements that must be satisfied before data is permitted to be downloaded to those client devices, for example, user authentication. | 03-24-2016 |
20160088026 | RULE BASED DEVICE ENROLLMENT - Techniques for providing enrollment services for various types of electronic devices in a communication network are disclosed. The electronic devices may include devices associated with a user and headless devices not associated with any user. In certain embodiments, a device enrollment system is disclosed that controls the authentication and enrollment of both user devices and headless devices within a communication network. The device enrollment system detects a particular device within a communication network, identifies a type of enrollment policy to be applied to the device based on a type of the device, applies a set of enrollment rules to the device in accordance with the enrollment policy and enrolls the device if the device satisfies one or more criteria specified by the enrollment rules. | 03-24-2016 |
20160092685 | PASSIVE COMPLIANCE VIOLATION NOTIFICATIONS - Disclosed are various embodiments for passive compliance violation notifications. In one embodiment, it is detected that a policy violation with respect to use of a client device has occurred. It is then determined that the policy violation may be passive. A user notification of the policy violation is generated by the client device in response to determining that the policy violation may be passive. The frequency and/or intensity of this notification may depend upon an extent of the policy violation. If the policy violation is later determined to be active, additional actions may be performed, such as disabling access to or removing managed resources on the client device. | 03-31-2016 |
20160092691 | Representation of Operating System Context in a Trusted Platform Module - Techniques for representation of operating system context in a trusted platform module are described. In at least some embodiments, authorization principals that correspond to representations of operating system context are derived in a trusted platform module. The authorization principals can be used to define authorization policies for access to security assets stored in a trusted platform module. | 03-31-2016 |
20160092694 | Inspecting Code and Reducing Code Size Associated to a Target - Code is associated to a target based on an inspection of the code. A target may be a device or a user. A number of code components may be inspected at one time and then transferred or otherwise associated to a target based on the target's profile. A code component may be a policy of an information management system. | 03-31-2016 |
20160092700 | DATA VERIFICATION USING ENCLAVE ATTESTATION - Particular embodiments described herein provide for an electronic device that can be configured to receive untrusted input data at an enclave in an electronic device, isolate the untrusted input data from at least a portion of the enclave, communicate at least a portion of the untrusted data to an integrity verification module using an attestation channel, and receive data integrity verification of the untrusted input data from the integrity verification module. The integrity verification module can perform data integrity attestation functions to verify the untrusted data and the data integrity attestation functions include a data attestation policy and a whitelist. | 03-31-2016 |
20160094515 | MOBILE HOTSPOT MANAGED BY ACCESS CONTROLLER - Systems and methods are described for a mobile hotspot that can be managed from an access controller. According to an embodiment, a mobile hotspot establishes a wide area network (WAN) connection through a wireless WAN module and establishes a wireless local area network (WLAN) connection with a wireless fidelity (WiFi)-enabled device using a first wireless access point (AP) profile, wherein the first AP profile is also used for multiple APs of an enterprise that are controlled by an access controller (AC). The mobile hotspot sets up a secure tunnel with the AC through the WAN connection. After receiving WLAN traffic from the WiFi-enabled device through the WLAN connection, the WLAN traffic is transmitted to the AC through the secure tunnel. | 03-31-2016 |
20160094517 | APPARATUS AND METHOD FOR BLOCKING ABNORMAL COMMUNICATION - An apparatus and method for blocking abnormal communication are disclosed herein. The apparatus for blocking abnormal communication includes a packet collection unit, a packet analysis unit, and an access control unit. The packet collection unit collects a packet via a network device. The packet analysis unit generates a system rule, a communication flow rule, and a packet characteristic rule based on the packet from the packet collection unit. The access control unit determines whether to block the packet by determining whether the packet from the packet collection unit satisfies the system rule, the communication flow rule and the packet characteristic rule. | 03-31-2016 |
20160094560 | REMOTE PROCESSING OF MOBILE APPLICATIONS - In an example implementation of the disclosed technology, a method includes accessing, by a management agent associated with a client device, a profile associated with a requested resource, wherein the profile comprises at least one profile criterion. The method also includes evaluating the profile criterion based, at least in part, on status information associated with the client device to determine any processing restrictions associated with the requested resource. The method also includes, responsive to receiving an indication that the resource is subject to a server-device processing restriction, requesting access to the resource from a remote server and receiving an instance of a user interface for interacting with the resource. | 03-31-2016 |
20160094566 | METHOD AND SYSTEM FOR EMAIL PRIVACY, SECURITY, AND INFORMATION THEFT DETECTION - A system and method is proposed for managing email messages across a network. The system provides multiple means of verifying an originating sender of email. In addition, the system automatically generates unique email addresses as a means to mask the email address of an original sender and shield users from unwanted email. The system may also be configured to block email security threats (e.g. phishing, spear phishing, etc.). Further, the system provides means of processing email messages to enable encryption, spam detection, geographical location identification of users, and social networking. | 03-31-2016 |
20160094582 | SYSTEM AND METHOD FOR SUPPORTING WEB SERVICES IN A MULTITENANT APPLICATION SERVER ENVIRONMENT - In accordance with an embodiment, described herein is a system and method for supporting web services in a multitenant application server environment. The system comprises a domain with a plurality of partitions, wherein each partition can include one or more web services, and a web services inspection language (WSIL) application. A partition-aware managed bean server can include managed beans for generating addresses of web services deployed to each partition, wherein the generated addresses can be retrieved by the WSIL application in that partition for use by clients in accessing the web services. The system can further include a web service security manager that can secure web services in each partition, by attaching security policies to each web service endpoint and enforcing the security policies on requests directed to that web service endpoint. | 03-31-2016 |
20160094583 | SYSTEM AND METHOD FOR DYNAMIC SECURITY CONFIGURATION IN A MULTITENANT APPLICATION SERVER ENVIRONMENT - In accordance with an embodiment, described herein is a system and method for supporting dynamic security configuration in a multitenant application server environment. Common configuration changes required for partition level security can be made without requiring a server restart, such as for example, adding a new security realm for a partition; deleting an existing realm; changing the configuration on an existing realm; adding or removing a security provider to a realm; or changing the configuration of a security provider. In accordance with an embodiment, also described herein is a system and method for supporting dynamic reconfiguration in a multitenant application server environment. Attributes of partition management components, for example managed beans (MBeans) and child MBeans contained within a partition, can be made dynamic and annotated accordingly, so that a restart of servers is not required for configuration changes to those attributes for a particular partition. | 03-31-2016 |
20160094584 | MANAGEMENT OF APPLICATION ACCESS TO DIRECTORIES BY A HOSTED DIRECTORY SERVICE - Features are disclosed for facilitating management of network directories of multiple organizations by a centralized directory management system. Various applications can access the directories of the organizations via the directory management system according to the permissions that the applications have been granted by the respective organizations. Organizations may maintain directories on-premises or off-premises, and the applications can access the directories via the directory management system regardless of the physical location of the directories. Additionally, the applications may be hosted by a computing service provider that also hosts or otherwise manages the directory management service, or the applications can be hosted by third-party servers separate from the directory management system and the organizations. | 03-31-2016 |
20160094585 | SECURE POLICY PORTAL FOR REMOTE STORAGE NETWORKS - A system for securely managing uploaded content according to client-definable policies in remote storage configurations may include a content storage network with servers that are distributed in a plurality of geographic regions. The system may also include a policy engine that stores and processes policies that govern how content uploaded to the content storage network is stored. The system may additionally include a client portal that may be configured to receive a content object at the client device for upload to the content storage network, receive a policy or a selection of a policy that governs how the content object should be stored in the content storage network, and provide a status of how the policy is applied to the content object after the content object is uploaded to the content storage network. | 03-31-2016 |
20160098557 | METHOD AND APPARATUS FOR MANAGING APPLICATION DATA OF PORTABLE TERMINAL - A method for managing application data of a portable terminal according to the present invention comprises the steps of: allocating a plurality of data areas required for a data management policy for an application program; when the application program is executed, permitting connection to a specific data area of the plurality of data areas allocated for the application program on the basis of the data management policy; and executing the application program while performing the permitted connection to the specific data area. | 04-07-2016 |
20160099948 | METHOD AND SYSTEM FOR ENABLING ACCESS OF A CLIENT DEVICE TO A REMOTE DESKTOP - A computer implemented method, computer program product, and systems for enabling access of a client device to a remote desktop. The remote desktop is implemented within a remote virtual machine engine ( | 04-07-2016 |
20160099967 | SYSTEMS AND METHODS OF IDENTIFYING SUSPICIOUS HOSTNAMES - A method includes receiving a set of strings and applying one or more filters to generate a subset of strings that are determined to correspond to strings of interest. The method also includes retrieving domain name system (DNS) information associated with a first string of the subset. The method includes executing a rule-based engine to determine, based on application of one or more rules to the DNS information, whether to add the first string to a set of suspicious hostnames. | 04-07-2016 |
20160099971 | End-To-End Secure Cloud Computing - A method includes receiving, at a control node of a cloud computing network, a first enterprise policy specific to the first enterprise and a second enterprise policy specific to the second enterprise, and managing communications between at least one user device of the first enterprise and the at least one enterprise application hosted on behalf of the first enterprise based on the first enterprise policy. The method also includes managing communications between at least one user device of the second enterprise and the at least one enterprise application hosted on behalf of the second enterprise based on the second enterprise policy. | 04-07-2016 |
20160099972 | Secure Execution of Enterprise Applications on Mobile Devices - A system is disclosed that includes components and features for enabling enterprise users to securely access enterprise resources (documents, data, application servers, etc.) using their mobile devices. An enterprise can use some or all components of the system to, for example, securely but flexibly implement a BYOD (bring your own device) policy in which users can run both personal applications and secure enterprise applications on their mobile devices. The system may, for example, implement policies for controlling mobile device accesses to enterprise resources based on device attributes (e.g., what mobile applications are installed), user attributes (e.g., the user's position or department), behavioral attributes, and other criteria. Client-side code installed on the mobile devices may further enhance security by, for example, creating a secure container for locally storing enterprise data, creating a secure execution environment for running enterprise applications, and/or creating secure application tunnels for communicating with the enterprise system. | 04-07-2016 |
20160099973 | LOCATION BASED SHARING OF A NETWORK ACCESS CREDENTIAL - A network access credential can be shared among devices based on location information for a device. Location information can include timed fingerprint location information. In an aspect, location information can be associated with a location of user equipment. This location information can be correlated with network access credentials. Location information can be used to access a relevant network access credential. The relevant network access credential can be shared with other devices. In an embodiment, sharing a network access credential can be between mobile devices. In another embodiment, sharing a network access credential can be between a remote computing device and a mobile device. Sharing a credential can allow for access to a network without having to generate or input new credentials. | 04-07-2016 |
20160099974 | SYSTEM AND METHOD FOR REMOTELY MANAGING SECURITY AND CONFIGURATION OF COMPUTE DEVICES - The present invention relates to a system that manages security of one or more computer systems and/or one or more different types of I/O channels such as USB, Ethernet, SATA, and SAS. According to certain aspects, the management system is distributed. That is, a central management system and computer subsystems are physically distributed within one or more geographical areas, and communicate with each other by passing messages through a computer network. According to certain additional aspects, the configuration and/or security functions performed by methods and apparatuses according to the invention can be logically transparent to the upstream host and to the downstream device. | 04-07-2016 |
20160099975 | Extending organizational boundaries throughout a cloud architecture - An information sharing paradigm for a cloud computing solution enables flexible organizational boundaries with respect to cloud resources. Cloud service customers manage their own organization boundary but can extend that boundary selectively by associating cloud resources they own with sets of domain names that may be associated with requests for cloud resources that the organization may be willing to share with other organizations that are using the cloud environment, and by ensuring that any such requests for resources that are shared in this manner are associated with one or more message handling policies that have been defined by (or otherwise associated with) the resource-owning organization. Cloud resources owned by an organization (even those marked as “internal only”) may be selectively shared with one or more other organizations using the cloud environment depending on the domain names associated with the requests. Message handling policies are enforced with respect to shared resources. | 04-07-2016 |
20160103657 | METADATA DRIVEN REAL-TIME ANALYTICS FRAMEWORK - Methods, systems, and computer program products are provided for developing application definition packages, and deploying the application definition packages at cloud services to produce real-time data analytics applications. In one implementation, a selection is received of an application definition package that defines a real-time data analytics application. The application definition package indicates an application name and includes at least one payload definition, reference data definition, and query definition. A domain name is provided for the real-time data analytics application, and a cloud service is generated that is associated with the domain name. The application definition package is applied to an application template to generate a finalized real-time data analytics package. The finalized real-time data analytics package is instantiated in the cloud service to create a network-accessible instance of the real-time data analytics application. | 04-14-2016 |
20160104002 | ROW LEVEL SECURITY INTEGRATION OF ANALYTICAL DATA STORE WITH CLOUD ARCHITECTURE - A predicate-based row level security system is used when workers build or split an analytical data store. According to one implementation, predicate-based means that security requirements of source transactional systems can be used as predicates to a rule base that generates one or more security tokens, which are associated with each row as attributes of a dimension. Similarly, when an analytic data store is to be split, build job, user and session attributes can be used to generate complementary security tokens that are compared to security tokens of selected rows. Efficient indexing of a security tokens dimension makes it efficient to qualify row retrieval based on security criteria. | 04-14-2016 |
20160104003 | INTEGRATION USER FOR ANALYTICAL ACCESS TO READ ONLY DATA STORES GENERATED FROM TRANSACTIONAL SYSTEMS - The technology disclosed preserves the tenant specificity and user specificity of the tenant data by associating user IDs to complementary special IDs referred to as the integration user(s). In particular, it combines the traceability of user actions, the integration of security models and the flexibility of a service ID into one integration user(s). | 04-14-2016 |
20160104004 | ACCESS CONTROL FOR OBJECTS HAVING ATTRIBUTES DEFINED AGAINST HIERARCHICALLY ORGANIZED DOMAINS CONTAINING FIXED NUMBER OF VALUES - An aspect of the present disclosure facilitates controlling access to objects having attributes defined against hierarchically organized domains, with each domain containing a corresponding fixed number of values. In one embodiment, in response to receiving data indicating specific hierarchies of the hierarchically organized domains, the corresponding fixed number of values of the corresponding domains in each hierarchy is displayed. Accordingly, a user is enabled to select a desired set of values from the corresponding fixed number of values of the corresponding domains, and to specify a security rule for a combination of the selected set of values and a user entity. The security rule is thereafter enforced when objects having attributes matching the selected set of values are accessed by the user entity. | 04-14-2016 |
