Policy Patents (Class 726/1)
  • Publication number: 20100293595
    Abstract: A method and arrangement for distributing a security policy to a communication terminal having an association with a home communication network, but being present in a visited communication network. The home communication network (106) generates its own preferred security policy Ph and the visited communication network (102) generates its own preferred security policy Pv. A communication network entity (104) in the visited communication network combines the security policies and selects security algorithms/functions to apply from the combined security policy. By generating security policy vectors for both networks and combining them before the security algorithms are selected, both networks can influence the selection without affecting the use of existing signalling messages.
    Type: Application
    Filed: January 22, 2008
    Publication date: November 18, 2010
    Applicant: TELEFONAKTIEBOLAGET LM ERICSSON (PUBL)
    Inventors: Mats Naslund, Michael Liljenstam, Karl Norrman, Bengt Sahlin
  • Publication number: 20100293593
    Abstract: A method of controlling user access to contact information associated with public user identities (IMPUs) registered in respect of the user's subscription within an IP Multimedia Subsystem. The method comprises installing into a Serving Call/Session Control Function assigned to the user, one or more contact information access policies, the contact information access policy or policies defining if and under what circumstances the user can view or delete contact information. Upon a request by the user to view and/or modify said contact information, the Serving Call/Session Control Function evaluates and enforces these contact information policies.
    Type: Application
    Filed: January 11, 2008
    Publication date: November 18, 2010
    Inventors: Fredrik Lindholm, Mikhail Soloviev
  • Publication number: 20100293594
    Abstract: An authorization engine is provided in a remote device for mobile authorization using policy based access control. To ensure that remote devices can enforce consistent authorization policies even when the devices are not connected to the server, the remote device downloads the relevant authorization policies when the business objects are downloaded and enforces the policies when operations are invoked. The memory footprint of downloadable authorization policies is reduced to fit onto a resource-constrained remote device. A policy evaluation engine interprets and enforces the downloaded policies on the remote device using only the limited computational resources of the remote device.
    Type: Application
    Filed: July 26, 2010
    Publication date: November 18, 2010
    Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: SweeFen Goh, Richard Thomas Goodwin
  • Publication number: 20100293590
    Abstract: A system and method for network authentication is provided. A network access device is operable to establish communications with an internal network. A client device is operable to request and establish the communications over the internal network by interfacing with the network access device. A processor is operable to interface with the network access device to establish the communications between the client device and the internal network. The processor is also operable to establish a communications level for the communications based on the location of the client device.
    Type: Application
    Filed: May 12, 2009
    Publication date: November 18, 2010
    Inventor: SANKARLINGAM DANDABANY
  • Patent number: 7836483
    Abstract: A system architecture and algorithm for automatically generating, installing and enforcing access control policies that correspond to an agreed specification of collaboration. A collaboration member enforces its access control policies using a dedicated access controller separate from a workflow engine. In one embodiment, each access control policy contains extensions which can direct an access controller to selectively enable or disable various access control policies upon authorization of an access request.
    Type: Grant
    Filed: April 28, 2006
    Date of Patent: November 16, 2010
    Assignee: SAP AG
    Inventors: Florian Kerschbaum, Philip Robinson
  • Patent number: 7836497
    Abstract: A method and apparatus adapting a Virtual Router Redundancy Protocol (VRRP) between a set of physical SEGs that realize a V-SEG function towards a remote IPsec/IKE peer. In tandem with the VRRP, a new protocol, referred to herein as the IPsec/IKE SA Transfer Protocol (SATP), is introduced to exchange IKE and IPsec SA information between VRRP capable SEGs. SATP synchronizes all participating SEGs with respect to dynamic IPsec state information in near real time. Thus, in the event of a master VRRP SEG failure, one of the hot-standby SEGs takes over the V-SEG function. This allows the V-SEG function to remain functional despite the possible failure of one or more participating SEGs.
    Type: Grant
    Filed: December 22, 2006
    Date of Patent: November 16, 2010
    Assignee: Telefonaktiebolaget L M Ericsson (Publ)
    Inventors: Mahmood Hossain, James Comen
  • Patent number: 7836512
    Abstract: There are provided an information transmission terminal, an information transmission method, an article information transmission system and an article information transmission method capable of including personal information under other users' control into items to be transmitted while protecting the user privacy. A user terminal 20 transfers a transmission request and a usage policy of personal information to the respective transfer destination terminals 30 in accordance with the kind of personal information requested from a personal information collecting server 10, and collects personal information transmitted from the respective transfer destination terminals 30 responding thereto to transmit to the personal information collecting server 10. In this process, the respective transfer destination terminals 30 can judge whether or not the transmission of the requested personal information based on the transferred usage policy violates the privacy of the users of the transfer destination terminals 30.
