Patents by Inventor Randall S. Brooks

Randall S. Brooks has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 9172709
    Abstract: According to one embodiment, a secure network portal includes a number of application servers coupled to one or more clients through a portal server. The application servers serve a number of secure services that may be consumed by clients. The portal server creates a login session with a graphical user interface in which the login session is associated with a particular authorization level. The portal server then displays a service access point for each of the plurality of secure services and restricts access to each of the secure services according to the authorization level of the login session.
    Type: Grant
    Filed: June 24, 2008
    Date of Patent: October 27, 2015
    Assignee: Raytheon Company
    Inventors: Irvin L. Dean, Randall S. Brooks
  • Patent number: 8745385
    Abstract: A data security system includes a single central processing unit (CPU), a plurality of different security zones corresponding to different levels of security classification, a plurality of operating systems, a communications interface, a global zone, and a memory coupled to the plurality of security zones and the global zone. The CPU includes a plurality of processing cores and each security zone is associated with a different one of the processing cores. The global zone is communicatively coupled to the communications interface and the plurality of security zones, and is associated with a different one of the processing cores than the plurality of security zones. The global zone directs communications between the communications interface and the plurality of security zones. Each processing core executes a separate one of the plurality of operating systems, thereby providing separate processing capability on the single CPU for each of the different levels of security classification.
    Type: Grant
    Filed: June 24, 2009
    Date of Patent: June 3, 2014
    Assignee: Raytheon Company
    Inventors: Jonathan D. Goding, Randall S. Brooks
  • Patent number: 8468344
    Abstract: According to an embodiment, a system may comprise a mass storage device that is operable to be coupled to one or more processors. The mass storage device may comprise a base operating system that is operable to be executed by the one or more processors. The base operating system may be operable to implement a single security level. The mass storage device may also comprise a virtual operating system that is operable to be executed by the one or more processors. The virtual operating system may be executed using a virtualization tool that is executed by the base operating system. The virtual operating system may be operable to process information according to a plurality of security levels and communicate the information to one or more computing systems. The information may be communicated according to the plurality of security levels of the information.
    Type: Grant
    Filed: May 25, 2010
    Date of Patent: June 18, 2013
    Assignee: Raytheon Company
    Inventors: Daniel Teijido, Randall S. Brooks
  • Patent number: 8234259
    Abstract: A computerized method of adjudicating text against a policy includes receiving one or more system policies, creating a system datastructure for each received system policy, receiving an input message comprising a text to be adjudicated, selecting a system policy from the one or more received system policies based on the input message, and processing the text to be adjudicated and the system datastructure corresponding to the selected system policy to determine if a prohibited word is present in the text to be adjudicated. The one or more system policies include one or more prohibited words and a first hit value corresponding to each prohibited word. The system datastructure includes a plurality of linked lists corresponding to the letters of the alphabet and a head linked list operable to store one or more found prohibited words.
    Type: Grant
    Filed: May 8, 2009
    Date of Patent: July 31, 2012
    Assignee: Raytheon Company
    Inventors: Randall S. Brooks, Ricardo J. Rodriguez, Sylvia A. Traxler
  • Patent number: 8234693
    Abstract: A method for providing secure document management includes receiving a document from a user having an associated security access profile and generating a security label to be stored as an attribute of the document. The security label includes a clearance component selected from an authorized subset of clearance components that are determined based on the security access profile associated with the user, and also includes one or more secondary security components selected from an authorized subset of secondary security components that are determined based on the clearance component of the security label and the security access profile associated with the user. The method includes storing the document in a document repository storing a plurality of documents each having an associated security label, and determining whether a third-party user is authorized to access the document based on a comparison of a security access profile of the third-party user and the security label associated with the document.
    Type: Grant
    Filed: December 12, 2008
    Date of Patent: July 31, 2012
    Assignee: Raytheon Company
    Inventors: Noah Z. Stahl, Wendy S. Bartlett, Randall S. Brooks
  • Patent number: 7895649
    Abstract: A method for dynamically generating rules for an enterprise intrusion detection system comprises receiving a packet flow from a sensor. The packet flow is dynamically processed to detect if the packet flow represents an attack on the enterprise system. A response message is automatically generated in response to the attack, the response message comprising a signature to identify the attack. The response message is automatically communicated to a response message file, the response message file comprising at least one response message.
    Type: Grant
    Filed: April 4, 2003
    Date of Patent: February 22, 2011
    Assignee: Raytheon Company
    Inventors: Jon-Michael C. Brook, Matthew C. Rixon, Randall S. Brooks, Troy Dean Rockwood
  • Publication number: 20100333193
    Abstract: A data security system includes a single central processing unit (CPU), a plurality of different security zones corresponding to different levels of security classification, a plurality of operating systems, a communications interface, a global zone, and a memory coupled to the plurality of security zones and the global zone. The CPU includes a plurality of processing cores and each security zone is associated with a different one of the processing cores. The global zone is communicatively coupled to the communications interface and the plurality of security zones, and is associated with a different one of the processing cores than the plurality of security zones. The global zone directs communications between the communications interface and the plurality of security zones. Each processing core executes a separate one of the plurality of operating systems, thereby providing separate processing capability on the single CPU for each of the different levels of security classification.
    Type: Application
    Filed: June 24, 2009
    Publication date: December 30, 2010
    Applicant: Raytheon Company
    Inventors: Jonathan D. Goding, Randall S. Brooks
  • Publication number: 20100306534
    Abstract: According to an embodiment, a system may comprise a mass storage device that is operable to be coupled to one or more processors. The mass storage device may comprise a base operating system that is operable to be executed by the one or more processors. The base operating system may be operable to implement a single security level. The mass storage device may also comprise a virtual operating system that is operable to be executed by the one or more processors. The virtual operating system may be executed using a virtualization tool that is executed by the base operating system. The virtual operating system may be operable to process information according to a plurality of security levels and communicate the information to one or more computing systems. The information may be communicated according to the plurality of security levels of the information.
