Abstract: Attributes relevant to at least one existing authorization system are identified. Noise removal from identified attributes of the at least one existing authorization system is performed. An attribute based access control (ABAC) policy is generated from remaining identified attributes to derive logical rules that grant or deny access.

Abstract: In one aspect, a method for managing a security policy having multiple policy items includes the steps of: (a) mapping permissions to the policy items which apply to usage of the permissions so as to determine which of the permissions are granted to groups of users by each of the policy items; (b) identifying at least one of the policy items mapped in step (a) that is in violation of least privilege based on a comparison of an actual permission usage with the security policy; (c) identifying at least one of the policy items mapped in step (a) that increases operational risk; (d) verifying that policy constructs in the security policy are consistent with policy constructs inferred from the actual permission usage; and (e) identifying optimizations of the security policy based on output from one or more of steps (a)-(d).

Abstract: A technique is provided for continuous user authentication through real-time fusion and correlation of multiple factors. Monitored data is continuously obtained from a computer. The monitored data is related to user actions on the computer of a user. A server analyzes the monitored data of the computer to execute a windowing system event sequences modality, a network footprint modality, an application specific user actions modality, and/or a forensic linguistic analysis modality for the user. The user is authenticated on the computer based on a combination of the windowing system event sequences modality, the network footprint modality, the application specific user actions modality, and/or the forensic linguistic analysis modality.

Abstract: Embodiments include a network data collection and response system for enhancing security in an enterprise network providing a user-supplied computing device with access to the network. A network data collection and response system tracks network activity of the device and maintains a device inventory recording the device type and configuration information for the device along with a resource utilization profile for the device. The network data collection and response system detects high-risk or unauthorized network activity involving the device through passive monitoring without utilization of a data monitoring agent installed on the device and implements a response action to mitigate the high-risk or unauthorized network.

Abstract: An embodiment directed to a method is associated with a VPN that may be used to access resource servers. Upon determining that the VPN has been accessed by a specified client, resource servers are identified, which each has an address and may receive traffic routed from the client through the VPN. The method further comprises sending a message corresponding to each identified resource server to the client, wherein the message to corresponding to a given one of the identified resources is intended to cause a response to be sent from the client to the address of the given identified resource server. Responses to respective messages sent to the client are used to determine whether a route for traffic from the client to the VPN has been compromised.

Abstract: Generating role-based access control policies is provided. A user-permission relation is generated by extracting users and permissions assigned to each of the users from a stored access control policy. A user-attribute relation is generated by mapping the users to attributes describing the users. A permission-attribute relation is generated by mapping the permissions to attributes describing the permissions. The set of risk-averse roles, assignment of the set of risk-averse roles to the users, and assignment of the permissions to the set of risk-averse roles are determined based on applying a risk-optimization function to the generated user-permission relation, the generated user-attribute relation, and the generated permission-attribute relation. A role-based access control policy that minimizes a risk profile of the set of risk-averse roles, the assignment of the set of risk-averse roles to the users, and the assignment of the permissions to the set of risk-averse roles is generated.

Abstract: Generating role-based access control policies is provided. A user-permission relation is generated by extracting users and permissions assigned to each of the users from a stored access control policy. A user-attribute relation is generated by mapping the users to attributes describing the users. A permission-attribute relation is generated by mapping the permissions to attributes describing the permissions. The set of risk-averse roles, assignment of the set of risk-averse roles to the users, and assignment of the permissions to the set of risk-averse roles are determined based on applying a risk-optimization function to the generated user-permission relation, the generated user-attribute relation, and the generated permission-attribute relation. A role-based access control policy that minimizes a risk profile of the set of risk-averse roles, the assignment of the set of risk-averse roles to the users, and the assignment of the permissions to the set of risk-averse roles is generated.

Abstract: Generating communities of users and discovering the expertise of those users are provided. Identifications of a plurality of users that accessed resources via a network, types of actions performed by the plurality of users on the resources, and names of the resources accessed by the plurality of users are extracted from retrieved resource access logs. The plurality of users are grouped into a plurality of different sets of users based on which resources were accessed and which type of actions were performed by each particular user within the plurality of users. The communities of users are generated based on each different set of users having a similarity with regard to the resources that were accessed and the types of actions that were performed by a particular set of users.

Abstract: An embodiment directed to a method is associated with a VPN that may be used to access resource servers. Upon determining that the VPN has been accessed by a specified client, resource servers are identified, which each has an address and may receive traffic routed from the client through the VPN. The method further comprises sending a message corresponding to each identified resource server to the client, wherein the message to corresponding to a given one of the identified resources is intended to cause a response to be sent from the client to the address of the given identified resource server. Responses to respective messages sent to the client are used to determine whether a route for traffic from the client to the VPN has been compromised.

Abstract: Attributes relevant to at least one existing authorization system are identified. Noise removal from identified attributes of the at least one existing authorization system is performed. An attribute based access control (ABAC) policy is generated from remaining identified attributes to derive logical rules that grant or deny access.

