Abstract: Systems and methods for protecting a data item include, upon initiation of transfer of the data item from a server to a client device, determining a sensitivity score and a current protection level of the data item. A policy is applied to determine an appropriate protection for the data item based upon the sensitivity score and the current protection level. A protected data item is provided to the client device by applying the appropriate protection to the data item.

Abstract: A technique is provided for continuous user authentication through real-time fusion and correlation of multiple factors. Monitored data is continuously obtained from a computer. The monitored data is related to user actions on the computer of a user. A server analyzes the monitored data of the computer to execute a windowing system event sequences modality, a network footprint modality, an application specific user actions modality, and/or a forensic linguistic analysis modality for the user. The user is authenticated on the computer based on a combination of the windowing system event sequences modality, the network footprint modality, the application specific user actions modality, and/or the forensic linguistic analysis modality.

Abstract: Using a stochastic queuing model to determine adjustments to be made to authentication system operation. In light of operational parameter values and the stochastic queuing model, a determination is made that adjusting the value of a particular parameter for handling authentication requests is likely to improve some aspect of system performance, and the request handling parameter is adjusted accordingly.

Abstract: Systems and methods for protecting a data item include, upon initiation of transfer of the data item from a server to a client device, determining a sensitivity score and a current protection level of the data item. A policy is applied to determine an appropriate protection for the data item based upon the sensitivity score and the current protection level. A protected data item is provided to the client device by applying the appropriate protection to the data item.

Abstract: Embodiments include a network data collection and response system for enhancing security in an enterprise network providing a user-supplied computing device with access to the network. A network data collection and response system tracks network activity of the device and maintains a device inventory recording the device type and configuration information for the device along with a resource utilization profile for the device. The network data collection and response system detects high-risk or unauthorized network activity involving the device through passive monitoring without utilization of a data monitoring agent installed on the device and implements a response action to mitigate the high-risk or unauthorized network.

Abstract: Systems and methods for protecting a data item include, upon initiation of transfer of the data item from a server to a client device, determining a sensitivity score and a current protection level of the data item. A policy is applied to determine an appropriate protection for the data item based upon the sensitivity score and the current protection level. A protected data item is provided to the client device by applying the appropriate protection to the data item.

Abstract: A method (and structure) for enforcing authentication and authorization includes making a resource access request, by a client application being executed by a processor on a digital device, to invoke authentication and authorization services to evaluate the resource access request by the client application. A security application on the digital device is activated and executed, the security application being separate from the client application, the security application including instructions for processing a challenge-response protocol for the resource access request. The client application communicates outside the digital device using a primary communication channel and the security application uses a secondary communication channel that is out-of-band from the primary communication channel.

Abstract: Generating a resource access control decision is provided. A user trust value associated with a user identifier of a user requesting access to a protected resource is modulated based on an estimated risk value associated with a context of a resource access request. The resource access control decision is generated based on the modulated user trust value associated with the user requesting access to the protected resource.

Abstract: Systems and methods are presented for automatically determining the security requirements of program code during the creation or modification of that program code and for presenting the necessary security permissions to a developer of the program code at the time of the creation or modification of the program code. A cache is established containing program code segments including library calls and application program interfaces that require security permissions at runtime. The cache also includes the security permissions associated with the stored program code segments. Program code editing is monitored in real time during the editing, and instances of edits that add, modify or delete the stored program code segments from the program code being edited are identified. The security permissions associated with the program code segments that are modified by the edits are retrieved from the cache.

Abstract: Techniques are disclosed for multi-granularity hierarchical aggregate selection based on update, storage and response constraints. For example, for a temporal hierarchy of aggregation statistics associated with a plurality of database records, wherein the temporal hierarchy comprises two or more aggregation statistics levels and each level has a different temporal granularity associated therewith, a method comprises iteratively modifying the temporal hierarchy to at least one of: (a) minimize a storage usage cost while satisfying a temporal hierarchy update constraint and a query response time constraint; (b) reduce a temporal hierarchy update time and a query response time while satisfying a storage usage constraint; and (c) minimize a query response time for frequently applied queries that do not shift in time while satisfying the storage usage constraint, wherein the resulting temporal hierarchy that achieves at least one of (a), (b) and (c) is identified as an optimal temporal hierarchy.

Abstract: A unified program analysis framework that facilitates the analysis of complex multi-language software systems, analysis reuse, and analysis comparison, by employing techniques such as program translation and automatic results mapping, is presented. The feasibility and effectiveness of such a framework are demonstrated using a sample application of the framework. The comparison yields new insights into the effectiveness of the techniques employed in both analysis tools. These encouraging results yield the observation that such a unified program analysis framework will prove to be valuable both as a testbed for examining different language analysis techniques, and as a unified toolset for broad program analysis.