    Type: Grant
    Filed: September 27, 2006
    Date of Patent: November 16, 2010
    Assignee: NTT DoCoMo, Inc.
    Inventors: Atsushi Mizuki, Hiroaki Hagino, Tatsuo Takahashi
  • Patent number: 7836504
    Abstract: The present invention provides a system, method, and computer-readable medium for identifying malware that is loaded in the memory of a computing device. Software routines implemented by the present invention track the state of pages loaded in memory using page table access bits available from a central processing unit. A page in memory may be in a state that is “unsafe” or potentially infected with malware. In this instance, the present invention calls a scan engine to search a page for malware before information on the page is executed.
    Type: Grant
    Filed: March 1, 2005
    Date of Patent: November 16, 2010
    Assignee: Microsoft Corporation
    Inventors: Kenneth D Ray, Michael Kramer, Paul England, Scott A Field
  • Patent number: 7836484
    Abstract: Method, apparatus and computer program for providing access to identity services of users. A Discovery Service DS server (100) stores for a set of users references (RO1A,ROnB) of identity services (IDSRV-A,IDSRV-B) available for them and usable to contact respectively with the Service Providers SPs (120,130) hosting each of said identity services. For a given identity service not yet registered for a given user, the DS server selects a SP (140) that is able to provide it, and stores a new resource offering (RO2X) that corresponds to the registration of said identity service. For selecting the appropriate SP, the DS server can check a service capability storage (103-2,301) that comprises information about what identity service(s) can be provided by a given SP, and which can be dynamically updated from SPs with the identity services they respectively support. The DS server can contact the user to collect SP preferences and/or service data.
    Type: Grant
    Filed: May 11, 2004
    Date of Patent: November 16, 2010
    Assignee: Telefonaktiebolaget L M Ericsson (publ)
    Inventors: Avelina Pardo-Blazquez, Fuencisla Garcia Azorero, Maria Esther Bas Sanchez
  • Patent number: 7836482
    Abstract: An information management system is described comprising one or more workstations running applications to allow a user of the workstation to connect to a network, such as the Internet. Each application has an analyser, which monitors transmission data that the application is about to transmit to the network or about to receive from the network and which determines an appropriate action to take regarding that transmission data. Such actions may be extracting data from the transmission data, such as passwords and usernames, digital certificates or eCommerce transaction details for storage in a database; ensuring that the transmission data is transmitted at an encryption strength appropriate to the contents of the transmission data; determining whether a check needs to be made as to whether a digital certificate received in transmission data is in force, and determining whether a transaction about to be made by a user of one of the workstations needs third party approval before it is made.
    Type: Grant
    Filed: May 12, 2005
    Date of Patent: November 16, 2010
    Assignee: Computer Associates Think, Inc.
    Inventor: Peter Bryan Malcolm
  • Publication number: 20100287598
    Abstract: A system for providing security policy for a Linux-based security operating system, which includes a template policy module configured to set an authority using policy information of a downloaded application so that the template policy module can set an access control rule for accessing a system resource of the application, a base policy module executing the access control rule for the system resource in accordance with the access control rule set by the template policy module, and a template policy module editor generating a custom application for the corresponding application using information output from the template policy module.
    Type: Application
    Filed: May 10, 2010
    Publication date: November 11, 2010
    Applicant: Samsung Electronics Co., Ltd.
    Inventors: Tymur Korkishko, Kyung-Hee Lee
  • Publication number: 20100287599
    Abstract: A method, an apparatus and a system for implementing policy control are disclosed. The method includes: an SPDF receives a service request that carries service property of a session from an AF, makes a service policy decision according to the service property of the session and policy pre-configuration parameters to obtain authorized service parameters; and determines a corresponding local network transmission PDF according to a type of an access network; the SPDF sends an access network resource authorization request that carries the authorized service parameters to the determined local network transmission PDF, to enable the local network transmission PDF to generate a local network transmission policy according to the authorized service parameters and deliver the policy to a corresponding policy enforcement point for enforcing. Through the embodiments of the present invention, the converged policy control can be implemented for different types of networks.