    Type: Application
    Filed: May 25, 2010
    Publication date: December 2, 2010
    Applicant: Raytheon Company
    Inventors: Daniel Teijido, Randall S. Brooks
  • Publication number: 20100287182
    Abstract: A computerized method of adjudicating text against a policy includes receiving one or more system policies, creating a system datastructure for each received system policy, receiving an input message comprising a text to be adjudicated, selecting a system policy from the one or more received system policies based on the input message, and processing the text to be adjudicated and the system datastructure corresponding to the selected system policy to determine if a prohibited word is present in the text to be adjudicated. The one or more system policies include one or more prohibited words and a first hit value corresponding to each prohibited word. The system datastructure includes a plurality of linked lists corresponding to the letters of the alphabet and a head linked list operable to store one or more found prohibited words.
    Type: Application
    Filed: May 8, 2009
    Publication date: November 11, 2010
    Applicant: Raytheon Company
    Inventors: Randall S. Brooks, Ricardo J. Rodriguez, Sylvia A. Traxler
  • Publication number: 20100146593
    Abstract: A method for providing secure document management includes receiving a document from a user having an associated security access profile and generating a security label to be stored as an attribute of the document. The security label includes a clearance component selected from an authorized subset of clearance components that are determined based on the security access profile associated with the user, and also includes one or more secondary security components selected from an authorized subset of secondary security components that are determined based on the clearance component of the security label and the security access profile associated with the user. The method includes storing the document in a document repository storing a plurality of documents each having an associated security label, and determining whether a third-party user is authorized to access the document based on a comparison of a security access profile of the third-party user and the security label associated with the document.
    Type: Application
    Filed: December 12, 2008
    Publication date: June 10, 2010
    Applicant: Raytheon Company
    Inventors: Noah Z. Stahl, Wendy S. Bartlett, Randall S. Brooks
  • Publication number: 20090319529
    Abstract: In certain embodiments, a method for providing information rights management (IRM) includes receiving, from a user having an associated security access profile, a request to access an object. The object has a corresponding IRM wrapper stored with the object both when the object is stored in a document management system (DMS) database and external to the DMS database, the IRM wrapper including an IRM profile and one or more IRM permission sets. The object also has encrypted data. The method further includes determining whether the user is authorized to access the object based on a comparison of the security access profile of the user and the IRM profile of the IRM wrapper corresponding to the object and communicating to the user, in response to a determination that the user is authorized to access the object, a decryption key associated with the object.
    Type: Application
    Filed: June 18, 2009
    Publication date: December 24, 2009
    Applicant: Raytheon Company
    Inventors: Wendy S. Bartlett, Noah Z. Stahl, Randall S. Brooks
  • Publication number: 20090320115
    Abstract: According to one embodiment, a secure network portal includes a number of application servers coupled to one or more clients through a portal server. The application servers serve a number of secure services that may be consumed by clients. The portal server creates a login session with a graphical user interface in which the login session is associated with a particular authorization level. The portal server then displays a service access point for each of the plurality of secure services and restricts access to each of the secure services according to the authorization level of the login session.
    Type: Application
    Filed: June 24, 2008
    Publication date: December 24, 2009
    Inventors: Irvin L. Dean, Randall S. Brooks
  • Publication number: 20090282460
    Abstract: A networking method includes receiving a first data packet from a computing node at a middleware process of a first computing system, adding, by the middleware process, a Common Internet Protocol Security Option (CIPSO) label to the data packet to form a modified packet, and transmitting, by a separation kernel, the modified packet to a second computing system. The first computing system includes an embedded operating system, and the computing node is coupled to the first computing system. The second computing system includes a CIPSO compliant operating system.
    Type: Application
    Filed: May 11, 2009
    Publication date: November 12, 2009
    Applicant: Raytheon Company
    Inventor: Randall S. Brooks
  • Patent number: 7356585
    Abstract: A method for vertically extensible intrusion detection for an enterprise comprises receiving a first packet flow from a first node, the first packet flow comprising at least a portion of packet headers received at the first node during a first timeframe and receiving a second packet flow, the second packet flow comprising at least a portion of packet headers received at the second node during a second timeframe. The first and second packet flow are processed to detect an attack on the enterprise system. In response to the attack, an alert message is communicated to a master server, a response message is received from the master server, the response message comprising a signature to impede the attack, and the response message is automatically communicated to the first node and the second node.
    Type: Grant
    Filed: April 4, 2003
    Date of Patent: April 8, 2008
    Assignee: Raytheon Company
    Inventors: Jon-Michael C. Brook, Matthew C. Rixon, Randall S. Brooks, Troy Dean Rockwood
  • Patent number: 7293238
    Abstract: A method for interfacing with a user of an enterprise intrusion detection system, the method comprises receiving at least one packet flow, each packet flow originating from a unique node in the intrusion detection system and comprising descriptive information and a plurality of packet headers. The descriptive information of a first subset of the received packet flows is communicated to a user based at least in part on a filtering ruleset. A second subset of the received packet flows is concealed from the user based at least in part on the filtering ruleset. In response to receiving a command from the user, the plurality of packet headers for at least one packet flow in the first subset is communicated to the user.
    Type: Grant
    Filed: April 4, 2003
    Date of Patent: November 6, 2007
    Assignee: Raytheon Company
    Inventors: Jon-Michael C. Brook, Matthew C. Rixon, Randall S. Brooks, Troy Dean Rockwood