Abstract: Instrumented networks, computer systems and platforms having target subjects (devices, transactions, services, users, organizations) are disclosed. A security orchestration service generates runtime operational integrity profiles representing and identifying a level of threat or contextual trustworthiness, at near real time, of subjects and applications on the instrumented target platform. Methods and systems are disclosed for calculating security risks by determining subject reputation scores. In an embodiment, a system receives a query for a reputation score of a subject, initiates directed queries to external information management systems to interrogate attributes associated with the subject, and analyzes responses. The system receives a hierarchical subject reputation score based on a calculus of risk and returns a reputation token.

Abstract: A method of security gateway policy definition to quickly infer a new policy based on event data extracted and analyzed using business logic and workflow from a gateway event log or behavior log. The method includes reading the components of a log record, translating the components into acceptable policy attributes, creating a new policy based on those attributes, and presenting the new policy to a system administrator for editing and approval.

Abstract: An evidence based cost modeling and predictive analysis system, and an incentives based plan to reduce healthcare costs are disclosed. An analytics system may generate incremental expenditures among overweight and obese individuals, predictive forecasts of future medical costs, and predictive forecast of cost reduction based on financial incentives to recipients. The forecasts may include statistical trends, prevalence of diseases based on body mass index, and medical evidence associated with specific illnesses. A computer based program may process and analyze dependent and independent variables in electronically stored information (for example insurance, health and medical records). A health insurance provider may provide an annual rebate on paid premiums to recipients based on a qualifying annual BMI as an incentive. The recipients may receive the rebates in a qualified health reimbursement account (HRA) managed by the recipients towards future healthcare related expenditures.

Abstract: A scannable integrated circuit (100) including a functional integrated circuit (P1, P2) having scan chains, multiple scan decompressors (120.1, 120.2), each operable to supply scan bits to some of the scan chains (101.k, 102.k), a shared scan-programmable control circuit (110, 300), a tree circuit (400) coupled with the functional integrated circuit (P1, P2), the shared scan-programmable control circuit (110, 300) coupled to control the tree circuit (400), and a selective coupling circuit (180) operable to provide selective coupling with the shared scan-programmable control circuit (110, 300) for scan programming through any of the multiple scan decompressors (120.1, 120.2). Other circuits, devices, systems, and processes of operation and manufacture are disclosed.

Abstract: An instrumented machine or platform having a target application thereon is disclosed. An attestation service may generate an application artifact having associated therewith a name and an application statement having at least one of a plurality of attribute value assertions describing the examined runtime local execution and introspection based derived security context. The application statements may represent the level of contextual trustworthiness, at near real time, of a running application on the instrumented target platform. A runtime process and network monitor may examine the local runtime execution context of the target application, and an identity provider may authenticate a user to the web application based on a web services query for attestation of the target application.

Abstract: An instrumented machine or platform having a target application thereon is disclosed. An attestation service may generate an application artifact having associated therewith a name and an application statement having at least one of a plurality of attribute value assertions describing the examined runtime local execution and introspection based derived security context. The application statements may represent the level of contextual trustworthiness, at near real time, of a running application on the instrumented target platform. A runtime process and network monitor may examine the local runtime execution context of the target application, and an identity provider may authenticate a user to the web application based on a web services query for attestation of the target application.

Abstract: A scannable integrated circuit (100) including a functional integrated circuit (P1, P2) having scan chains, multiple scan decompressors (120.1, 120.2), each operable to supply scan bits to some of the scan chains (101.k, 102.k), a shared scan-programmable control circuit (110, 300), a tree circuit (400) coupled with the functional integrated circuit (P1, P2), the shared scan-programmable control circuit (110, 300) coupled to control the tree circuit (400), and a selective coupling circuit (180) operable to provide selective coupling with the shared scan-programmable control circuit (110, 300) for scan programming through any of the multiple scan decompressors (120.1, 120.2). Other circuits, devices, systems, and processes of operation and manufacture are disclosed.

Abstract: A target device may have a target application and a web application thereon, and a trust broker may generate an application token having associated therewith a state attribute having at least one of a hash digest and a property value assertion, and weighted trust score. The application token may correspond to a level of trustworthiness, in near real time, of a running application instance of the target application. A trust monitor may monitor an execution state of the target application, and an authentication broker may authenticate a user to the web application and based upon a web services query for remote verification of the target application. A network access enforcer may control access of an authenticated user to the target application, and a trust evaluation server may interrogate the target application and generate a trust score.

Abstract: A method of packet management for restricting access to a resource of a computer system. The method includes identifying client parameters and network parameters, as a packet management information, used to determine access to the resource, negotiating a session key between client and server devices, generating a session ID based on at least the negotiated session key, inserting the packet management information and the session ID into each information packet sent from the client device to the server device, monitoring packet management information in each information packet from the client device, and filtering out respective information packets sent to the server device from the client device when the monitored packet management information indicates that access to the resource is restricted.

Abstract: A method and system for managing access to resources on a secured network is disclosed. The method includes reading packet information in respective packets of a packet communication received at a security node and applying one of the plurality of access rules. The method also includes determining whether the security node is to block the respective packets and/or the packet communication from reaching a resource on the secured network based on the applied access rule. If the security node is to block the respective packets and/or the packet communication, it is determined whether the applied access rule is a simulated access rule. Responsive to the applied access rule being a simulated access rule, the respective packets and/or the packet communication are passed towards the resource on the secured network and a log event is generated that indicates the security node blocked the respective packets and/or the packet communication.

Abstract: A method or system for managing packet flow is disclosed. The packets each include an inserted application identifier identifying a registered application. The method includes receiving packets destined for one or more resources, determining, by a packet processor, the inserted application identifier for each of the respective packets received and managing the packet flow of each received packet sent from a security node based at least in part on the inserted application identifier of the received packet.

Abstract: A method of packet security management to ensure a secure connection from one network node to another. The method includes creating a security tag for each packet in a network session, selecting one of a number of possible tag locations within the packet, inserting the security tag at that location, transmitting the tagged packets from a sending node to the receiving node, authenticating the packets' security tags at the receiving node, and dropping non-authenticated packets. The method also includes determining best possible tag locations when sending a packet and locating a security tag when receiving a packet.

Abstract: A method of security gateway policy definition to quickly infer a new policy based on event data extracted and analyzed using business logic and workflow from a gateway event log or behavior log. The method includes reading the components of a log record, translating the components into acceptable policy attributes, creating a new policy based on those attributes, and presenting the new policy to a system administrator for editing and approval.

Abstract: Systems and methods are described for creating a globally unique identity for a user or user-container by performing an iterative join where each participating back-end data source. The systems and methods include an ID-Unify (IDU) that performs identity virtualization and creates or generates a globally unique identifier for a user in operational environments in which there is a pre-existing conflict caused by the existence of different identities for a user in different authentication data sources.