    Type: Application
    Filed: July 6, 2010
    Publication date: November 11, 2010
    Applicant: HUAWEI TECHNOLOGIES CO., LTD.
    Inventors: Xianhui HE, Saixiang Fu
  • Publication number: 20100284336
    Abstract: The present invention discloses a method for selecting a policy and charging rules function server in a non-roaming scenario to achieve that the PCC policies for each IP-CAN session are determined only by one PCRF. The method comprises a Diameter Routing Agent (DRA) establishing an association relationship table in which IP Connectivity Access Network (IP-CAN) session information and corresponding address information of a Policy and Charging Rules Function (PCRF) server are stored; and when a Policy and Charging Enforcement Function (PCEF) entity and a Gateway Control Function Entity (GWCF) request the PCRF to establish or update a Policy and Charging Control (PCC) policy of one IP-CAN session, or when an Application Function (AF) entity sends application information or service information down to the PCRF, obtaining the address information of the PCRF associated with said IP-CAN session from said DRA, then performing subsequent processing.
    Type: Application
    Filed: December 24, 2008
    Publication date: November 11, 2010
    Applicant: ZTE CORPORATION
    Inventors: Tong Rui, Zaifeng Zong, Xiaoyun Zhou, Jun Song, Jinguo Zhu
  • Publication number: 20100287597
    Abstract: Described is a technology by which a user (or other entity) may be temporarily granted or denied permissions with respect to performing an upcoming database operation. A “before” security policy trigger is executed prior to executing the database statement, so as to modify the user's security context (e.g., to add a role) prior to execution if information associated with the operation meets criteria defined in the policy trigger. The existing security system uses the (possibly modified) security context to determine whether to execute the database statement. The security context is reverted after the successful or unsuccessful execution of the database statement. The security policy trigger may also cause an error to be raised.
    Type: Application
    Filed: May 7, 2009
    Publication date: November 11, 2010
    Applicant: Microsoft Corporation
    Inventors: Jack Smith Richins, Raul Garcia, Craig A. Gick
  • Patent number: 7832008
    Abstract: In one embodiment, local software code present in a computer system enables real-time detection of whether the computer system is properly protected against malicious attacks from harmful software. For example, software code such as one or more agents executing in the computer system support real-time protection validation based upon detection of the behavior of the computer system (as opposed to mere detection of the presence of resources or applications in the computer system). In response to detecting that the computer system or an application accesses or provides a particular type of resource and should be protected via one or more appropriate protection policies, if the computer system is not already protected, an agent of the computer system can provide immediate remediation (e.g., a security measure) to temporarily protect the computer system until the appropriate protection policy can be activated to protect the computer system against malicious software threats.
    Type: Grant
    Filed: October 11, 2006
    Date of Patent: November 9, 2010
    Assignee: Cisco Technology, Inc.
    Inventor: Jeffrey A. Kraemer
  • Patent number: 7831832
    Abstract: Described herein is an implementation that produces a new representation of a digital good (such as an image) in a new defined representation domain. In particular, the representations in this new domain are based upon matrix invariances. In some implementations, the matrix invariances may, for example, heavily use singular value decomposition (SVD).
    Type: Grant
    Filed: January 6, 2004
    Date of Patent: November 9, 2010
    Assignee: Microsoft Corporation
    Inventors: S. Serdar Kozat, M. Kivanc Mihcak, Ramarathnam Venkatesan
  • Patent number: 7831833
    Abstract: A secure mechanism for transparent key recovery for a user who has changed authentication information is disclosed. A password manager agent intercepts requests by a user to access secure resources that require user credentials. Upon detecting changed authentication information for the user, the password manager agent automatically regenerates the components of a cryptographic key associated with the user that was previously used to encrypt user credentials for the user and then destroyed. After regeneration of the original cryptographic key, the password manager agent uses the key to decrypt the user credentials necessary for the requested application. The regenerated key is then destroyed and the user credentials are re-encrypted by the password manager agent using a new cryptographic key associated with the user made up of multiple components.
    Type: Grant
    Filed: May 6, 2005
    Date of Patent: November 9, 2010
    Assignee: Citrix Systems, Inc.