Abstract: Systems and methods for protecting a data item include, upon initiation of transfer of the data item from a server to a client device, determining a sensitivity score and a current protection level of the data item. A policy is applied to determine an appropriate protection for the data item based upon the sensitivity score and the current protection level. A protected data item is provided to the client device by applying the appropriate protection to the data item.

Abstract: Systems and methods for protecting a data item include, upon initiation of transfer of the data item from a server to a client device, determining a sensitivity score and a current protection level of the data item. A policy is applied to determine an appropriate protection for the data item based upon the sensitivity score and the current protection level. A protected data item is provided to the client device by applying the appropriate protection to the data item.

Abstract: A method and apparatus for type independent permission based access control are provided. The method and apparatus utilize object inheritance to provide a mechanism by which a large group of permissions may be assigned to a codesource without having to explicitly assign each individual permission to the codesource. A base permission, or superclass permission, is defined along with inherited, or subclass, permissions that fall below the base permission in a hierarchy of permissions. Having defined the permissions in such a hierarchy, a developer may assign a base permission to an installed class and thereby assign all of the inherited permissions of the base permission to the installed class. In this way, security providers need not know all the permission types defined in an application. In addition, security providers can seamlessly integrate with many applications without changing their access control and policy store semantics.

Abstract: A unified program analysis framework that facilitates the analysis of complex multi-language software systems, analysis reuse, and analysis comparison, by employing techniques such as program translation and automatic results mapping, is presented. The feasibility and effectiveness of such a framework are demonstrated using a sample application of the framework. The comparison yields new insights into the effectiveness of the techniques employed in both analysis tools. These encouraging results yield the observation that such a unified program analysis framework will prove to be valuable both as a testbed for examining different language analysis techniques, and as a unified toolset for broad program analysis.

Abstract: Techniques are disclosed for multi-granularity hierarchical aggregate selection based on update, storage and response constraints. For example, for a temporal hierarchy of aggregation statistics associated with a plurality of database records, wherein the temporal hierarchy comprises two or more aggregation statistics levels and each level has a different temporal granularity associated therewith, a method comprises iteratively modifying the temporal hierarchy to at least one of: (a) minimize a storage usage cost while satisfying a temporal hierarchy update constraint and a query response time constraint; (b) reduce a temporal hierarchy update time and a query response time while satisfying a storage usage constraint; and (c) minimize a query response time for frequently applied queries that do not shift in time while satisfying the storage usage constraint, wherein the resulting temporal hierarchy that achieves at least one of (a), (b) and (c) is identified as an optimal temporal hierarchy.

Abstract: A computer implemented method, information processing system, and computer program product manage web application firewall rule configuration. A web application is analyzed. A set of data elements within the web application is identified. Each data element in the set of data elements stores information that is sent from a web client to a web server. Each data element in the set of data elements is analyzed. A data type is associated with each data element in the set of data element. The data type describes a type of data stored by the data element. A web application firewall rule recommendation is automatically generated for each data element based at least on the data type associated therewith.

Abstract: A method for enforcing privacy policies associated with data. The method includes accessing a database to identify labeled data in the database, the labeled data associated with a privacy policy. An access node accessing the label data is determined. For the access node accessing the labeled data, it is determined whether the access node applies an authorization test as indicated by the privacy policy. An authorization test is associated with the access node if the access node does not apply necessary authorization indicated by the privacy policy.

Abstract: A digital rights management (DRM) system and methodology for a Java client implementing a Java Runtime Environment (JRE). The JRE comprises a Java Virtual Machine (JVM) and Java runtime libraries components and is capable of executing a player application for presenting content that can be presented through a Java program (e.g., a Java application, applet, servlet, bean, etc.) and downloaded from a content server to the client. The DRM system includes an acquisition component for receiving downloaded protected contents; and a dynamic rights management layer located between the JRE and player application for receiving requests to view or play downloaded protected contents from the player, and, in response to each request, determining the rights associated with protected content and enabling viewing or playing of the protected contents via the player application if permitted according to the rights.

Abstract: A method and apparatus for implementing a new Permission for methods that perform callback operations are provided. The method and apparatus provide an AdoptPermission Permission type that allows a method to pass a Java 2 authorization test without having the specific required Permissions expressly granted to the method and without the method having the AllPermission Permission granted to it. With the apparatus and method, an AdoptPermission Permission type is defined that operates to allow a ProtectionDomain to “adopt” a required Permission. However, this adoption of a required Permission can only be performed if the ProtectionDomain of at least one method in the thread stack has been granted a Permission that implies the required Permission.