Abstract: Applications of machine learning techniques such as Latent Dirichlet Allocation (LDA) and author-topic models (ATM) to the problems of mining of user roles to specify access control policies from entitlement as well as logs which contain record of the usage of these entitlements are provided. In one aspect, a method for performing role mining given a plurality of users and a plurality of permissions is provided. The method includes the following steps. At least one generative machine learning technique, e.g., LDA, is used to obtain a probability distribution ? for user-to-role assignments and a probability distribution ? for role-to-permission assignments. The probability distribution ? for user-to-role assignments and the probability distribution ? for role-to-permission assignments are used to produce a final set of roles, including user-to-role assignments and role-to-permission assignments.

Abstract: A method for detecting abnormal behavior of users is disclosed. Processors identify from a log of user activity, a first number of actions performed by a user over a first time period that match a pattern of user activity for a task associated with one or more roles of the users. Processors also identify from the log of user activity, a second number of actions performed by the user over a second time period that match the pattern of user activity. Processors calculate an amount of deviation between the first number of actions and the second number of actions. The deviation identifies a difference between amounts of time spent in the one or more roles. Processors then determine whether the amount of deviation between the first number of actions and the second number of actions exceeds a threshold for abnormal behavior.

Abstract: An apparatus for detecting abnormal behavior of users is disclosed. The apparatus identifies from a log of user activity, a first number of actions performed by a user over a first time period that match a pattern of user activity for a task associated with one or more roles of the users. The apparatus also identifies from the log of user activity, a second number of actions performed by the user over a second time period that match the pattern of user activity. The apparatus calculates an amount of deviation between the first number of actions and the second number of actions. The deviation identifies a difference between amounts of time spent in the one or more roles. The apparatus then determines whether the amount of deviation between the first number of actions and the second number of actions exceeds a threshold for abnormal behavior.

Abstract: Sanitizing a virtual machine image of sensitive data is provided. A label for a sensitivity level is attached to identified sensitive data contained within each software component in a plurality of software components of a software stack in a virtual machine image based on labeling policies. In response to receiving an input to perform a sanitization of the identified sensitive data having attached sensitivity level labels contained within software components of the software stack in the virtual machine image, the sanitization of the identified sensitive data having the attached sensitivity level labels contained within the software components of the software stack in the virtual machine image is performed based on sanitization policies.

Abstract: Sanitizing a virtual machine image of sensitive data is provided. A label for a sensitivity level is attached to identified sensitive data contained within each software component in a plurality of software components of a software stack in a virtual machine image based on labeling policies. In response to receiving an input to perform a sanitization of the identified sensitive data having attached sensitivity level labels contained within software components of the software stack in the virtual machine image, the sanitization of the identified sensitive data having the attached sensitivity level labels contained within the software components of the software stack in the virtual machine image is performed based on sanitization policies.

Abstract: In one aspect, a method for managing a security policy having multiple policy items includes the steps of: (a) mapping permissions to the policy items which apply to usage of the permissions so as to determine which of the permissions are granted to groups of users by each of the policy items; (b) identifying at least one of the policy items mapped in step (a) that is in violation of least privilege based on a comparison of an actual permission usage with the security policy; (c) identifying at least one of the policy items mapped in step (a) that increases operational risk; (d) verifying that policy constructs in the security policy are consistent with policy constructs inferred from the actual permission usage; and (e) identifying optimizations of the security policy based on output from one or more of steps (a)-(d).

Abstract: In one aspect, a method for managing a security policy having multiple policy items includes the steps of: (a) mapping permissions to the policy items which apply to usage of the permissions so as to determine which of the permissions are granted to groups of users by each of the policy items; (b) identifying at least one of the policy items mapped in step (a) that is in violation of least privilege based on a comparison of an actual permission usage with the security policy; (c) identifying at least one of the policy items mapped in step (a) that increases operational risk; (d) verifying that policy constructs in the security policy are consistent with policy constructs inferred from the actual permission usage; and (e) identifying optimizations of the security policy based on output from one or more of steps (a)-(d).

Abstract: A method and computer program product for enabling authentication of an OpenID user when a requested identity provider is unavailable. A relying party receives a login request from the OpenID user, where the login request includes a username. The relying party reads a list of trusted identity providers that are associated with the received username and selects one of those identity providers. The relying party generating an OpenID identifier using an identification (e.g., Uniform Resource Locator) of the selected identity provider and the username. The relying party transmits an authentication request (request to authenticate the OpenID user) to the selected identity provider using the formed OpenID identifier. If the selected identity provider is unavailable, then the relying party selects another identity provider from the list of identity providers that are associated with the received username and repeats the above process.

Abstract: Automatically estimating a sensitivity level of an information technology (IT) asset in one aspect may obtain information about an asset. Characteristics of the asset assigned based on the information may be compared with stored characteristics of known sensitive assets. A sensitivity level of the asset may be determined based on the comparing.

Abstract: Automatically estimating a sensitivity level of an information technology (IT) asset in one aspect may obtain information about an asset. Characteristics of the asset assigned based on the information may be compared with stored characteristics of known sensitive assets. A sensitivity level of the asset may be determined based on the comparing.