    Inventor: Timothy R. Gaylor
  • Patent number: 7831995
    Abstract: Method, system, and computer code for implementing security and privacy policy in a web application having an execution environment in which a representation of each object handled by the execution environment accommodates data and an associated tag. An inbound tagging rule is established for tagging inbound objects according to a respective source of each of the inbound objects. A tag is assigned to an object being operated on by the execution environment based on the inbound tagging rule. A security/privacy rule is established for performing security/privacy actions on outbound objects according to a respective tag of each of the outbound objects. A security/privacy action is performed on the object being operated on by the execution environment based on the security/privacy rule.
    Type: Grant
    Filed: October 31, 2005
    Date of Patent: November 9, 2010
    Assignee: CORE, SDI, Inc.
    Inventors: Ariel Futoransky, Ariel Waissbein, Diego Bartolome Tiscornia, Ezequiel Gutesman
  • Publication number: 20100281514
    Abstract: The present invention includes a request module that creates a user information request message and a communication module that transmits the user information request message to an attribute provider server, wherein the user information request message includes a privacy policy that represents at least one term of use subjects, use purposes, and use periods using a grade. With the present invention, the representation of the privacy policy can be simplified and the comparison of policies can be conveniently processed.
    Type: Application
    Filed: December 3, 2008
    Publication date: November 4, 2010
    Applicant: Electronics and Telecommunications Research Institute
    Inventors: Jonghyouk Noh, Seunghyun Kim, Soohyung Kim, Daeseon Choi, Sangrae Cho, Youngseob Cho, Seunghun Jin, Kyoil Chung
  • Publication number: 20100281515
    Abstract: Methods and apparatus are described for facilitating communication among a plurality of entities via an interoperability network. Each entity has policy data corresponding thereto governing interaction with the entity via the interoperability network. A message is transmitted from a first one of the entities to a second one of the entities. The first entity has first policy data corresponding thereto and the second entity has second policy data corresponding thereto. The transmitted message was handled in the network according to combined policy data representing a combination of the first and second policy data.
    Type: Application
    Filed: May 6, 2010
    Publication date: November 4, 2010
    Inventors: Alexander Lerner, Michael K. Dewey
  • Publication number: 20100281516
    Abstract: Methods and apparatus are described for facilitating communication among a plurality of entities via an interoperability network. Each entity has policy data corresponding thereto governing interaction with the entity via the interoperability network. A message is transmitted from a first one of the entities to a second one of the entities. The first entity has first policy data corresponding thereto and the second entity has second policy data corresponding thereto. The transmitted message was handled in the network according to combined policy data representing a combination of the first and second policy data.
    Type: Application
    Filed: May 6, 2010
    Publication date: November 4, 2010
    Inventors: Alexander Lerner, Michael K. Dewey
  • Publication number: 20100281513
    Abstract: Embodiments of the invention are directed to systems, methods, and computer program products configured to calculate an indicator of the likelihood that an entitlement exists in a first community relative to a second community. The calculated indicator is then used to determine the appropriateness of entitlements within the first community or after a transfer of a person from the first community to the second.
    Type: Application
    Filed: July 24, 2009
    Publication date: November 4, 2010
    Applicant: BANK OF AMERICA CORPORATION
    Inventors: Phillip L. Richards, David M. Andersen, Chadwick R. Renfro, Christopher P. Higgins
  • Publication number: 20100278338
    Abstract: A reconfigurable and scalable cryptography (encryption/decryption) system architecture and related method are described. The system utilizes a multiple-pass approach, each pass applying one cryptography algorithm with its own cryptography keys. The encrypted data can only be fully and correctly decrypted with the correct algorithms in the correct sequence (as determined by one or more security level parameters) and the correct cryptography keys. The system includes a multiple cryptography algorithm set section which is reconfigurable to perform multiple cryptography algorithms sequentially, and a cryptography controller which receives an input key set and a security level parameter. The cryptography controller reconfigures the multiple cryptography algorithm set section based on the security level parameter to perform multiple selected cryptography algorithms in a selected sequence.
    Type: Application
    Filed: May 4, 2009
    Publication date: November 4, 2010
    Applicant: MEDIATEK SINGAPORE PTE. LTD.