20160105395 | Applying a Packet Routing Policy to an Application Session - A security gateway includes packet routing policies, each including a host network address, an application network address, and a forwarding interface. In routing data packets of an application session, the security gateway: recognizes the application session between a network and an application; determines a user identity from an application session record for the application session; determines packet routing policies applicable to the application session based on the user identity; receives a data packet for the application session, including a source network address and a destination network address; compares the source network address with the host network address, and the destination network address with the application network address; and in response to finding a match between the source network address and the host network address, and between the destination network address and the application network address, processes the data packet using the forwarding interface of the packet routing policy. | 04-14-2016 |
20160105441 | Providing Restricted Access to Given Devices by Constructing Abstract Devices - Methods, systems, and computer program products for providing restricted access to given devices by constructing abstract devices are provided herein. A method includes generating a virtual device based on one or more physical devices; mapping multiple device actions of the one or more physical devices to multiple device actions of the virtual device exposed by the virtual device; incorporating (i) discretionary access control techniques, (ii) policy-based access control techniques, and (iii) a physical device-level partial ordering of actions to determine a resolution in response to a set of multiple user access requests for two or more of the multiple device actions of the virtual device; and executing the two or more device actions of the virtual device on the virtual device for one or more given users in accordance with said resolution by coordinating the execution of two or more corresponding device actions of the one or more physical devices on the one or more physical devices based on said mapping. | 04-14-2016 |
20160105444 | ENFORCING ALIGNMENT OF APPROVED CHANGES AND DEPLOYED CHANGES IN THE SOFTWARE CHANGE LIFE-CYCLE - On a host, host content change requests are intercepted in real-time. In a tracking mode, the change requests are logged and allowed to take effect on the host. In an enforcement mode, the change requests are logged and additionally compared against authorized change policies and a determination is made whether to allow the change to take effect or to block the changes, thereby enforcing the authorized change policies on the host. Tracking and enforcement can be done in real-time. In either mode and at any time, the logged changes can be reconciled against a set of approved change orders in order to identify classes of changes, including changes that were deployed but not approved and changes that were approved but not deployed. | 04-14-2016 |
20160105446 | APPLYING FORWARDING POLICY TO AN APPLICATION SESSION - A method for applying a security policy to an application session includes recognizing the application session between a network and an application via a security gateway; determining by the security gateway a user identity of the application session using information about the application session; obtaining by the security gateway the security policy comprising network parameters mapped to the user identity; and applying the security policy to the application session by the security gateway. The user identity may be a network user identity or an application user identity recognized from packets of the application session. The security policy may comprise a network traffic policy and/or a document access policy mapped to the user identity, where the network traffic policy is applied to the application session. The security gateway may further generate a security report concerning the application of the security policy to the application session. | 04-14-2016 |
20160105459 | SYSTEM, METHOD AND COMPUTER PROGRAM PRODUCT FOR SHARING CONTENT VIA LINKS - In accordance with embodiments, there are provided mechanisms and methods for sharing content via links. These mechanisms and methods for sharing content via links can enable customizable features associated with the operations related to those links. These features may include generating customized reports on usage of the links, and/or exposing one or more application programming interfaces (APIs) enabling applications to access the links and/or logic associated with operations related to those links. | 04-14-2016 |
20160105460 | SYSTEM AND METHOD FOR PROVIDING USER WITH SERVICES - Improper communication using modified software is inhibited without checking game data itself. A system according to one embodiment realizes provision of an online game to a login user with HTTP communication between the server and the client terminal. The HTTP communication includes transmitting, by a terminal device, an HTTP request to which a sequence number of the terminal side is attached; checking, by the server, validity of the HTTP request based on comparison between the sequence number of the login user stored in the server and the sequence number attached to the HTTP request; updating, by the server, the sequence number according to a predetermined update rule; transmitting, by the server, an HTTP response; and updating, by the terminal device, the sequence number in the terminal device according to the predetermined update rule. | 04-14-2016 |
20160105461 | INFORMATION PROCESSING APPARATUS AND CONTROL METHOD FOR INFORMATION PROCESSING APPARATUS - In an information processing apparatus that communicates with a printing control apparatus, whether the printing control apparatus is connected is determined in a case where a security policy is set for the information processing apparatus, and setting of the security policy is activated. The setting of the security policy is deactivated in a case where the printing control apparatus is connected, and the setting of the security policy is applied in a case where the printing control apparatus is not connected. | 04-14-2016 |
20160105462 | Systems and Methods for Rule-Based Anomaly Detection on IP Network Flow - A system to detect anomalies in internet protocol (IP) flows uses a set of machine-learning (ML) rules that can be applied in real time at the IP flow level. A communication network has a large number of routers equipped with flow monitoring capability. A flow collector collects flow data from the routers throughout the communication network and provides them to a flow classifier. At the same time, a limited number of locations in the network monitor data packets and generate alerts based on packet data properties. The packet alerts and the flow data are provided to a machine learning system that detects correlations between the packet-based alerts and the flow data to thereby generate a series of flow-level alerts. These rules are provided to the flow time classifier. Over time, the new packet alerts and flow data are used to provide updated rules generated by the machine learning system. | 04-14-2016 |
20160105463 | MANAGED REAL-TIME COMMUNICATIONS BETWEEN USER DEVICES - Managed real-time communications between user devices may be provided. Upon receiving a request to instantiate a communication connection from an application, a secure session may be established between the application and a remote application. Input from a user of the application may be received, subjected to at least one management policy, and transmitted to the remote application. | 04-14-2016 |
20160110213 | VIRTUAL MACHINE MONITORING METHOD AND SYSTEM THEREOF - A virtual machine monitoring method and a system thereof are provided. The virtual machine monitoring method includes: detecting at least one hardware resource of an electronic device and storing corresponding hardware configuration data, detecting display information of the electronic device and storing corresponding display configuration data, connecting a server and receiving image data therefrom, establishing a virtual machine based on the image data, configuring the at least one hardware resource on the virtual machine based on the hardware configuration data, setting a display image on the virtual machine based on the display configuration data, and clearing the image data to end the virtual machine, so as to provide a user-friendly interface and achieve corporate data security. | 04-21-2016 |
20160110539 | MONITORING ACCESS TO A LOCATION - Devices, methods, and systems for monitoring access to a location are described herein. One or more method embodiments include determining data associated with an access event associated with a location, determining whether the access event is an anomalous access event using the data associated with the access event and a statistical model of data associated with a number of non-anomalous access events associated with the location, and assessing, if the access event is determined to be an anomalous access event, the anomalous access event. In various embodiments, assessing the anomalous access event includes at least one of determining an anomaly type associated with the anomalous access event, determining an anomaly classification confidence associated with the anomalous access event, determining an anomaly severity associated with the anomalous access event, and determining a reliability associated with the statistical model. | 04-21-2016 |
20160110558 | CLIENT IDENTIFYING DATA (CID) TARGET-STATE-COMPLIANT COMPUTER-EXECUTABLE APPLICATIONS - An approach for facilitating client identifying data (CID) target-state-compliant computer-executable applications is disclosed. In some implementations, a CID questionnaire that includes one or more requests for information relating to CID exposure associated with an application may be provided to a first user. One or more inputs to the one or more information requests may be received from the first user. Current state information associated with the application may be determined based on the one or more inputs and one or more CID-related criteria. The current state information may include risk information indicating current CID exposure associated with the application. Target state information associated with the application may be received. Remediation information associated with the application may be provided to one or more users. The remediation information may be determined based on the current state information and the target state information. | 04-21-2016 |
20160110562 | SYSTEM FOR ENCODING CUSTOMER DATA - A system for transforming customer data includes a network interface and a processor. The network interface communicates a request for customer data associated with a determined set of customers. It also receives a customer profile code associated with the customer data, wherein the customer profile code comprises a first code segment and a second code segment. It further receives first and second rules associated with the customer profile code. The processor determines the set of customers, transforms the first and second code segments into customer data using the rules, and analyzes the customer data to determine an operations history for the set of customers. | 04-21-2016 |
20160110563 | SYSTEM FOR ENCODING CUSTOMER DATA - A system for encoding customer data includes a memory, a decision engine, a rules engine and an interface engine. The memory stores customer data associated with service levels and rules. The decision engine receives a request for customer data from a third party, determines that the third party is associated with a first service level, and retrieves the customer data associated with the first service level. The rules engine transforms customer data into first and second code segments by applying the rules. The rules engine combines at least the first code segment and the second code segment to form a customer profile code. An interface engine communicates the customer profile code to the third party. | 04-21-2016 |
20160110729 | SYSTEM FOR ENCODING CUSTOMER DATA - A rules engine stores customer data, a first rule comprising a first plurality of conditions, and a second rule comprising a second plurality of conditions, wherein the customer data is associated with a particular customer. The rules engine transforms a first portion of the customer data into a first code segment by applying the first rule and by satisfying a condition of the first plurality of conditions of the first rule. It also transforms a second portion of the customer data into a second code segment by applying the second rule and by satisfying a condition of the second plurality of conditions of the second rule. The rules engine further combines at least the first code segment and the second code segment to form a customer profile code. An interface engine communicatively coupled to the rules engine communicates the customer profile code to a third party. | 04-21-2016 |
20160110731 | SYSTEM FOR ENCODING CUSTOMER DATA - A system for authenticating a customer includes a network interface and a processor. The network interface communicates a request for customer data associated with a particular customer. It also receives a customer profile code associated with the customer, wherein the customer profile code comprises a first code segment and a second code segment. It further receives first and second rules associated with the customer profile code. The processor transforms the first and second code segments into customer data using the rules. It further authenticates the customer using the customer data. | 04-21-2016 |
20160110732 | SYSTEM FOR ENCODING CUSTOMER DATA - A system for transforming customer data includes a network interface and a processor. The network interface communicates a request for customer data associated with a particular geographical area. It also receives a customer profile code associated with the customer data, wherein the customer profile code comprises a first code segment and a second code segment. It further receives first and second rules associated with the customer profile code. The processor transforms the first and second code segments into customer data using the rules. It further analyzes the particular geographical area using the customer data. | 04-21-2016 |
20160112240 | FLEXIBLE RULES ENGINE FOR MANAGING CONNECTED CONSUMER DEVICES - A processing device executing a rules engine receives a notification of a first event on a first network-connected device. The processing device identifies a first rule associated with a first user account, wherein the first user account is further associated with the first network-connected device, and wherein the first event on the first network-connected device is an input for the first rule. The processing device determines that the first event satisfies a first criterion of the first rule and generates a first command for a second network-connected device also associated with the first user account. The processing device then transmits the first command to the second network-connected device on behalf of the first user account, wherein the first command causes the second network-connected device to perform an action. | 04-21-2016 |
20160112374 | METHOD AND SYSTEM FOR SECURING AND PROTECTING SMART DEVICES WITHIN THE INTERNET OF THINGS ECOSYSTEM - A gateway device including a network interface having wired and/or wireless connections to smart devices and a network access point. The gateway device also includes a processor and a memory device having a local database. The processor is configured to execute a network controller for connecting and communicating with the smart devices and the network access point, a firewall engine for enforcing firewall rules stored in the local database for filtering communication between the smart devices and the network access point, and a management interface. The management interface generates internal firewall rules based on device profile information received from a remote database. | 04-21-2016 |
20160112436 | A METHOD, A SERVER AND A CLIENT PROVIDING SECURED COMMUNICATION IN A POWER DISTRIBUTION COMMUNICATION NETWORK - A technique is provided that addresses how to provide secured communication in a power distribution communication network. Specifically, upon receipt of a request for an insertion of a new device to the power distribution communication network, checking a unique identifier of the new device received in the request against a list of stored new devices or suppliers stored in a data storage. Upon finding a matching entry, evaluating a predetermined device or supplier certificate against a certificate of the new device received in the request. Upon validation of the received certificate, checking to determine if the new device will fit into a predetermined network topology or relation table that indicates which messages are authorized messages. Configuring the power distribution communication network to include the new device in case the new device fits into the predetermined network topology or the relation table. | 04-21-2016 |
20160112440 | METHODS AND DEVICES FOR IDENTIFYING THE PRESENCE OF MALWARE IN A NETWORK - A device and a method for identifying whether a network node is infected by malware, including identifying indicator events for each of a plurality of anomaly indicators, by counting the number of occurrences of an anomaly indicator in at least one of a network node and an entire network during a predetermined time duration and if the number of occurrences of the anomaly indicator during the predetermined time duration is greater than a predetermined event threshold, identifying an indicator event associated with the anomaly indicator during the predetermined time duration and assigning an expiration duration for the indicator event, determining whether the identified indicator events fulfill at least one predetermined infection rule, and if the indicator events fulfill the at least one predetermined infection rule, identifying the network node as infected by malware. | 04-21-2016 |
20160112452 | NETWORK ACCESS CONTROL USING SUBNET ADDRESSING - A server responds to a DHCP request for an IP address by setting a subnet in accordance with whether the client's MAC address is recognized as previously having been authenticated or otherwise associated with a policy. If the client has not been authenticated, the server provides a captive portal to enforce authentication. A routing device positioned in the network between clients and the server controls access to network resources by routing communications from clients in accordance with subnet addressing, where each subnet is associated with a policy. | 04-21-2016 |
20160112453 | SYSTEM AND METHOD FOR A CLOUD COMPUTING ABSTRACTION LAYER WITH SECURITY ZONE FACILITIES - In embodiments of the present invention improved capabilities are described for a virtualization environment adapted for development and deployment of at least one software workload, the virtualization environment having a metamodel framework that allows the association of a policy to the software workload upon development of the workload that is applied upon deployment of the software workload. This allows a developer to define a security zone and to apply at least one type of security policy with respect to the security zone including the type of security zone policy in the metamodel framework such that the type of security zone policy can be associated with the software workload upon development of the software workload, and if the type of security zone policy is associated with the software workload, automatically applying the security policy to the software workload when the software workload is deployed within the security zone. | 04-21-2016 |
20160112455 | Public and Private Hybrid Distributed Cloud Storage System and Cloud Storage Method - Public and private hybrid distributed cloud storage system and cloud storage method including an application system, a segmentation aggregation system, a public storage system and a private storage system. The application system provides original complete data and initiates an access request to the segmentation aggregation system. The segmentation aggregation system divides original complete data into data fragments and distributes them to said public storage system and private storage system according to a preset storage proportion, receives the fragments returned by the public and private storage systems, aggregates them into the complete data, and transfers it to said application system. The public storage system manages, authenticates and stores fragments. The private system manages, authenticates, counts, controls and stores fragments. The method, based on the cloud storage system, includes logging data and reading data. This invention solves the problems of limited-capacity private storage systems, inadequate bandwidth, and security-vulnerable public storage systems. | 04-21-2016 |
20160112457 | METHOD AND SYSTEM FOR DYNAMIC AND COMPREHENSIVE VULNERABILITY MANAGEMENT - One or more relevant scanners used to identify asset vulnerabilities are identified, obtained, and logically arranged for deployment on an asset in accordance with a vulnerability management policy and a scanner deployment policy such that the relevant scanners are deployed at, or before, a determined ideal time to minimize the resources necessary to correct the vulnerabilities, if found. The relevant scanners are then automatically deployed in accordance with the scanner deployment policy and, if a vulnerability is identified, one or more associated remedies or remedy procedures are applied to the asset. At least one of the one or more relevant scanners is then re-deployed on the asset to determine if the identified vulnerability has been corrected and, if the vulnerability is not corrected at, or before, a defined time, protective measures are automatically taken. | 04-21-2016 |
20160112458 | ESTABLISHING TRUST BETWEEN APPLICATIONS ON A COMPUTER - Systems, methods and machine-readable media for providing a security service are disclosed. The methods include receiving a modification of the application object code to allow the software application to transmit a request for the security service; retrieving the modified application object code corresponding to the software application from memory; receiving, via a processor, the request for the security service from the modified application object code; and providing, via the processor, the security service. The systems and machine-readable media perform operations according to the methods disclosed. | 04-21-2016 |
20160112460 | CONFLICT DETECTION AND RESOLUTION METHODS AND APPARATUSES - Conflict detection and resolution methods and apparatuses relate to the field of communications technologies. The conflict detection method includes: acquiring, by a controller, a flow path of a data flow on a network, where the flow path is used to indicate a path along which the data flow reaches an address in a destination address range from an address in a source address range through at least two intermediate nodes on the network, a first flow table rule is added to or deleted from flow tables of the at least two intermediate nodes, and the first flow table rule is any flow table rule; and determining, by the controller, whether a conflict exists according to an address range of the flow path and an address range of a security policy. | 04-21-2016 |
20160117489 | SUPPORTING SECONDARY USE OF CONTENT OF ELECTRONIC WORK - A technique for supporting secondary use of content of an electronic work. This technique includes receiving, from a user terminal, a use request requesting secondary use of the content of the electronic work, in which a secondary use policy of an author of the electronic work is associated with the electronic work; determining whether the use request satisfies the secondary use policy specified by the author; and transmitting, to the user terminal, together with a unique identifier associated with the use request, content of the electronic work based on the determination or edited content based on the determination. | 04-28-2016 |
20160117495 | ACCESS BLOCKING FOR DATA LOSS PREVENTION IN COLLABORATIVE ENVIRONMENTS - Data loss prevention (DLP) systems may be implemented in conjunction with collaborative services that may be integrated with or work in coordination with productivity services. Administrators may be enabled to configure DLP policies in the collaborative service to mitigate their organization's information disclosure risks, along with the detection and remediation of sensitive information. Access blocking may be one feature of the DLP system, where provision of access blocking may include determining if a detected action associated with content processed by the collaborative service matches access blocking criteria defined by DLP policy rules. In response to the determination that the action matches at least one access blocking criterion defined by the DLP policy rules, a block access tag associated with the content may be activated, previously defined permissions associated with the content may be ignored or altered, and access to the content may be restricted to a number of predefined users. | 04-28-2016 |
20160117506 | Security Controlled Multi-Processor System - Embodiments of the present disclosure provide systems and methods for implementing a secure processing system having a first processor that is certified as a secure processor. The first processor only executes certified and/or secure code. An isolated second processor executes non-secure (e.g., non-certified) code within a sandbox. The boundaries of the sandbox are enforced (e.g., using a hardware boundary and/or encryption techniques) such that code executing within the sandbox cannot access secure elements of the secure processing system located outside the sandbox. The first processor manages the memory space and the applications that are permitted to run on the second processor. | 04-28-2016 |
20160117525 | Mobile Privacy Information Proxy - An approach is provided for managing data being transmitted from a mobile device. The mobile device receives a request from a user to initiate a transmission of data. The mobile device determines whether the data includes person or business-related sensitive information based on a format of the data, and if so, the mobile device determines a country in which the mobile device is currently located, determines a privacy policy of the country in which the mobile device is currently located, and determines whether the privacy policy applies to a type of the data corresponding to the format of the data; and if so, the mobile device notifies the user of the privacy policy of the country, identifies to the user the type of the data for which the privacy policy applies, and queries the user whether to transmit the data as requested by the user. | 04-28-2016 |
20160119285 | SYSTEM AND METHOD FOR COMPLIANCE BASED AUTOMATION - This invention generally relates to a process and computer code for enabling users to create adapters that enable application automation processes that allow customers to define compliance boundaries using a rules-based compliance firewall for their service providers and allow service providers to perform automation on customer machines remotely while adhering to customer's compliance requirements. | 04-28-2016 |
20160119301 | POLICY SETTINGS CONFIGURATION WITH SIGNALS - Techniques and systems are disclosed for enabling device configuration using signals that encode device policy settings. A method of configuring policy settings on a host device can include receiving a signal that encodes at least one policy setting; interpreting the signal to determine the at least one policy setting; and applying the at least one policy setting to the host device at its own authority. | 04-28-2016 |
20160119327 | Confidence-based authentication discovery for an outbound proxy - A confidence-based authentication discovery scheme is implemented at a proxy. The scheme assumes that some level of unauthenticated browsing is allowed prior to enforcing authentication at the proxy. Once a known and trusted set of identity providers has been accessed and the user is required to authenticate at the proxy (e.g., as a result of policy), the proxy initiates Federated Single Sign-On (F-SSO) to one or more (or, preferably, all) known sites accessed by the browser. This F-SSO operation is performed seamlessly, preferably without the user's knowledge (after the user allows an initial trust decision between the proxy acting as a service provider and the external identity provider). The proxy collates the results and, based on the trust it has with those sites, produces a confidence score. That score is then used as input into policy around whether or not a user should be permitted to access a particular site. | 04-28-2016 |
20160119348 | SYSTEMS AND METHODS FOR SECURE RESOURCE ACCESS AND NETWORK COMMUNICATION - Systems and methods for secure resource access and network communication are provided. A plurality of policies are received on a client device, each policy comprising a respective resource and a respective permission for a respective action that can be performed by a user of the client device in regards to the resource. A first application, which is configured to store data in an encrypted repository on the client device, receives a request to open a resource. The first application determines that one of the policies prohibits access by the resource to the encrypted repository and, based thereon, selects a different second application to open the resource that does not have access to the encrypted repository. The second application then opens the resource. | 04-28-2016 |
20160119357 | Automated and Policy Driven Optimization of Cloud Infrastructure Through Delegated Actions - A system and method for optimizing a cloud environment using a workflow. | 04-28-2016 |
20160119360 | Method and System for Remote Data Access Using a Mobile Device - A system and method for securely storing, retrieving and sharing data using PCs and mobile devices and for controlling and tracking the movement of data to and from a variety of computing and storage devices. | 04-28-2016 |
20160119367 | METHOD, APPARATUS, AND SYSTEM FOR COOPERATIVE DEFENSE ON NETWORK - The present disclosure provides a method, an apparatus, and a system for cooperative defense on a network. Alarm information sent by a security device of a first subnet that is being attacked is received by a controller; the controller generates flow table information according to the alarm information, and forwards the flow table information to a switching device of the first subnet and a switching device of at least one second subnet, which is equivalent to that, after detecting an attack, a security device of a subnet generates alarm information, and shares, by using the controller, the alarm information with a switching device of the subnet and a switching device of another subnet that is not being attacked, to form networkwide cooperative defense, thereby enhancing network security. | 04-28-2016 |
20160119379 | SECURITY ORCHESTRATION FRAMEWORK - In an example, there is disclosed a computing apparatus, including: a network interface; one or more logic elements providing a security orchestration server engine operable for: receiving contextual data from a client via a network interface; providing the contextual data to a security orchestration state machine, the security orchestration state machine operable for deriving a policy decision from the contextual data; and receiving the policy decision from the policy orchestration state machine. There is also disclosed one or more tangible, non-transitory computer-readable mediums having stored thereon executable instructions for providing a security orchestration engine, and a method of providing a security orchestration engine. | 04-28-2016 |
20160119380 | SYSTEM AND METHOD FOR REAL TIME DETECTION AND PREVENTION OF SEGREGATION OF DUTIES VIOLATIONS IN BUSINESS-CRITICAL APPLICATIONS - A system is configured for real time detection and prevention of segregation of duties violations in business-critical applications. The system includes a software application monitor, a Segregation of Duties (SoD) conflict detection engine, a processor and a memory. The software application monitor is configured to monitor an action executed by a user in the software application in real-time. The SoD conflict detection engine receives an action notification from the software application monitor having an action and an associated user, and determines whether the action is associated with a conflict in a conflict rule database. The engine looks up the user and action and determines if the user has permission to execute the action and/or if the user has previously executed the action, and if so outputs a preventive alert indicating a segregation of duties violation. | 04-28-2016 |
20160119381 | Ensuring Health and Compliance of Devices - A compliance method and associated system is provided. The method includes generating backup devices for devices of a list of devices associated with a data storage environment. A device from the list of devices is selected and available credentials for connecting and authenticating the device are determined. Configuration and operational state data for the device are retrieved. A backup device associated with the device is selected and associated policies are loaded. Each policy is evaluated with respect to the backup devices, associated dependencies, and the configuration and operational state data. Compliant and non-compliant policies with respect to the backup devices are determined. | 04-28-2016 |
20160119382 | Applying Security Policy to an Application Session - Applying a security policy to an application session, includes: recognizing the application session between a network and an application via a security gateway; determining by the security gateway a user identity of the application session using information about the application session; obtaining by the security gateway the security policy comprising network parameters mapped to the user identity; and applying the security policy to the application session by the security gateway. The user identity may be a network user identity or an application user identity recognized from packets of the application session. The security policy may comprise a network traffic policy mapped and/or a document access policy mapped to the user identity, where the network traffic policy is applied to the application session. The security gateway may further generate a security report concerning the application of the security policy to the application session. | 04-28-2016 |
20160119383 | DYNAMIC GENERATION OF POLICY ENFORCEMENT RULES AND ACTIONS FROM POLICY ATTACHMENT SEMANTICS - At least one set of enforceable policy provisions is identified within at least one defined service level policy to be enforced during runtime by a policy enforcement point (PEP). Each set of enforceable policy provisions includes a policy subject, a reference to a policy domain, and at least one assertion. Each identified set of enforceable policy provisions is transformed by the PEP into at least one runtime-executable processing rule that each includes at least one PEP processing action that each represents an atomic unit of policy enforcement level behavior executable by the PEP to enforce the respective at least one assertion against runtime objects associated with the policy subject within an area of runtime policy enforcement specified by the policy domain. | 04-28-2016 |
20160125186 | METHOD OF LOADING FILES INTO RANDOM ACCESS MEMORY IN AN ELECTRONIC DEVICE AND ASSOCIATED ELECTRONIC DEVICE - In an electronic device designed to function in a trusted execution environment (TEE), because of the execution of a trusted operating system by a processor of the electronic device, or in a rich execution environment (REE), a method of loading files into random access memory includes the following steps: | 05-05-2016 |
20160125200 | METHODS AND SYSTEMS FOR NETWORK-BASED ANALYSIS, INTERVENTION, AND ANONYMIZATION - Systems and method for alerting a user device based on a proposed anonymization of a contribution to a conversation thread via one or several location-based anonymization rules are disclosed herein. The system can include a user device that can have location-determining features that can determine a physical location of the user device; a network interface that can exchange data with a server via a communication network; and an I/O subsystem that can convert electrical signals to user-interpretable outputs in a user interface. The system can include a server that can: receive a contribution from the user device; determine an anonymization level for applying to the contribution; identify a potential identifier in the content of the contribution; anonymize the potential identifier according to the determined anonymization level; and generate and provide an alert to the user device. | 05-05-2016 |
20160127318 | SECURITY SERVICES FOR END USERS THAT UTILIZE SERVICE CHAINING - Embodiments described herein provide security for end users of User Equipment (UE) that utilize service chaining for Service Data Flows (SDFs). One embodiment comprises a Policy and Charging Rules Function (PCRF) that determines that a service chain is enabled for a SDF requested by an end user of a UE. The PCRF identifies a service function implemented in the service chain that processes the SDF based on a generic security policy, and identifies a security rule for the end user for filtering the SDF by the service function. The PCRF provides the security rule to the service function for filtering the SDF within the service chain. | 05-05-2016 |
20160127319 | METHOD AND SYSTEM FOR AUTONOMOUS RULE GENERATION FOR SCREENING INTERNET TRANSACTIONS - A computer system for evaluating transactions in a network includes a storage medium, one or more processors coupled to said storage medium, and computer code stored in said storage medium. The computer code, when retrieved from said storage medium and executed by said one or more processors, causes the system to receive a plurality of transactions over the network and to automatically generate rules for evaluating the transactions. Each of the rules includes variables and a partition of the values of the variables, each partition having an assigned score. The computer system also automatically combines the rule scores to form a final score. | 05-05-2016 |
20160127365 | AUTHENTICATION TOKEN - The disclosed invention is a system and method that allows for authentication of a user to a network using a token. The token interacts with a device and authenticates the user to the system using lower power consumption and minimal bandwidth use for communication. The token may be part of the device or stand alone. The various aspects of the present invention capture a novel design for an authentication token that eliminates the need for user interaction with the token. | 05-05-2016 |
20160127377 | POLICY PARTIAL RESULTS - Technology for policies with reduced associated costs is disclosed. A policy may include an ordered rule set. When evaluated, the highest priority rule in the order that does not skip may control the policy outcome. Rules within a policy may have associated costs, such as data fetch and evaluation costs. In some contexts, it may be less important to evaluate every rule than to evaluate the policy quickly. Reduced policies that have one or more rules removed or that skip evaluation of some rules may be created for these contexts. When a rule of a policy is skipped, it may result in a possibility of a false allow or false deny. In some cases, rules may be duplicative. Removal or skipping of duplicative rules does not increase the possibility of a false allow or false deny. By using reduced policies in identified contexts, policy evaluation costs may be reduced. | 05-05-2016 |