    Inventors: Yu-Lin Chang, Wensheng Zhou
  • Publication number: 20100281512
    Abstract: Embodiments of the invention are directed to systems, methods, and computer program products configured to determine communities within an organization dynamically based on the distribution of entitlements within the organization.
    Type: Application
    Filed: July 24, 2009
    Publication date: November 4, 2010
    Applicant: BANK OF AMERICA CORPORATION
    Inventors: Phillip L. Richards, David M. Andersen, Chadwick R. Renfro, Christopher P. Higgins
  • Patent number: 7827247
    Abstract: A parental control system is used to verify the identity of parents, based on children's instant messaging aliases. A plurality of verified parental accounts is maintained, each of which includes the identity of the parents and their children, including the children's instant messaging aliases. When a first child wishes to electronically communicate with a second child, s/he makes a request which includes the second child's alias and additional information identifying the target party. Only if an account containing the alias is found and the additional information can be verified, an identity verification request is transmitted, disclosing the identity of the first child's parents, and requesting reciprocal identity verification. Only if the second child's parents disclose their identity is the instant messaging between the children permitted.
    Type: Grant
    Filed: May 30, 2008
    Date of Patent: November 2, 2010
    Assignee: Symantec Corporation
    Inventors: Michael Paul Spertus, Keith Newstadt, Shaun Cooley
  • Patent number: 7826825
    Abstract: A method and system for restricting at least partial usage of a wireless communication device (100), like a mobile telephone, includes attempting to establish a communication channel (105) across a data network, such as non-IMS VoIP communication channel over a wide area network (103) like the Internet. Where the device (100) has been subsidized by a voice over data protocol service provider (121), the method permits such communication only when data communication channels having service provider identifiers (123) corresponding to one or more permitted data access identification codes (201) are accessible. Where they are not, at least partial usage of the device (100) will be restricted.
    Type: Grant
    Filed: February 25, 2007
    Date of Patent: November 2, 2010
    Assignee: Motorola, Inc.
    Inventors: Naveen Aerrabotu, Bharat Srinivasan
  • Patent number: 7827590
    Abstract: Systems and techniques are provided for controlling requests for resources from remote computers. A remote computer's ability to access a resource is determined based upon the computer's operating environment. The computer or computers responsible for controlling access to a resource will interrogate the remote computer to ascertain its operating environment. The computer or computers responsible for controlling access to a resource may, for example, download one or more interrogator agents onto the remote computer to determine its operating environment. Based upon the interrogation results, the computer or computers responsible for controlling access to a resource will control the remote computer's access to the requested resource.
    Type: Grant
    Filed: October 14, 2005
    Date of Patent: November 2, 2010
    Assignee: Aventail LLC
    Inventors: Chris Hopen, Gary Tomlinson, Parvez Anandam, Brian Young, Alan Flagg, Jude Michael Dylan O'Reilley
  • Patent number: 7827593
    Abstract: Embodiments of the inventions are generally directed to methods, apparatuses, and systems for the dynamic evaluation and delegation of network access control. In an embodiment, a platform includes a switch to control a network connection and an endpoint enforcement engine coupled with the switch. The endpoint enforcement engine may be capable of dynamically switching among a number of network access control modes responsive to an instruction received from the network connection.
    Type: Grant
    Filed: June 29, 2005
    Date of Patent: November 2, 2010
    Assignee: Intel Corporation
    Inventors: Ned M. Smith, Howard C. Herbert, Karanvir Grewal
  • Patent number: 7827615
    Abstract: A method for access control is provided. A request is received from an administrator to modify a user role for a user. Whether the user is in a user group that belongs exclusively to the administrator is determined. Whether the administrator role permits the request is determined in response to a determination that the user is in the user group. The user role is modified based on the request in response to a determination that the administrator role permits the request, wherein the user accesses a resource based on the user role.
    Type: Grant
    Filed: January 23, 2007
    Date of Patent: November 2, 2010
    Assignee: Sprint Communications Company L.P.
    Inventors: Mouaz Allababidi, Balagurunathan Balasubramanian, Bharath N. Kuruvalli, Lih-Jong Ma, Paul L. Taylor
  • Publication number: 20100275068
    Abstract: A method, device and system for managing resources in networks are provided, which relate to the field of data communication. The method includes the following steps. A resource manager (RM) sends a first request message according to a received resource request message, to request an access node (AN) to perform admission control. After receiving an admission control result indicating whether a resource requested by the resource request message is admitted, the RM sends a response message of the resource request message. Therefore, when multicast/unicast connection admission control (CAC) that supports shared bandwidth is realized, flow fusions of user line configuration between the AN and a broadband remote access system (BRAS), and policy distribution between a resource and admission control subsystem (RACS) and the BRAS, are guaranteed; and sharing of bandwidth resources is realized to avoid waste of the bandwidth resources.