20160127379 | SUPERVISED ONLINE IDENTITY - Technologies to facilitate supervision of an online identity include a gateway server to facilitate and monitor access to an online service by a user of a “child” client computing device. The gateway server may include an identity manager to receive a request for access to the online service from the client computing device, retrieve access information to the online service, and facilitate access to the online service for the client computing device using the access information. The access information is kept confidential from the user. The gateway server may also include an activity monitor module to control activity between the client computing device and the online service based on the set of policy rules of a policy database. The gateway server may transmit notifications of such activity to a “parental” client computing device for review and/or approval, which also may be used to update the policy database. | 05-05-2016 |
20160127407 | CERTIFICATION OF CORRECT BEHAVIOR OF CLOUD SERVICES USING SHADOW RANK - Determining potential harm associated with a network endpoint external to an enterprise includes receiving information about a network-based communication by a resource of the enterprise directed to the network endpoint external to the enterprise, and calculating a plurality of individual scores related to a risk associated with the network-based communication, wherein each individual score corresponds to a different category of risk. The determination also includes receiving data specifying a policy related to rules defined by the enterprise regarding usage of cloud services; calculating a composite risk score related to the network-based communication, wherein the composite risk score is based on the individual scores and the policy; and notifying an entity of the enterprise about the composite risk score. | 05-05-2016 |
20160127410 | SYSTEM AND METHODS FOR SCALABLY IDENTIFYING AND CHARACTERIZING STRUCTURAL DIFFERENCES BETWEEN DOCUMENT OBJECT MODELS - A security auditing computer system efficiently evaluates and reports security exposures in a target Web site hosted on a remote Web server system. The auditing system includes a crawler subsystem that constructs a first list of Web page identifiers representing the target Web site. An auditing subsystem selectively retrieves and audits Web pages based on a second list, based on the first. Retrieval is sub-selected dependent on a determined uniqueness of Web page identifiers relative to the second list. Auditing is further sub-selected dependent on a determined uniqueness of structural identifiers computed for each retrieved Web page, including structural identifiers of Web page components contained within a Web page. The computed structural identifiers are stored in correspondence with Web page identifiers and Web page component identifiers in the second list. A reporting system produces reports of security exposures identified through the auditing of Web pages and Web page components. | 05-05-2016 |
20160127416 | APPARATUS AND METHOD FOR CONTROLLING ACCESS TO SECURITY CONTENT USING NEAR FIELD NETWORK COMMUNICATION OF MOBILE DEVICES - Disclosed is an apparatus for controlling access to a security content using near field network communication of mobile devices. A policy issuance provider registration unit requests a content security policy for a first content, a security content, to a service server, receives the content security policy for the first content, requests to the service server for a first mobile device to be registered as a content security policy issuance provider, and receives a result of registration and a provider policy from the service server. A policy issuance provider converting unit converts the first mobile device to the content security policy issuance provider when receiving a request for access for browsing the first content through near-field network communication from another mobile device in which a DRM client application is being executed. A temporary content security policy issuance unit issues a temporary content security policy for the first content through near-field network communication to the second mobile device so that the second mobile device can browse the first content. | 05-05-2016 |
20160127417 | SYSTEMS, METHODS, AND DEVICES FOR IMPROVED CYBERSECURITY - Embodiments relate to systems, devices, and computing-implemented methods for initiating a secure network communication system using a response to a risk assessment template and one or more computer knowledge bases to determine a network security policy, network security controls, hardware and software devices, and commands for the hardware and software devices. Embodiments also relate to systems, devices, and computing-implemented methods for monitoring the secure network communication system by monitoring communications from user devices, determining to hold communications based on the network security policy, notifying users of held communications, and allowing the users, via their user devices, to adjust the network security policy for overridable controls to authorize held communications. | 05-05-2016 |
20160127418 | POLICY-GUIDED FULFILLMENT OF A CLOUD SERVICE - A model represents a cloud service to be provisioned over a cloud. A policy guides provisioning and subsequent management of the cloud service. The model is modified by introducing code corresponding to the policy into the model, the introduced code to perform at least one action with respect to a rule of the policy, the at least one action selected from among validating the rule and performing remediation with respect to the rule. Responsive to the modifying of the model, a set of instructions is generated including code for deploying an instance of the cloud service according to the model, and the introduced code to perform the at least one action with respect to the rule. | 05-05-2016 |
20160127419 | COMPUTERIZED SYSTEM AND METHOD FOR ADVANCED NETWORK CONTENT PROCESSING - A computerized system and method for processing network content in accordance with at least one content processing rule is provided. According to one embodiment, the network content is received at a first interface. A transmission protocol according to which the received network content is formatted is identified and used to intercept at least a portion of the received network content. The intercepted portion of the network content is redirected to a proxy, which buffers the redirected portion of network content. The buffered network content is scanned in accordance with a scanning criterion and processed in accordance with the at least one content processing rule based on the result of the scanning. The processed portion of network content may be forwarded using a second interface. | 05-05-2016 |
20160132678 | MANAGING SOFTWARE DEPLOYMENT - The method includes identifying an instance of software installed. The method further includes determining a fingerprint corresponding to the instance of software installed. The method further includes determining a security risk associated with the instance of software installed. The method further includes identifying a software management policy for the instance of software based upon the fingerprint, security risk, and designated purpose of the computing device. In one embodiment, the method further includes in response to identifying the software management policy, enforcing, by one or more computer processors, the software management policy on the instance of software installed on the computing device. | 05-12-2016 |
20160132689 | COMMUNICATION CONTROL DEVICE, DATA SECURITY SYSTEM, COMMUNICATION CONTROL METHOD, AND COMPUTER PRODUCT - A communication control device is configured to access an information processing apparatus in which data is stored. The device and method acquire an operational condition of the information processing apparatus and, in the event that the operational condition is activated, notify the information processing apparatus of a security command for causing the information processing apparatus to execute a security process on the data; in the event that the operational condition is a standby mode, a hibernate mode, or a shutdown mode, they notify the information processing apparatus of an activation command for activating the information processing apparatus, and then notify it of a security command for causing the information processing apparatus to execute a security process on the data. | 05-12-2016 |
20160134611 | SKILL-BASED SECURE DYNAMIC CONTACT CENTER AGENT ACCESS - Methods, systems and computer readable media for providing skill-based, secure and dynamic contact center agent network access are described. | 05-12-2016 |
20160134659 | INSPECTION OF DATA CHANNELS AND RECORDING OF MEDIA STREAMS - In one implementation, communication between two or more endpoints or client devices uses a peer-to-peer, browser-based, real-time communication protocol. One example of such a protocol is Web Real-Time Communication (WebRTC). An intermediary device receives from a first endpoint a request for communication with a second endpoint using the browser-based real-time communication. The intermediary device identifies a control protocol based on the request for communication, and receives one or more write keys from the first endpoint. The intermediary device monitors communication between the first endpoint and the second endpoint using the one or more write keys. Examples of the intermediary devices include servers, firewalls, and other network devices. | 05-12-2016 |
20160134660 | SECURELY OPERATING A PROCESS USING USER-SPECIFIC AND DEVICE-SPECIFIC SECURITY CONSTRAINTS - A method for enforcing secure processes between a user and a device involves determining that the user has initiated installation of a secure application, installing the RA part of the secure application, triggering a trusted UI session upon realization that the TA part of the secure application is not installed, receiving, via the trusted UI session, user credentials for authenticating the user and enforcing user-specific and device-specific security, cryptographically signing combined user credentials with a cryptographic signature to obtain an authentication object, passing the authentication object to a service provider associated with the secure application for extraction of the user credentials, and generating an authorization token permitting the installation of the TA part of the secure application upon verification of the cryptographically signed authentication object. | 05-12-2016 |
20160134661 | Operation of a Security Element with the Set of Operating Parameters Matched to the Selected Use Profile - A method for operating a security element which is part of a mobile end device, and a security element, have functionality depending on a set of operating parameters that is deposited on the security element. The method comprises the following steps: operating the security element with the set of operating parameters that is deposited on the security element; collecting data about the use of the security element and/or of the mobile end device; selecting a use profile on the basis of the collected data, with the use profile being assigned a set of operating parameters that is matched thereto; and operating the security element with the set of operating parameters that is matched to the selected use profile. | 05-12-2016 |
20160140328 | APPLICATION OF DIGITAL RIGHTS MANAGEMENT TO EMAILS BASED ON USER-SELECTED EMAIL PROPERTY SETTINGS - A method for automatically applying digital rights management (DRM) to outgoing emails based on a color category of the email set by the sending user. A plugin module on the user's computer interacts with the email application to extract the color category setting for the email and converts it to a category ID recognized by the digital rights management (RMS) server. The RMS server determines the DRM policy corresponding to the category ID using an association table, and applies that DRM policy to protect the email before sending the email to an exchange server. When a recipient receives the email, the application program on the recipient's computer cooperates with the RMS server to determine whether the recipient is allowed to access the email based on the DRM policy that has been applied to the email. | 05-19-2016 |
20160140353 | METHOD AND APPARATUS FOR PROTECTING LOCATION DATA EXTRACTED FROM BRAIN ACTIVITY INFORMATION - An approach is provided for protecting location data extracted from brain activity information. A privacy platform causes, at least in part, a mapping of brain activity information associated with at least one user to one or more locations visited by the at least one user. The privacy platform further determines one or more privacy policies associated with the one or more locations. The privacy platform then causes, at least in part, a transmission of at least the brain activity information, the one or more locations, or a combination thereof based, at least in part, on the one or more privacy policies. | 05-19-2016 |
20160140363 | PROGRAMMABLE UNIT FOR METADATA PROCESSING - A system and method for metadata processing that can be used to encode an arbitrary number of security policies for code running on a stored-program processor. This disclosure adds metadata to every word in the system and adds a metadata processing unit that works in parallel with data flow to enforce an arbitrary set of policies, such that metadata is unbounded and software programmable to be applicable to a wide range of metadata processing policies. This instant disclosure is applicable to a wide range of uses including safety, security, and synchronization. | 05-19-2016 |
20160142375 | TECHNIQUES TO AUTHENTICATE A CLIENT TO A PROXY THROUGH A DOMAIN NAME SERVER INTERMEDIARY - Techniques to authenticate a client to a proxy through a domain name server intermediary are described. In one embodiment, for example, a client apparatus may comprise a data store and a network access component. The data store may be operative to store a network configuration file, the network configuration file containing a client-specific secret. The network access component may be operative to transmit a communication request from the client device to a proxy server, the communication request directed to a destination server distinct from the proxy server, and to receive a response to the communication request from the destination server based on a determination by the proxy server that the client is authorized to use the proxy server, the determination based on the client having previously sent an encoding of a client-specific secret to a domain name server embedded within a lookup domain of a domain name request. Other embodiments are described and claimed. | 05-19-2016 |
20160142379 | ASSOCIATING ANONYMOUS INFORMATION TO PERSONALLY IDENTIFIABLE INFORMATION IN A NON-IDENTIFIABLE MANNER - The present disclosure provides a detailed description of techniques used in methods, systems, and computer program products for associating anonymous information to personally identifiable information without sharing any personally identifiable information. A method receives a specification record comprising one or more specified demographic attributes to be used in user record selection operations, the results of which operations include user records that comprise a user identifier and at least some non-personally-identifiable information. A candidate group is formed by applying a set of rules over the retrieved user records to reject-out one or more user records that comprise mutually-exclusive characteristics with respect to the other user records in the candidate group. An anonymity measure is calculated over the candidate group to satisfy a threshold of anonymity. If needed to satisfy the threshold of anonymity, additional user records are added to the group before any sharing operations. Anonymity of the users is preserved. | 05-19-2016 |
20160142419 | PROTECTING DOCUMENTS FROM CROSS-SITE SCRIPTING ATTACKS - In various implementations, an embedded document receives untrusted content from a containing document, where the embedded document is in the containing document. In some cases, the untrusted content is received by the containing document from a server and is forwarded to the embedded document without rendering the untrusted content in the containing document. Instead, the untrusted content is rendered in the embedded document. A sandbox policy is enforced on the embedded document such that the rendered untrusted content is restricted from accessing data associated with the containing document. The untrusted content may comprise malicious code that, when rendered, executes an XSS attack that attempts to access the data associated with the containing document. However, because the untrusted content is rendered in the embedded document, the malicious code may be denied access to the data, thereby preventing the XSS attack from succeeding. | 05-19-2016 |
20160142434 | AUTOMATED SECURITY TESTING - A method of automated security testing includes recording a macro. The recorded macro is played and a web request is intercepted while playing the macro. The web request may be attacked and sent to a web server. A response from the web server based on the web request is received, and the response of the web server is processed to determine any vulnerabilities. | 05-19-2016 |
20160142441 | CENTRALIZED OPERATION MANAGEMENT - A novel security framework that is part of an operating system of a device is provided. The framework includes a security assessor that performs security policy assessments for different operations that need to be performed with respect to an application executing on the device. Examples of such operations include the installation of the application, execution of the application, and the opening of content files (e.g., opening of documents) by the application. | 05-19-2016 |
20160142442 | System and Method for Intelligent State Management - A method is provided in one example embodiment and it includes receiving a state request and determining whether a state exists in a translation dictionary for the state request. The method further includes reproducing the state if it is not in the dictionary and adding a new state to the dictionary. In more specific embodiments, the method includes compiling a rule, based on the state, into a given state table. The rule affects data management for one or more documents that satisfy the rule. In yet other embodiments, the method includes determining that the state represents a final state such that a descriptor is added to the state. In one example, if the state is not referenced in the algorithm, then the state is released. If the state is referenced in the algorithm, then the state is replaced with the new state. | 05-19-2016 |
20160142443 | PERSONAL DEVICE NETWORK FOR USER IDENTIFICATION AND AUTHENTICATION - Established user habits in carrying multiple wirelessly detectable devices are used to provide or substantiate authentication. In some embodiments, simply detecting that expected devices are co-located within a limited spatial region is sufficient to establish that the devices are being carried by a single individual. In other embodiments, particularly where the potential for spoofing by multiple individuals is a concern, single-user possession of the devices may be confirmed by various corroborative techniques. This approach affords convenience to users, who may be working at a device that lacks the necessary modality (e.g., a fingerprint or vein reader) for strong authentication. | 05-19-2016 |
20160142444 | AUTHENTICATION POLICY USAGE FOR AUTHENTICATING A USER - A processor ascertains that a user is authorized to access a federated computing environment that includes at least two servers, which includes determining that input authentication information previously received from the user by a first server of the at least two conforms to at least one rule of an authentication policy of a second server having a highest relative priority among servers of the at least two servers whose authentication policy's at least one rule, in an authentication policy table within the first server, is conformed to by the received input authentication information. The authentication policy table within the first server includes (i) an authentication policy of each server of the at least two servers and (ii) a relative priority of each server in order of decreasing number of users registered in an authentication system of each server. | 05-19-2016 |
20160142445 | METHODS AND DEVICES FOR ANALYZING USER PRIVACY BASED ON A USER'S ONLINE PRESENCE - A method, non-transitory computer readable medium, and policy rating server device that receives a request from a client computing device for one or more privacy ratings. The request identifies at least one application, such as an application installed on the client computing device for example. A policy associated with the identified application is obtained. The obtained policy is analyzed to identify a plurality of key words or phrases associated with use by the at least one application of functionality of, or personal information stored on, the client computing device. One or more privacy ratings are generated based on numerical values assigned to each of the identified key words or phrases. The generated one or more privacy ratings are output to the client computing device in response to the request. | 05-19-2016 |
20160149860 | SECURE DATA REDACTION AND MASKING IN INTERCEPTED DATA INTERACTIONS - A method for modifying intercepted data interactions is provided in the illustrative embodiments. At a security application executing in a security data processing system, an intercepted packet of data arranged according to a protocol is received from an intercepting agent executing in an intercepting data processing system. A security policy is applied to the intercepted packet. In an instruction according to a coding grammar, a modification of the intercepted packet is encoded. The instruction is suited for the encoding under a circumstance of the modifying. The instruction is sent to the intercepting agent. The intercepting agent at the intercepting data processing system performs the modification according to the security policy and independently of the protocol. | 05-26-2016 |
20160149863 | METHOD AND SYSTEM FOR MANAGING A HOST-BASED FIREWALL - Disclosed herein are a system and method for managing the firewall of one or more host computing devices associated with a customer, each host computing device including a configurable firewall. In one arrangement, the system includes: a central management suite coupled to a first host computing device via a communications link, said central management suite including: a management portal for receiving instructions from said customer relating to a set of policies, wherein each policy defines a set of firewall rules; a storage device for storing said set of policies in a format inapplicable for configuring the firewall of the first host computing device; and a management policy module for retrieving from said stored set of policies a policy associated with said first host computing device. The system further includes: a first policy translator resident on said first host computing device for receiving said retrieved policy from said central management suite, via said communications link, and for translating said retrieved policy to a format applicable for configuring the firewall of the first host computing device to facilitate implementing a set of firewall rules defined by said retrieved policy. | 05-26-2016 |
20160149887 | SYSTEMS AND METHODS FOR MALICIOUS CODE DETECTION ACCURACY ASSURANCE - There is provided a method for authenticating an attempt at establishment of a network connection by allowed code, comprising: providing a dataset having previously observed stack trace templates each representing a stack trace pattern prevailing in stack traces recorded by monitoring stacks of clients executing an allowed code during a connection establishment process for establishing network connections related to the allowed code; receiving a new stack trace recorded during a new connection establishment process for a new network connection by a new client; measuring a similarity between the new stack trace and the plurality of stack trace templates to identify a match to a stack trace template; evaluating the matched stack trace template for a predefined rule requirement; and updating a rule-set database with the matched stack trace template to authenticate new network connection establishments associated with stack templates matching the matched stack trace template. | 05-26-2016 |
20160149920 | METHOD AND APPARATUS FOR SPECIFYING TIME-VARYING INTELLIGENT SERVICE-ORIENTED MODEL - A method and an apparatus for specifying a time-varying, intelligent service-oriented model are provided. A method implemented in a computer infrastructure having computer executable code embodied on a computer readable storage medium having programming instructions, includes defining information of a service which is to be provided to one or more users having access to a system storing the defined information. The method further includes defining policies associated with the defined information to allow and deny access to selected portions of the defined information, and exposing to a user of the one or more users the selected portions of the defined information based on the defined policies allowing access to the selected portions of the defined information. | 05-26-2016 |
20160149926 | Systems and Methods for Facilitating Access to Private Files Using a Cloud Storage System - A method for providing access to objects associated with a particular client in a cloud storage system is disclosed. The method includes the steps of establishing a connection with a user, providing a client namespace associated with the client to the user, where the client namespace represents objects stored on the cloud storage system and objects stored on a private storage system apart from the cloud storage system, receiving a request from the user to access an object stored on the private storage system, and providing information to the user to facilitate access to the object stored on the private storage system by said user. Other systems and methods are also disclosed. Important advantages of the present invention are facilitated by separating the logic for user access (control plane) from the actual storage (storage plane). Private file system access can still be managed from the cloud, while keeping the client data private. | 05-26-2016 |
20160149930 | SYSTEMS AND METHODS FOR PROTECTING AGAINST UNAUTHORIZED NETWORK INTRUSIONS - The disclosed computer-implemented method for protecting against unauthorized network intrusions may include (1) identifying a signal received by one or more antennas of a network from a transceiver of a device attempting to access the network, (2) detecting one or more signal strengths of the signal received by the antennas of the network in connection with the attempt to access the network, (3) determining, based at least in part on the signal strengths of the signal, that the attempt to access the network is potentially malicious, and then in response to determining that the attempt to access the network is potentially malicious, (4) initiating at least one security measure to address the potentially malicious attempt to access the network. Various other methods, systems, and computer-readable media are also disclosed. | 05-26-2016 |
20160149952 | NETWORK-BASED SECURE INPUT/OUTPUT (I/O) MODULE (SIOM) - A Secure Input/Output (I/O) Module (SIOM) is networked-enabled providing secure communications with terminals and peripherals integrated into the terminals. Communications between devices are securely made through encrypted communication sessions provisioned, defined, and managed through a secure protocol using the network-based SIOM. In an embodiment, a single-tenant network-based SIOM is provided. In an embodiment, a hybrid dual single-tenant and multi-tenant network-based SIOM is provided. In an embodiment, a multi-tenant network-based SIOM is provided. In an embodiment, a cloud-based SIOM is provided. | 05-26-2016 |
20160149953 | CLIENT/SERVER POLYMORPHISM USING POLYMORPHIC HOOKS - Computer systems and methods in various embodiments are configured for improving the security and efficiency of client computers interacting with server computers through an intermediary computer using one or more polymorphic protocols. In an embodiment, a computer system comprises a memory; a processor coupled to the memory; a processor logic coupled to the processor and the memory, and configured to: intercept, from a server computer, a first file and a second file, wherein the first file defines a first object with a first identifier and the second file comprises a reference to the first object by the first identifier; generate a second identifier; replace the first identifier with the second identifier in the first file; add one or more first instructions to the first file; remove the reference to the first identifier from the second file; add, to the second file, one or more second instructions, which when executed cause the one or more first instructions to be executed and produce the second identifier. | 05-26-2016 |
20160149954 | SECURE DATA REDACTION AND MASKING IN INTERCEPTED DATA INTERACTIONS - A system and computer program product for modifying intercepted data interactions are provided in the illustrative embodiments. At a security application executing in a security data processing system, an intercepted packet of data arranged according to a protocol is received from an intercepting agent executing in an intercepting data processing system. A security policy is applied to the intercepted packet. In an instruction according to a coding grammar, a modification of the intercepted packet is encoded. The instruction is suited for the encoding under a circumstance of the modifying. The instruction is sent to the intercepting agent. The intercepting agent at the intercepting data processing system performs the modification according to the security policy and independently of the protocol. | 05-26-2016 |
20160149955 | COMMUNICATIONS SECURITY SYSTEMS - A method of establishing secure communications between a first computer, e.g., a client computer, and a second computer, e.g., a web server, whereby the client computer receives one or more security policies relating to the web server. A client application examines the client computer and preferably configures one or more aspects of the client computer in order to make it comply with the security policies. Once the web server receives the results of this examination and/or configuration process, it can determine whether the secure communications are to be established and whether any restrictions need to be placed on this communication and/or the activity conducted via the communication. | 05-26-2016 |
20160149956 | MEDIA MANAGEMENT AND SHARING SYSTEM - The distribution of media clips stored on one or more servers is controlled using updateable permissions or rules defined by a content owner. The clip is made available from a server via a website, app or other source, for an end-user to view; the permissions or rules stored in memory are then updated; the permissions or rules are reviewed before the clip is subsequently made available, to ensure that any streaming or other distribution of the clip is in compliance with any updated permissions or rules. | 05-26-2016 |
20160149957 | SYSTEM AND METHOD OF MONITORING AND CONTROLLING APPLICATION FILES - A system and method for updating, monitoring, and controlling applications on a workstation. The workstation includes a workstation management module configured to detect the launch or request to access a network by an application. A workstation application server receives data associated with the application from the workstation. The application server module can determine one or more policies or categories to associate with the application by referencing an application inventory database. Once the application server module has the category or policy, it forwards a hash/policy table to the workstation management module. Upon receipt of the hash/policy table, the workstation management module applies the policy that is associated with the application to control network access by the application. | 05-26-2016 |
20160149958 | SHARING DATA ACROSS PROFILES - Systems, methods, and software can be used to share data across profiles. In some aspects, a first request from a first application for application data associated with a second application is received at a first hybrid agent. The first application and the first hybrid agent are associated with a first profile on a mobile device. The second application is associated with a second profile. A second request for the application data is sent to a second hybrid agent. The second hybrid agent is associated with the second profile. The application data is received from the second hybrid agent. The application data is sent to the first application. The application data is used by the first application to generate a graphical interface for presentation on the mobile device. The graphical interface includes a unified view of data associated with the first and second profiles. | 05-26-2016 |
20160154965 | Transforming Policies to Enforce Control in an Information Management System | 06-02-2016 |
20160154973 | Security Policy for Device Data | 06-02-2016 |
20160156646 | SIGNAL TOKENS INDICATIVE OF MALWARE | 06-02-2016 |
20160156661 | Context-based cloud security assurance system | 06-02-2016 |
20160156662 | Deployment using a context-based cloud security assurance system | 06-02-2016 |
20160156663 | Cost-based configuration using a context-based cloud security assurance system | 06-02-2016 |
20160156664 | Administration of a context-based cloud security assurance system | 06-02-2016 |
20160156665 | Systems and Methods Involving Aspects of Hardware Virtualization such as hypervisor, detection and interception of code or instruction execution including API calls, and/or other features | 06-02-2016 |
20160156666 | Secure web container for a secure online user environment | 06-02-2016 |
20160156667 | Uniform Storage and Search of Security-Related Events Derived from Machine Data from Different Sources | 06-02-2016 |
20160156668 | DISTRIBUTED APPLICATION AWARENESS | 06-02-2016 |
20160156669 | IMAGE MONITORING FRAMEWORK | 06-02-2016 |
20160156670 | METHOD AND APPARATUS FOR TRANSFORMING APPLICATION ACCESS AND DATA STORAGE DETAILS TO PRIVACY POLICIES | 06-02-2016 |
20160156671 | METHOD AND APPARATUS FOR MULTI-TENANCY SECRETS MANAGEMENT IN MULTIPLE DATA SECURITY JURISDICTION ZONES | 06-02-2016 |
20160162689 | Basic Input/Output System (BIOS) Security Display - Methods and systems for generating and using a BIOS security display include determining whether a change in a BIOS user setting is associated with security of an information handling system. When the BIOS user setting is associated with security, a security level for the BIOS may be calculated based on weighted security values for BIOS user settings. Security levels for boot phases may also be individually calculated. The security levels may be displayed in the BIOS to the user when the BIOS user setting is changed. | 06-09-2016 |
20160162695 | METHOD, APPARATUS, AND COMPUTER-READABLE MEDIUM FOR DATA EXCHANGE - Presented are a method, apparatus, and computer-readable medium for data exchange. The method includes specifying, by a user equipment (UE), a first data, and creating, by the UE, a rule set, the rule set governing access to the first data. The method further includes uploading, by the UE, the first data with the rule set to a user selected server, the first data being accessible at the user selected server based on the rule set. | 06-09-2016 |
20160162704 | METHOD AND APPARATUS FOR GENERATING PRIVACY PROFILES - A privacy processing system may use privacy rules to filter sensitive personal information from web session data. The privacy processing system may generate privacy profiles or privacy metadata that identifies how often the privacy rules are called, how often the privacy rules successfully complete actions, and the processing time required to execute the privacy rules. The privacy profiles may be used to detect irregularities in the privacy filtering process that may be associated with a variety of privacy filtering and web session problems. | 06-09-2016 |
20160164835 | NETWORK CONSOLIDATION BY MEANS OF VIRTUALIZATION - An apparatus, comprising an enhanced function block and a stateless function block; main routing means for routing, based on a header of a data packet and an incoming port, the data packet to one of the enhanced function block and the stateless function block; wherein the enhanced function block comprises providing means for providing information comprised in the data packet to a control device; an enhanced function means for executing an enhanced function on the data packet to obtain a first processed data packet addressed to a destination address, wherein the enhanced function is based on an instruction for the data packet received in response to the provided information; and a first routing means for routing the first processed data packet to the destination address; and the stateless function block comprises a stateless function means for executing a stateless function on the data packet, wherein the stateless function is not based on an instruction for the data packet received in response to providing information comprised in the data packet to a control device, in order to, thus, obtain a second processed data packet; and returning means for returning the second processed data packet to the main routing means. | 06-09-2016 |
20160164836 | SECURITY DEVICE IMPLEMENTING NETWORK FLOW PREDICTION - A security device for processing network flows is described, including: one or more packet processors configured to receive incoming data packets associated with network flows where a packet processor is assigned as an owner of network flows and each packet processor processes data packets associated with flows for which it is the assigned owner; and a packet processing manager configured to assign ownership of network flows to the packet processors where the packet processing manager includes a global flow table containing global flow table entries mapping network flows to packet processor ownership assignments and a predict flow table containing predict flow entries mapping predicted network flows to packet processor ownership assignments. A predict flow entry includes a predict key and associated packet processor ownership assignment. The predict key includes multiple data fields identifying a predicted network flow where one or more of the data fields have a wildcard value. | 06-09-2016 |
20160164851 | AUTHENTICATING MOBILE APPLICATIONS USING POLICY FILES - Examples of techniques for authenticating mobile applications are described herein. A method includes receiving, at a first server, a key pair and a policy file associated with a mobile service on a second server, where the policy file includes a plurality of security objects to be authenticated, a plurality of computing devices to authenticate the security objects, and an order of authentication. The method includes distributing the key pair and the policy file to a security device. The method also includes receiving, at the first server, an authentication request from a mobile application. The method further includes creating an authenticity challenge as specified in the policy file and sending the authenticity challenge with a response to the mobile application. | 06-09-2016 |
20160164866 | SYSTEM AND METHOD FOR APPLYING DIGITAL FINGERPRINTS IN MULTI-FACTOR AUTHENTICATION - A method for multi-factor authentication with a first client includes receiving a request associated with the first client, initiating an authentication transaction, generating a digital fingerprint based on a set of client properties collected in association with the first client, identifying a second client from data associated with the authentication transaction, analyzing a digital fingerprint based on a set of stored digital fingerprints; generating a concern metric based on the analysis; and notifying an entity that the login request may have originated from an unauthorized source. | 06-09-2016 |
20160164871 | FAIL-SAFE DISTRIBUTED ACCESS CONTROL SYSTEM - A distributed system includes two or more components, where at least one of the components is a Policy Decision Point (PDP). The PDP is capable of requesting information from another component of the distributed system, and the PDP is capable of executing an authorization process based on one or more policies defined in a policy language. The policy language includes a communicate command, an execution of which causes the PDP to request information from another component in the distributed system. The policy language also includes a fail operator, which defines handling of failures of the communicate command. An analysis tool for analyzing a result of an authorization process in a Policy Decision Point is also described. | 06-09-2016 |
20160164880 | Systems And Methods Of Transaction Authorization Using Server-Triggered Switching To An Integrity-Attested Virtual Machine - Described systems and methods allow a client system to carry out secure transactions with a remote service-providing server, in applications such as online banking and e-commerce. The server may evaluate each transaction to determine whether the transaction requires security clearance, according to criteria including, among others, a transaction amount, a location of the client system, and/or a history of transactions carried out for the respective user. In some embodiments, when the transaction requires security clearance, the server instructs the client system to switch to executing a secure virtual machine. In some embodiments, most transaction details (e.g., a selection of merchandise, an amount of a bank transfer, a delivery address) are sent to the server from a regular browser application, while a transaction authorization is sent to the server from within the secure virtual machine. | 06-09-2016 |
20160164887 | Malicious Program Finding And Killing Device, Method And Server Based On Cloud Security - Disclosed are a malicious program finding and killing device, method and server. The device comprises: one or more non-transitory computer readable media configured to store computer-executable instructions; at least one processor to execute the computer-executable instructions to perform operations comprising: sending information to a server, and receiving information returned by the server; starting a scan task to scan an object to be scanned, calculating an index tag of a file scanned, sending the index tag to the server, and receiving a script returned by the server, the script being found according to the index tag and corresponding to the file scanned; and executing the received script to find and kill the malicious program in the file scanned. | 06-09-2016 |
20160164891 | CLASSIFYING KILL-CHAINS FOR SECURITY INCIDENTS - Systems, methods, and software described herein provide security actions based on the current state of a security threat. In one example, a method of operating an advisement system in a computing environment with a plurality of computing assets includes identifying a security threat within the computing environment. The method further includes, in response to identifying the security threat, obtaining state information for the security threat within the computing environment, and determining a current state for the security threat within the computing environment. The method also provides obtaining enrichment information for the security threat and determining one or more security actions for the security threat based on the enrichment information and the current state for the security threat. | 06-09-2016 |
20160164895 | MANAGEMENT OF SECURITY ACTIONS BASED ON COMPUTING ASSET CLASSIFICATION - Systems, methods, and software described herein provide for responding to security threats in a computing environment based on the classification of computing assets in the environment. In one example, a method of operating an advisement computing system includes identifying a security threat for an asset in the computing environment, and identifying a classification for the asset in relation to other assets within the computing environment. The method further provides determining a rule set for the security threat based on the classification for the asset and initiating a response to the security threat based on the rule set. | 06-09-2016 |
20160164908 | CONTAINMENT OF SECURITY THREATS WITHIN A COMPUTING ENVIRONMENT - Systems, methods, and software described herein provide for identifying and implementing security actions within a computing environment. In one example, a method of operating an advisement system to provide security actions in a computing environment includes identifying communication interactions between a plurality of computing assets and, after identifying the communication interactions, identifying a security incident in a first computing asset. The method further provides identifying at least one related computing asset to the first asset based on the communication interactions, and determining the security actions to be taken in the first computing asset and the related computing asset. | 06-09-2016 |
20160164909 | LEARNING BASED SECURITY THREAT CONTAINMENT - Systems, methods, and software described herein provide action recommendations to administrators of a computing environment based on effectiveness of previously implemented actions. In one example, an advisement system identifies a security incident for an asset in the computing environment, and obtains enrichment information for the incident. Based on the enrichment information, a rule set and associated recommended security actions are identified for the incident. Once the recommended security actions are identified, a subset of the action recommendations is organized based on previous action implementations in the computing environment, and the subset is provided to an administrator for selection. | 06-09-2016 |
20160164913 | ACCESS CONTROL TO FILES BASED ON SOURCE INFORMATION - The present invention is a security tool for protection of data on a mobile computing device. The security tool provides a plurality of security policies to be enforced based on source information for the data and a location associated with a network environment in which a mobile device is operating. The security tool may be either located at the mobile computing device or at the server. The security tool includes a file access module for determining whether files are visible or accessible. The file access module comprises a tag generator, an association module, and a policy enforcement module. The tag generator creates source information for the file being accessed and the policy enforcement module determines what actions, if any, can be performed on the file and under what conditions such as location and network environment, type of file and other factors. | 06-09-2016 |
20160164914 | METHODS AND APPARATUS FOR PROVIDING A SECURE OVERLAY NETWORK BETWEEN CLOUDS - A process capable of automatically establishing a secure overlay network (“SON”) across different clouds is disclosed. The process, in one aspect, receives a first request from a first node in a first cloud for establishing a SON. After receiving a second request for connecting to the SON from a second node in a second cloud, a first connection is established connecting between the first node and the second node utilizing a network security protocol such as Internet Protocol Security (“IPSec”). After receiving a third request for connecting to the SON from a third node in a third cloud, a second connection is used to connect between the first node and the third node. A third connection is used to connect between the second node and the third node. Each subsequent request for connecting to the SON from a new node results in new connections between the new node and each existing node in the SON forming a full-mesh. | 06-09-2016 |
20160164915 | PRIVACY POLICY RATING SYSTEM - A system includes a processor and a memory accessible to the processor. The memory stores instructions that, when executed by the processor, cause the processor to determine a privacy policy score for one of an application and a website and provide the privacy policy score to a device. | 06-09-2016 |
20160164916 | AUTOMATED RESPONSES TO SECURITY THREATS - Systems, methods, and software described herein provide security actions to computing assets of a computing environment. In one example, a method of operating an advisement system to manage security actions for a computing environment includes identifying a security incident for an asset in the environment, and obtaining enrichment information about the security incident. The method further includes identifying a rule set based on the enrichment information, identifying an action response based on the rule set, and initiating implementation of the action response in the computing environment. | 06-09-2016 |
20160164917 | ACTION RECOMMENDATIONS FOR COMPUTING ASSETS BASED ON ENRICHMENT INFORMATION - Systems, methods, and software described herein provide security action recommendations to administrators of a computing environment. In one example, a method of operating an advisement system to provide action recommendations in a computing environment includes identifying a security incident for an asset in the computing environment. The method further includes, in response to identifying the security incident, gathering enrichment information about the security incident, and determining a rule set for the security incident based on the enrichment information. The method also provides recommending one or more actions to an administrator based on the rule set. | 06-09-2016 |
20160164918 | MANAGING WORKFLOWS UPON A SECURITY INCIDENT - Systems, methods, and software described herein provide for managing service level agreements (SLAs) for security incidents in a computing environment. In one example, an advisement system identifies a rule set for a security incident based on enrichment information obtained for the security incident, wherein the rule set is associated with action recommendations to be taken against the incident. The advisement system further identifies a default SLA for the security incident based on the rule set, and obtains environmental characteristics related to the security incident. Based on the environmental characteristics, the advisement system determines a modified SLA for the security incident. | 06-09-2016 |
20160164919 | INCIDENT RESPONSE AUTOMATION ENGINE - Systems, methods, and software described herein enhance how security actions are implemented within a computing environment. In one example, a method of implementing security actions for a computing environment comprising a plurality of computing assets includes identifying a security action in a command language for the computing environment. The method further provides identifying one or more computing assets related to the security action, and obtaining hardware and software characteristics for the one or more computing assets. The method also includes translating the security action in the command language to one or more action procedures based on the hardware and software characteristics, and initiating implementation of the one or more action procedures in the one or more computing assets. | 06-09-2016 |
20160164920 | AUTHENTICATING MOBILE APPLICATIONS USING POLICY FILES - Examples of techniques for authenticating mobile applications are described herein. A method includes receiving, at a first server, a key pair and a policy file associated with a mobile service on a second server, where the policy file includes a plurality of security objects to be authenticated, a plurality of computing devices to authenticate the security objects, and an order of authentication. The method includes distributing the key pair and the policy file to a security device. The method also includes receiving, at the first server, an authentication request from a mobile application. The method further includes creating an authenticity challenge as specified in the policy file and sending the authenticity challenge with a response to the mobile application. | 06-09-2016 |
20160164921 | Service Channel Authentication Processing Hub - A computer system receives a service request over a service channel from a user device, initiates a challenge to the user device to provide authentication information based on a set of authenticators, and determines an initial level of authentication. When the initial level of authentication is not sufficient for the service channel or protected resource, the apparatus generates a challenge to the user device with at least one additional authenticator and determines an achieved level of authentication based on the further authentication information. When the achieved level of authentication reaches a target authentication level for the service channel, the apparatus continues processing the service request by the service channel. The computer may transfer the service request to another service channel with the authentication token obtained on the original service channel and further challenges the user device with additional authenticators when a higher level of authentication is necessary. | 06-09-2016 |
20160164922 | DYNAMIC ADJUSTMENT OF AUTHENTICATION POLICY - A computer-implemented method for managing an authentication policy for a user on a network of an organization includes determining at least one social media attribute of the user, and a social media risk value is assigned based on the at least one social media attribute of the user. The method further includes determining at least one network activity risk attribute of the user, and a network activity risk score is assigned based on the at least one network activity risk attribute. A current risk assessment score of the user is calculated based on the social media risk value and the network activity risk score. An authentication policy for the user is determined based on the current risk assessment score. | 06-09-2016 |
20160171206 | Hardware-Based Device Authentication | 06-16-2016 |
20160171234 | Approach For Managing Access To Electronic Documents On Network Devices Using Document Analysis, Document Retention Policies And Document Security Policies | 06-16-2016 |
20160171237 | IMPLEMENTATION OF DATA PROTECTION POLICIES IN ETL LANDSCAPES | 06-16-2016 |
20160171240 | METHOD OF PRIVACY PRESERVING DURING AN ACCESS TO A RESTRICTED SERVICE | 06-16-2016 |
20160173465 | TECHNOLOGIES FOR VERIFYING AUTHORIZED OPERATION OF SERVERS | 06-16-2016 |
20160173485 | SYSTEM AND METHOD FOR RECOGNIZING MALICIOUS CREDENTIAL GUESSING ATTACKS | 06-16-2016 |
20160173531 | CONTEXT BASED DYNAMICALLY SWITCHING DEVICE CONFIGURATION | 06-16-2016 |
20160173532 | ELECTRONIC DEVICE AND METHOD FOR SUGGESTING RESPONSE MANUAL IN OCCURRENCE OF DENIAL | 06-16-2016 |
20160173533 | Systems and Methods for Assessing the Compliance of a Computer Across a Network | 06-16-2016 |
20160173534 | PROTECTED APPLICATION STACK AND METHOD AND SYSTEM OF UTILIZING | 06-16-2016 |
20160173535 | CONTEXT-AWARE NETWORK SERVICE POLICY MANAGEMENT | 06-16-2016 |
20160179554 | METHODS, SYSTEMS AND APPARATUS TO INITIALIZE A PLATFORM | 06-23-2016 |
20160180093 | PROVISIONING LOCATION-BASED SECURITY POLICY | 06-23-2016 |
20160182491 | METHODS, SYSTEMS AND APPARATUS TO MANAGE AN AUTHENTICATION SEQUENCE | 06-23-2016 |
20160182516 | PRESENTING AUTHORIZED DATA TO A TARGET SYSTEM | 06-23-2016 |
20160182524 | SYSTEM PLATFORM FOR CONTEXT-BASED CONFIGURATION OF COMMUNICATION CHANNELS | 06-23-2016 |
20160182525 | SECURITY AND PERMISSION ARCHITECTURE | 06-23-2016 |
20160182529 | SYSTEMS AND METHODS FOR SECURE LOCATION-BASED DOCUMENT VIEWING | 06-23-2016 |
20160182531 | INPUT VERIFICATION | 06-23-2016 |
20160182534 | RELIABLE SELECTION OF SECURITY COUNTERMEASURES | 06-23-2016 |
20160182557 | MULTI-DIMENSIONAL GEOMETRY FOR ENHANCEMENT OF SIMULATIONS OF NETWORK DEVICES | 06-23-2016 |
20160182559 | POLICY-BASED NETWORK SECURITY | 06-23-2016 |
20160182561 | ROUTE MONITORING SYSTEM FOR A COMMUNICATION NETWORK | 06-23-2016 |
20160182565 | LOCATION-BASED NETWORK SECURITY | 06-23-2016 |
20160182567 | Techniques to Deliver Security and Network Policies to a Virtual Network Function | 06-23-2016 |
20160182568 | METHOD AND SYSTEM FOR PORTING GATEWAY FUNCTIONALITY ASSOCIATED WITH A USER FROM A FIRST GATEWAY TO ONE OR MORE OTHER GATEWAYS | 06-23-2016 |
20160182569 | Real-Time Module Protection | 06-23-2016 |
20160182570 | SYSTEM AND METHOD FOR IMPLEMENTING DATA MIGRATION WHILE PRESERVING SECURITY POLICIES OF A SOURCE FILER | 06-23-2016 |
20160182663 | MOBILE CONTENT MANAGEMENT FOR OFFLINE CONTENT ACCESS | 06-23-2016 |
20160188871 | Managing Opt-In and Opt-Out for Private Data Access - Concepts and technologies disclosed herein are for managing opt-in and opt-out for private data access. According to one aspect disclosed herein, a mobile device can receive a request to obtain private data associated with a user of the mobile device and, in response to the request, determine whether an application program associated with the request is permitted to access the private data based upon a rule. The mobile device, in response to determining that the application program is permitted to access the private data based upon the rule, can instruct the application program to proceed to obtain the private data. The mobile device, in response to determining that the application program is not permitted to access the private data based upon the rule, can instruct the application program to avoid obtaining the private data. | 06-30-2016 |
20160188891 | ENTITLEMENT SECURITY AND CONTROL - A system, apparatus, and method are provided for entitlement security and control. An example method includes granting an entitlement permission after an entitlement request for the computer user has been determined to satisfy one or more predetermined entitlement rules for one or more computer resources of a computing device. Also, an audit trail is generated, comprising information relating to the computer user receiving the entitlement permission. In addition, a change to one or more user characteristics of the computer user in one or more data sources is tracked. The audit trail is automatically updated to reflect the change to the one or more data sources. Other embodiments are described and claimed. | 06-30-2016 |
20160188903 | CONTROLLING ESSENTIAL LIFE DATA - A computer-implemented method for controlling essential life data, including estate content, for at least one user according to the respective user's predefined directions. The computer-implemented method includes receiving essential life data including estate content and recording it as digital data; providing a secure digital storage for receiving and storing the digital data; receiving predefined directions data indicative of the predefined directions of the respective at least one user, including the identity of a trusted person; selecting predefined access specific data in accordance with predefined access parameters, including in relation to the predefined directions data; and providing the predefined access specific data in accordance with the predefined access parameters to the trusted person and the at least one user. Accordingly, the trusted person and the at least one user have access to the digital data from the secure storage according to the predefined access parameters. | 06-30-2016 |
20160191465 | FIREWALL TECHNIQUES FOR COLORED OBJECTS ON ENDPOINTS - Threat detection instrumentation is simplified by providing and updating labels for computing objects in a context-sensitive manner. This may include simple labeling schemes to distinguish between objects, e.g., trusted/untrusted processes or corporate/private data. This may also include more granular labeling schemes such as a three-tiered scheme that identifies a category (e.g., financial, e-mail, game), static threat detection attributes (e.g., signatures, hashes, API calls), and explicit identification (e.g., what a file or process calls itself). By tracking such data for various computing objects and correlating these labels to malware occurrences, rules can be written for distribution to endpoints to facilitate threat detection based on, e.g., interactions of labeled objects, changes to object labels, and so forth. In this manner, threat detection based on complex interactions of computing objects can be characterized in a platform independent manner and pre-processed on endpoints without requiring significant communications overhead with a remote threat management facility. | 06-30-2016 |
20160191466 | DYNAMICALLY OPTIMIZED SECURITY POLICY MANAGEMENT - Methods and systems for dynamically optimized rule-based security policy management are provided. A request is received by a network security management device to add a new traffic flow policy rule to multiple existing policy rules managed by the network security management device. Dependencies of the new traffic flow policy rule on the existing policy rules are automatically determined. An updated set of policy rules is formed by incorporating the new traffic flow policy rule within the existing policy rules based on the dependencies. The updated set of policy rules is then optimized by grouping, reordering and/or deleting a sub-set of policy rules of the updated set of policy rules based on one or more of weights assigned to particular types of traffic, preference settings, priority settings, network traffic characteristics and usage statistics for each policy rule of the updated set of policy rules. | 06-30-2016 |
20160191521 | INTROSPECTION METHOD AND APPARATUS FOR NETWORK ACCESS FILTERING - Some embodiments of the invention provide a method for performing network access filtering and/or categorization through guest introspection (GI) on a device. In some embodiments, this GI method intercepts directly on a device a data message that device is preparing to send, and uses a service appliance to determine whether the data message can be sent. The device in some embodiments is a guest virtual machine (VM) that executes on a multi-VM host computing device along with a service VM (SVM) that is the service appliance that determines whether the data message can be sent based on a set of filtering rules. In some embodiments, the method uses one or more introspectors (e.g., network introspector and/or file introspector) to capture introspection data from the guest VM (GVM) about the data message that the GVM is preparing to send. To perform the network access filtering, the GI method in some embodiments captures contextual information, such as user and application information (e.g., application associated with a particular URL request). Hence, in some embodiments, this method seamlessly processes granular user-aware URL filtering rules (e.g., members of the sales organization can access social networking sites but not other members). This approach requires no additional configuration on networking infrastructure. | 06-30-2016 |
20160191526 | PEER TO PEER ENTERPRISE FILE SHARING - Disclosed are various embodiments for facilitating the distribution of files from a file repository. Files from a file repository can be distributed via peer to peer transmissions where the peer devices can perform authentication functions. The authentication can be performed based upon metadata associated with the files as well as based upon authentication requests submitted to an authentication server. | 06-30-2016 |
20160191539 | SYSTEM, METHOD AND COMPUTER PROGRAM PRODUCT FOR PUBLICLY PROVIDING WEB CONTENT USING A MULTI-TENANT SYSTEM - In accordance with embodiments, there are provided mechanisms and methods for publicly providing web content of a tenant using a multi-tenant on-demand database service. These mechanisms and methods for publicly providing web content of a tenant using a multi-tenant on-demand database service can allow the web content to be published by a tenant using the multi-tenant on-demand database service for use by non-tenants of the multi-tenant on-demand database service. | 06-30-2016 |
20160191545 | SYSTEMS AND METHODS FOR MONITORING VIRTUAL NETWORKS - The disclosed computer-implemented method for monitoring virtual networks may include (1) identifying a virtual network containing at least one virtualized switching device that routes network traffic from a source port within the virtual network to a destination port, (2) providing, within the virtualized switching device, a set of software-defined network rules containing criteria for identifying packets having at least one predetermined property associated with a security policy, (3) intercepting, at the source port, a packet destined for the destination port, (4) determining that at least one characteristic of the packet satisfies at least one of the rules, and (5) in response to determining that the characteristic of the packet satisfies at least one of the rules, forwarding a copy of the packet to a virtual tap port that analyzes the packet for security threats. Various other methods, systems, and computer-readable media are also disclosed. | 06-30-2016 |
20160191550 | MICROVISOR-BASED MALWARE DETECTION ENDPOINT ARCHITECTURE - A threat-aware microvisor may be deployed in a malware detection endpoint architecture and execute on an endpoint to provide exploit and malware detection within a network environment. Exploit and malware detection on the endpoint may be performed in accordance with one or more processes embodied as software modules or engines configured to detect suspicious and/or malicious behaviors of an operating system process (object), and to correlate and classify the detected behaviors as indicative of malware. Detection of suspicious and/or malicious behaviors may be performed by static and dynamic analysis of the object. Static analysis may perform examination of the object to determine whether it is suspicious, while dynamic analysis may instrument the behavior of the object as the operating system process runs via capability violations of, e.g. operating system events. A behavioral analysis logic engine and a classifier may thereafter cooperate to perform correlation and classification of the detected behaviors. | 06-30-2016 |
20160191556 | BLOCKING INTRUSION ATTACKS AT AN OFFENDING HOST - A method, apparatus, and program product are provided for protecting a network from intrusions. An offending packet communicated by an offending host coupled to a protected network is detected. In response to the detection, a blocking instruction is returned to the offending host to initiate an intrusion protection operation on the offending host, where the blocking instruction inhibits further transmission of offending packets by the offending host. At the offending host, a blocking instruction is received with a portion of an offending packet. The offending host verifies that the offending packet originated from the host. In response to the verification of the offending packet originating from the host, an intrusion protection operation is initiated on the host thereby inhibiting transmission of a subsequent outbound offending packet by the host. | 06-30-2016 |
20160191567 | REAL-TIME MOBILE SECURITY POSTURE - In an example, a system and method for real-time mobile security posture updates is provided. A mobile device management (MDM) agent may run on the mobile device, and may register with the operating system one or more mobile security posture change events that may affect the mobile security posture. These may include, for example, installation of an MDM agent, uninstallation of a program, connecting to a secured or unsecured network, or similar. When any such event occurs, the OS lodges the event with the MDM agent, which then communicates with an MDM server engine to potentially receive new security instructions. Lodging the event may include providing a joint user-and-device authentication to the MDM server, such as via SAML. | 06-30-2016 |
20160191568 | SYSTEM AND RELATED METHOD FOR NETWORK MONITORING AND CONTROL BASED ON APPLICATIONS - A network architecture system that expands the control network administrators have on existing networks. The system provides application identification and usage data, by user, by device and network location. Dynamic traffic mirroring of the system allows for the efficient use of a tool to identify computer applications running on the network. The system includes the ability to embed the tool where needed rather than pervasively based on the use of the dynamic mirroring to bring the packets to the tool. The architecture implemented functions allow the ability to start small with a single application identification tool added to a network management server, examine flows from throughout the network (via mirroring) and upgrade policy control based on real application identification data and usage, then grow to pervasive deployment where virtually all new flows could be identified and controlled via policy. This architecture enables substantially complete application visibility and control. | 06-30-2016 |
20160191569 | DISTRIBUTED SECURE CONTENT DELIVERY - Techniques for distributed and secure content delivery are provided. Requests for content are routed to a centralized service where the requestors are authenticated for access to the content. The centralized service generates access statements for the requestors. The requestors are redirected to particular distributed content services having access to the desired content. The distributed content services verify the access statements and vend the desired content to the requestors. | 06-30-2016 |
20160191570 | METHOD AND APPARATUS FOR DISTRIBUTING FIREWALL RULES - Some embodiments of the invention provide a novel method for specifying firewall rules. In some embodiments, the method provides the ability to specify, for a particular firewall rule, a set of network nodes (also called a set of enforcement points below) at which the particular firewall rule should be enforced. To provide this ability, the method of some embodiments adds an extra tuple (referred to below as the AppliedTo tuple) to a firewall rule. This added AppliedTo tuple lists the set of enforcement points at which the firewall rule has to be applied (i.e., enforced). | 06-30-2016 |
20160191571 | APPLICATIONS PROCESSING IN A NETWORK APPARATUS - A method and system for distributing flows between multiple processors. The flows can be received from an external source such as a network, by a front-end processor that recognizes the flow and the associated request, and identifies at least one internal applications processor to process the request/flow. The front-end processor utilizes a flow scheduling vector related to the identified applications processor(s), and the flow scheduling vector can be based on intrinsic data from the applications processor(s) that can include CPU utilization, memory utilization, packet loss, and queue length or buffer occupation. In some embodiments, applications processors can be understood to belong to a group, wherein applications processors within a group can be configured identically. A flow schedule vector can be computed for the different applications processor groups. | 06-30-2016 |
20160196424 | SECURING DATA ON UNTRUSTED DEVICES | 07-07-2016 |
20160196432 | OPERATING SYSTEM INTEGRATED DOMAIN MANAGEMENT | 07-07-2016 |
20160196446 | LIMITING EXPOSURE TO COMPLIANCE AND RISK IN A CLOUD ENVIRONMENT | 07-07-2016 |
20160196447 | Secure personal content server | 07-07-2016 |
20160197883 | FIREWALL POLICY MANAGEMENT | 07-07-2016 |
20160197884 | POLICY-BASED CONFIGURATION OF INTERNET PROTOCOL SECURITY FOR A VIRTUAL PRIVATE NETWORK | 07-07-2016 |
20160197936 | POLICY TRACKING IN A NETWORK THAT INCLUDES VIRTUAL DEVICES | 07-07-2016 |
20160197956 | APPLYING GROUP POLICIES | 07-07-2016 |
20160197957 | APPARATUS FOR MEASURING SIMILARITY BETWEEN INTRUSION DETECTION RULES AND METHOD THEREFOR | 07-07-2016 |
20160197958 | ISSUING SECURITY COMMANDS TO A CLIENT DEVICE | 07-07-2016 |
20160197959 | ASSURED FEDERATED RECORDS MANAGEMENT | 07-07-2016 |
20160197960 | IC CHIP, INFORMATION PROCESSING APPARATUS, SYSTEM, METHOD, AND PROGRAM | 07-07-2016 |
20160197961 | INTER-DOMAIN REPLICATION OF SERVICE INFORMATION | 07-07-2016 |
20160197963 | APPLICATION LAYER-BASED SINGLE SIGN ON | 07-07-2016 |
20160197964 | System and Method of Generating Verification Code | 07-07-2016 |
20160203321 | DATA DETECTION AND PROTECTION POLICIES FOR E-MAIL | 07-14-2016 |
20160203331 | PROTECTING PRIVATE INFORMATION IN INPUT UNDERSTANDING SYSTEM | 07-14-2016 |
20160205071 | PROVIDING A FAST PATH BETWEEN TWO ENTITIES | 07-14-2016 |
20160205085 | DYNAMIC ADJUSTMENT OF AUTHENTICATION MECHANISM | 07-14-2016 |
20160205099 | COMMUNICATION SYSTEM, CONTROL INSTRUCTION APPARATUS, COMMUNICATION CONTROL METHOD AND PROGRAM | 07-14-2016 |
20160205101 | Distributed Storage and Distributed Processing Query Statement Reconstruction in Accordance with a Policy | 07-14-2016 |
20160205115 | MANAGED SOFTWARE REMEDIATION | 07-14-2016 |
20160205128 | ADAPTIVE SECURITY INDICATOR FOR WIRELESS DEVICES | 07-14-2016 |
20160205129 | NETWORK APPLIANCE FOR VULNERABILITY ASSESSMENT AUDITING OVER MULTIPLE NETWORKS | 07-14-2016 |
20160205133 | TRANSPARENT DENIAL OF SERVICE PROTECTION | 07-14-2016 |
20160205137 | VISUALIZATION AND ANALYSIS OF COMPLEX SECURITY INFORMATION | 07-14-2016 |
20160205138 | REAL-TIME POLICY DISTRIBUTION | 07-14-2016 |
20160205139 | SECURED MOBILE COMMUNICATIONS DEVICE | 07-14-2016 |
20160205140 | Distributed Storage Processing Statement Interception and Modification | 07-14-2016 |
20160205141 | POLICY ENFORCEMENT BY END USER REVIEW | 07-14-2016 |
20160205142 | SECURITY-CONNECTED FRAMEWORK | 07-14-2016 |
20160205143 | ADAPTIVE NETWORK SECURITY POLICIES | 07-14-2016 |
20160205194 | METHOD FOR DETECTING FRAUDULENT FRAME SENT OVER AN IN-VEHICLE NETWORK SYSTEM | 07-14-2016 |
20160253354 | VIRTUAL PRIVATE CLOUD THAT PROVIDES ENTERPRISE GRADE FUNCTIONALITY AND COMPLIANCE | 09-01-2016 |
20160253483 | SYSTEMS, METHODS, AND APPARATUS FOR FACILITATING CLIENT-SIDE DIGITAL RIGHTS COMPLIANCE | 09-01-2016 |
20160253499 | SYSTEM AND METHOD OF MONITORING AND CONTROLLING APPLICATION FILES | 09-01-2016 |
20160253509 | IMPLEMENTING FILE SECURITY SETTINGS BASED ON CONTEXT | 09-01-2016 |
20160254954 | LOCATION-BASED DOCK FOR A COMPUTING DEVICE | 09-01-2016 |
20160255050 | SYSTEM, METHOD, APPARATUS AND MACHINE-READABLE MEDIA FOR ENTERPRISE WIRELESS CALLING | 09-01-2016 |
20160255051 | Packet processing in a multi-tenant Software Defined Network (SDN) | 09-01-2016 |
20160255062 | METHOD AND SYSTEM FOR IPSEC SECURITY FOR IPP-USB DATA | 09-01-2016 |
20160255082 | Identifying & storing followers, following users, viewers, users and connections for user | 09-01-2016 |
20160255087 | Method and Apparatus for Providing Network Security Using Role-Based Access Control | 09-01-2016 |
20160255095 | REALIZED TOPOLOGY SYSTEM MANAGEMENT DATABASE | 09-01-2016 |
20160255097 | Providing Geographic Protection To A System | 09-01-2016 |
20160255112 | MESSAGE FLOODING PREVENTION IN MESSAGING NETWORKS | 09-01-2016 |
20160255113 | Trusted Third Party Broker for Collection and Private Sharing of Successful Computer Security Practices | 09-01-2016 |
20160255114 | Lateral account mapping | 09-01-2016 |
20160255115 | Quantitative Security Improvement System Based on Crowdsourcing | 09-01-2016 |
20160255116 | ENFORCING COMPLIANCE WITH A POLICY ON A CLIENT | 09-01-2016 |
20160255117 | MOBILE DEVICE SECURITY, DEVICE MANAGEMENT, AND POLICY ENFORCEMENT IN A CLOUD BASED SYSTEM | 09-01-2016 |
20160255118 | NETWORK TRAFFIC CONTROL DEVICE, AND SECURITY POLICY CONFIGURATION METHOD AND APPARATUS THEREOF | 09-01-2016 |
20160378956 | SECURE MANAGEMENT OF HOST CONNECTIONS - An access gateway monitors a communication session to a first host for commands entered by a user, for example, commands entered by the user in a command-line terminal. When a command is received, the access gateway receives information about an effect caused by the command on the first host. The access gateway determines if the effect results in an attempt to establish a communication session between the first host and a second host, for example, to copy files from the second host. In response to determining that the effect results in an attempt to establish a communication session between the first host and the second host, an action is generated. For example, the action may be to block the attempt to establish the communication between the first host and the second host. | 12-29-2016 |
20160378987 | SELF-REPAIR AND DISTRIBUTED-REPAIR OF APPLICATIONS - A method is provided to instrument applications with an instrumentation policy that is visually configurable and allows for run-time modifications of the policy. Instrumentation is achieved without modifying the source code of the applications. Modification of the instrumentation policy of an application is applied without re-compiling, re-deploying, and re-provisioning the application. The instrumentation tracks the flow of values at run time throughout the execution of an application and fixes any security violation automatically by dynamically modifying any value that violates integrity or confidentiality. | 12-29-2016 |
20160378994 | SYSTEMS AND METHODS OF RISK BASED RULES FOR APPLICATION CONTROL - In various embodiments, an agent on a digital device may comprise a monitor module, an application identification module, a vulnerability module, a rules database, and a rule module. The monitor module may be configured to monitor a device for an instruction to execute a legitimate application. The application identification module may be configured to identify one or more attributes of the legitimate application. The vulnerability module may be configured to retrieve risk information based on the one or more attributes of the legitimate application. The risk information may be determined from known vulnerabilities of the legitimate application. The rules database may be for storing a rule associated with the risk information. The rule module may be configured to retrieve the rule from the rules database based on the risk information and to control the legitimate application based on the rule. | 12-29-2016 |
20160379010 | MASKING SENSITIVE DATA IN MOBILE APPLICATIONS - In an approach to masking data in a software application associated with a mobile computing device, one or more computer processors receive a request to display data in a software application on a mobile computing device. The one or more computer processors determine whether one or more masking rules apply to the data, where determining whether one or more masking rules apply to the data is performed by an instrumentation of application binary of the software application. In response to determining that one or more masking rules apply to the data, the one or more computer processors mask, based on the one or more masking rules, the data, where masking is performed by the instrumentation of application binary of the software application. | 12-29-2016 |
20160379012 | POLICY ENFORCEMENT DELAYS - A request to cancel a change to a policy is received. Based at least in part on delay information for the change, it is determined that the change is currently delayed, where the delay information is associated with a condition precedent for the change to become effective under a policy change policy. A determination is made regarding whether cancellation is allowed by a set of conditions for the change, and the proposed policy change is caused to be cancelled prior to a time indicated by the delay information. | 12-29-2016 |
20160380827 | TECHNIQUES FOR PASSIVELY GLEANING PROPERTIES OF COMPUTING ENTITIES - In response to communications between one or more given networks and one or more other networks, a network protection appliance discovers one or more computing resources of the one or more given networks from a plurality of protocol layers of the received communications. The network protection appliance also gleans properties of the one or more discovered computing resources of the one or more given networks from the plurality of protocol layers of the received communications. The network protection appliance maps the gleaned properties of the one or more discovered computing resources of the one or more given networks to a plurality of network protection policies. The network protection appliance also determines an applicable network protection policy for processing a corresponding received communication from the mapping of the gleaned properties of the one or more discovered given computing resources of the one or more given networks to the plurality of network protection policies. Thereafter, the network protection appliance applies the applicable network protection policies to the corresponding received communication between a computing resource of a given network and a computing resource of the other network. | 12-29-2016 |
20160380972 | METHOD AND APPARATUS FOR APPLICATION AWARENESS IN A NETWORK - A method for enforcing a network policy is described herein. In the method, a network socket event request from an application executing in a first context is intercepted by an agent prior to the request reaching a transport layer in the first context. A context refers to virtualization software, a physical computer, or a combination of virtualization software and physical computer. In response to the interception of the request, the agent requests a decision on whether to allow or deny the network socket event request to be communicated to a security server executing in a second context that is distinct from the first context. The request for a decision includes an identification of the application. The agent then receives from the security server either an allowance or a denial of the network socket event request, the allowance or denial being based at least in part on the identification of the application and a security policy. The agent blocks the network socket event from reaching the transport layer when the denial is received from the security server. In one embodiment, the method is implemented using a machine readable medium embodying software instructions executable by a computer. | 12-29-2016 |
20160381020 | COMBINED KEY SECURITY - Embodiments of the present invention disclose a method, system, and computer program product for a combined key security program. A computer receives an access request from a resource (or a device associated with the resource) which includes a combined key detailing factors corresponding to users and resources involved in the request. The computer references an access policy of the resource to which access is requested and determines whether the access policy requires state keys necessary to indicate a time, place, or other current state information. If a state key is necessary, the computer retrieves the required state key and adds it to the combined key. The computer then determines whether the combined key satisfies the referenced access policy, and if so, grants the access request, else the access request is denied. | 12-29-2016 |
20160381021 | USER MANAGED ACCESS SCOPE SPECIFIC OBLIGATION POLICY FOR AUTHORIZATION - A method sends a request for a delegated authorization grant data set, receives a delegated authorization grant data set that defines the delegated authorization grant scope, with respect to a resource. The delegated authorization grant data set includes a scope variable value having been selected by a delegator entity through a delegation grant scope user interface on the delegator device. The scope controls access to the resource in a manner limited by the scope of the delegated authorization grant defined by the delegated authorization grant data set. | 12-29-2016 |
20160381072 | TRUST OVERLAYS FOR DISAGGREGATED INFRASTRUCTURES - Trust characteristics attributable to components associated with a disaggregated infrastructure environment are obtained. A trust policy of an application to be hosted in the disaggregated infrastructure environment is obtained. The trust characteristics are compared to the trust policy. One or more of the components associated with the disaggregated infrastructure environment are selected based on the comparison step. A compute node is formed from the selected components. | 12-29-2016 |
20160381073 | CONTROLLING ACCESS TO CATEGORIZED MESSAGES - Controlling access to categorized messages includes categorizing a message into a number of categories according to a message objective, the message objective informing user association, message association, and message access rules for each of the number of categories. Controlling access to categorized messages includes determining, based on the message objective, a number of users allowed access to the message. Controlling access to categorized messages includes allowing the number of users to access the message according to the message objective. | 12-29-2016 |
20160381074 | ACTIVITY-BASED RISK SELECTION OF OPEN WI-FI NETWORKS - For activity-based risk assessment of open Wi-Fi networks, an activity occurring at a consumer application is analyzed to determine that a connection with a first open Wi-Fi network is to be used in conjunction with the activity. From an entry representing the activity in a risk profile, a risk level of the activity is selected. Whether an overall risk value of the first network exceeds the risk level of the activity is determined. When the overall risk value of the first network exceeds the risk level of the activity, the connection with the first network is terminated. A second open Wi-Fi network with a second overall risk value that does not exceed the risk level of the activity is selected. A second connection with the second network is established. The activity is allowed to proceed using the second connection with the second network. | 12-29-2016 |
20160381076 | SERVICE LEVEL AGREEMENTS AND APPLICATION DEFINED SECURITY POLICIES FOR APPLICATION AND DATA SECURITY REGISTRATION - According to one embodiment, a method includes determining one or more communication requirements for an application or application instance operating on a server in a network using an ADPL. The method also includes providing, by the ADPL, one or more communication and security policies to at least one security appliance in the network based on the one or more communication requirements of the application or application instance. The method may also include registering, by the ADPL, a new application or application instance and sending details of the new application or application instance to a policy orchestrator. Moreover, the method may include receiving, by the ADPL from the policy orchestrator, feedback pursuant to a service level agreement for an application group to which the new application or application instance belongs. | 12-29-2016 |
20160381078 | AUTHENTICATOR FOR USER STATE MANAGEMENT - Different types of soft-lockout policies can be associated with different organizations (or groups) in an identity management system. Each soft-lockout policy can indicate different parameters such as a number of login attempts allowed and an amount of time that a user account will be locked out if the maximum allowed attempts are exceeded unsuccessfully. Users can be associated with the different organizations. For each user, the soft-lockout policies for the organization with which that user is associated are applied to that user when that user attempts to log in. Thus, different groups of users can be handled with different security behaviors regarding unsuccessful login attempts. If, for example, a user were moved from one organization to another, then the soft-lockout policies associated with the user's new organization would become applicable to that user. | 12-29-2016 |
20160381080 | SYSTEMS AND METHODS FOR FLEXIBLE, EXTENSIBLE AUTHENTICATION SUBSYSTEM THAT ENABLED ENHANCE SECURITY FOR APPLICATIONS - The present disclosure is directed towards systems and methods of authenticating a client. A device intermediary to clients and servers that provide one or more resources can receive a request from a client to access a resource of the one or more resources. The device can select a login schema associated with the request that includes a definition of a login form. The login schema may correspond to an authentication protocol. The device can generate the login form responsive to the request. The login form can be constructed according to the definition provided by the selected login schema. The device can provide the login form for display via the client. The device can receive information inputted into the login form via the client. The device can establish access to the resource responsive to authentication of the client based on the information and the authentication protocol. | 12-29-2016 |
20160381081 | System, Apparatus And Method For Access Control List Processing In A Constrained Environment - In one embodiment, a method includes receiving a first request from a first device to access a first resource of the system and determining whether to grant access to the first resource based on a first access control list stored in the system, the first access control list associated with the first device, the first device having a first relevance value, and based on the determination, granting the access to the first resource; and receiving a second request from a second device to access a second resource of the system and forwarding the second request to an access manager service coupled to the system to determine whether to grant access to the second resource based on a second access control list stored in the access manager service associated with the second device, the second device having a second relevance value, receive an access grant from the access manager service and based thereon, granting the access to the second resource. | 12-29-2016 |
20160381558 | Policy-Based Protection of Non-Informing Spectrum Operations - A spectrum access system (SAS) and policy engine (PE) application are provided that facilitate the detection, classification and protection of a non-informing spectrum user in a spectrum sharing environment. The SAS may contain a policy database. Wireless access points with an embedded PE software application may retrieve a spectrum policy configuration specific to their immediate location and capabilities and may use the policy configuration to efficiently detect, classify and protect a non-informing spectrum user from radio frequency interference without disclosing details about the detected spectrum operations. | 12-29-2016 |
20170235956 | CONTROLLED SECURE CODE AUTHENTICATION | 08-17-2017 |
20170235958 | METHODS, SYSTEMS AND APPARATUS TO INITIALIZE A PLATFORM | 08-17-2017 |
20170235965 | PREVENTION OF A PREDETERMINED ACTION REGARDING DATA | 08-17-2017 |
20170237745 | ENFORCING LABEL-BASED RULES ON A PER-USER BASIS IN A DISTRIBUTED NETWORK MANAGEMENT SYSTEM | 08-17-2017 |
20170237776 | SUSPICIOUS MESSAGE PROCESSING AND INCIDENT RESPONSE | 08-17-2017 |
20170237778 | CONTINUOUS SECURITY DELIVERY FABRIC | 08-17-2017 |
20170238185 | MANAGING APPLICATIONS ACROSS MULTIPLE MANAGEMENT DOMAINS | 08-17-2017 |
20170238186 | METHOD FOR CONTROL AND ENFORCEMENT OF POLICY RULE AND EUICC | 08-17-2017 |
20180025180 | EXTERNAL RESOURCE CONTROL OF MOBILE DEVICES | 01-25-2018 |
20180026827 | Functionality Management via Application Modification | 01-25-2018 |
20180026988 | On-Demand Security Policy Activation | 01-25-2018 |
20180027008 | DEVICE ACTIVITY AND DATA TRAFFIC SIGNATURE-BASED DETECTION OF MOBILE DEVICE HEALTH | 01-25-2018 |
20180027019 | PRIVACY-PRESERVING USER-EXPERIENCE MONITORING | 01-25-2018 |
20180027020 | AUTOMATIC PORT VERIFICATION AND POLICY APPLICATION FOR ROGUE DEVICES | 01-25-2018 |
20180027021 | MANAGING SECURITY POLICY | 01-25-2018 |
20180027022 | Application-based security rights in cloud environments | 01-25-2018 |
20180027023 | SYSTEM AND METHOD FOR SUPPORTING WEB SERVICES IN A MULTITENANT APPLICATION SERVER ENVIRONMENT | 01-25-2018 |
20180027024 | INTEGRATING POLICIES FROM A PLURALITY OF DISPARATE MANAGEMENT AGENTS | 01-25-2018 |
20190147176 | SYSTEM AND METHOD FOR RECEIVING USER DATA USING A DATA ENTRY MECHANISM ACTIVATED FOR AN APPLICATION | 05-16-2019 |
20190147177 | SYSTEM AND METHOD FOR ACTIVATING A DATA ENTRY MECHANISM FOR AN APPLICATION BASED ON SECURITY REQUIREMENTS | 05-16-2019 |
20190147180 | Resource-free prioritizing in high availability external security systems | 05-16-2019 |
20190149531 | IDENTITY EXPERIENCE FRAMEWORK | 05-16-2019 |
20190149553 | METHOD, DEVICE AND SERVER FOR MANAGING USER LOGIN SESSIONS | 05-16-2019 |
20190149556 | ACCESS POLICY UPDATES IN A DISPERSED STORAGE NETWORK | 05-16-2019 |
20190149568 | DEVICE ACTIVITY AND DATA TRAFFIC SIGNATURE-BASED DETECTION OF MOBILE DEVICE HEALTH | 05-16-2019 |
20190149579 | IDENTITY EXPERIENCE FRAMEWORK | 05-16-2019 |
20190149580 | USING INDICATIONS OF COMPROMISE FOR REPUTATION BASED NETWORK SECURITY | 05-16-2019 |
20190149581 | METHOD AND SYSTEM FOR INTRODUCING IN-NETWORK SERVICES IN AN END-TO-END COMMUNICATION PATH | 05-16-2019 |
20220138337 | ONLINE SOFTWARE PLATFORM (OSP) EXTRACTING DATA OF CLIENT FOR IMPROVED ON-BOARDING OF THE CLIENT ONTO THE OSP - A novel architecture of connections and Graphical User Interfaces (GUIs) is used to facilitate extracting a client business's data that is stored in some locations, and copying it to other locations for further processing according to digital rules. | 05-05-2022 |
20220141182 | TRANSPORT LAYER SIGNALING SECURITY WITH NEXT GENERATION FIREWALL - Techniques for transport layer signaling security with next generation firewall are disclosed. In some embodiments, a system/process/computer program product for transport layer signaling with next generation firewall includes monitoring transport layer signaling traffic on a service provider network at a security platform; and filtering the transport layer signaling traffic at the security platform based on a security policy. | 05-05-2022 |
20220141220 | DEVICE RISK LEVEL BASED ON DEVICE METADATA COMPARISON - An authentication system determines a risk level for a client device impersonating a client device enrolled in authentication services by comparing device metadata for the impersonating client device to device metadata for the enrolled client device. As part of enrolling the enrolled client device, the authentication system associates one or more authentication credentials with the enrolled client device. In order to authenticate access requests associated with a client device identified as the enrolled client device, the authentication system obtains an authentication token from the client device generated using the authentication credentials and also obtains device metadata corresponding to the client device. Based on the device metadata comparison during authentication, the authentication system detects device metadata anomalies and uses detected device metadata anomalies to determine a risk level for the client device. Based on the risk level, the authentication system authorizes or denies the client device from accessing requested services. | 05-05-2022 |
20220141221 | Smart Computing Device Implementing Network Security and Data Arbitration - Aspects of the disclosure provide for a method implemented by a smart device executing an artificial intelligence electronic assistant application. In at least some examples, the method includes receiving a request from an appliance in a same local network as the smart device, the request to transfer first data from the appliance to a first device located outside the local network. The method also includes facilitating the transfer of the first data from the appliance to the first device based at least in part on security policies of the smart device and content of the first data. | 05-05-2022 |
20220141228 | Dynamic Authorization Rule Stacking and Routing Across Multiple Systems - A system includes a hardware processor that executes a software code to receive an authorization request on behalf of a user for a stacked resource including resources offered separately by multiple resource providers, determine resource provider computers associated with the stacked resource, and send a look-up request including an electronic identity of the user to those computers, where the electronic identity is used as a look-up key for determining user attribute(s) of the user. The software code further receives the user attribute(s) from the resource provider computers, generates an accumulated access profile of the user based on the user attribute(s), applies the profile to a rules engine to determine a stacked access result, and routes the authorization request and the stacked access result to one of the resource provider computers, where that computer completes an authorization process for access to the stacked resource based on the stacked access result. | 05-05-2022 |
20220141256 | METHOD AND SYSTEM FOR PERFORMING SECURITY MANAGEMENT AUTOMATION IN CLOUD-BASED SECURITY SERVICES - A method of performing a security management automation in an Interface to Network Security Functions (I2NSF) system is disclosed. The method comprises receiving a high-level security policy via a consumer-facing interface; translating the high-level security policy into a low-level security policy based on an automatic mapping model; transmitting the low-level security policy to a network security function (NSF) via an NSF-facing interface, wherein the low-level security policy is applied to a system of the NSF; receiving monitoring data for a network security from the NSF; reconfiguring a security policy based on the monitoring data; and transmitting the reconfigured security policy to the NSF via the NSF-facing interface. The reconfigured security policy is updated to a system of the NSF. | 05-05-2022 |
20220141257 | DATA PROCESSING SYSTEMS FOR DATA-TRANSFER RISK IDENTIFICATION, CROSS-BORDER VISUALIZATION GENERATION, AND RELATED METHODS - In particular embodiments, a Cross-Border Visualization Generation System is configured to: (1) identify one or more data assets associated with a particular entity; (2) analyze the one or more data assets to identify one or more data elements stored in the identified one or more data assets; (3) define a plurality of physical locations and identify, for each of the identified one or more data assets, a respective particular physical location of the plurality of physical locations; (4) analyze the identified one or more data elements to determine one or more data transfers between the one or more data systems in different particular physical locations; (5) determine one or more regulations that relate to the one or more data transfers; and (6) generate a visual representation of the one or more data transfers based at least in part on the one or more regulations. | 05-05-2022 |