    Type: Application
    Filed: July 2, 2010
    Publication date: October 28, 2010
    Applicant: HUAWEI TECHNOLOGIES CO., LTD.
    Inventors: Huailong Gu, Jun Li, Dongsheng Yue, Yiming Wang, Fuqing Huang, Zhenzhu LV, Ting Zou
  • Publication number: 20100275218
    Abstract: Methods and systems for controlling access of application programs to an adaptive input device are described herein. One exemplary computing system includes an application programming interface executable on a computing device for controlling said access to an adaptive input device having a plurality of display regions. The application programming interface is configured to receive a display request from one of the application programs to display formatted output on the composite display and is further configured to apply at least a display sharing policy based on application-specific policy settings received from the application program for defining an application-specific area including at least one of the display regions. Further, the application programming interface is configured to generate formatted output based on the application-specific policy settings, and to send the formatted output to the application-specific area for display.
    Type: Application
    Filed: April 22, 2009
    Publication date: October 28, 2010
    Applicant: MICROSOFT CORPORATION
    Inventors: Robert D. Young, Daniel M. Sangster, Marc DesCamp, Scott M. Mail, Vincent Ball, Dennis Meinhardt
  • Publication number: 20100275241
    Abstract: Methods and apparatus involve securely hosting workloads. Broadly, computing workloads are classified according to security concerns and those with common concerns are deployed together on common hardware platforms. In one instance, security tags are bi-modally attached or not to workloads meeting a predetermined security threshold. Those with tags are deployed on a common machine while those without tags are deployed on other machines. Tags may be embedded in meta data of open virtual machine formats (OVF). Considerations for re-booting computing devices are also contemplated as are multiplexing workloads. Computer program products are further disclosed.
    Type: Application
    Filed: April 23, 2009
    Publication date: October 28, 2010
    Inventor: Kattiganehalli Y. Srinivasan
  • Publication number: 20100274878
    Abstract: A method for establishing data connections on a mobile network, a mobile network, and a policy control entity are disclosed. The method includes: establishing a data channel between a user equipment (UE) and a gateway (GW), and allocating an Internet Protocol (IP) address to the UE according to an address allocation request or a data channel setup request sent from the UE; and triggering the policy control entity to establish or update a policy control session according to the IP address. By using the mobile network and the policy control entity under the present invention, after the data channel is established between the UE and the GW, the GW may trigger the policy control entity to establish or update a policy control session.
    Type: Application
    Filed: July 9, 2010
    Publication date: October 28, 2010
    Inventors: Yu Yin, Ying Hu, Shanshan Wang
  • Publication number: 20100271666
    Abstract: An image display device is provided with a storage for storing an image, a display for displaying a preview of the image, a security setting receiving unit for receiving setting as to whether or not the preview of the image is to be displayed with security, an image processing unit for applying an image quality degradation process to the image for which the security setting receiving unit received the setting for displaying the preview of the image with security, and a preview display controlling unit for causing the image having the image quality degradation process applied by the image processing unit to be displayed at the time of the preview display of the image for which the setting for the security display was received.
    Type: Application
    Filed: April 21, 2010
    Publication date: October 28, 2010
    Applicant: KYOCERA MITA CORPORATION
    Inventor: Shinichi Kimura
  • Patent number: 7823187
    Abstract: This invention is to safely and reliably distribute authentication information to users or user terminals. The method includes: requesting authentication for an access destination via a network using predetermined authentication information; receiving a notification indicating an authentication failure from the access destination; acquiring the currently valid authentication information from an authentication information manager by transmitting data that demonstrates the requester's own legitimacy, and storing the acquired authentication information into a storage device; and requesting authentication for the access destination via the network using the acquired, currently valid authentication information. Thus, by anticipating that an authentication failure will occur, and by having the user side present data demonstrating its legitimacy to the authentication information manager, the currently valid authentication information is distributed, for example after encryption.
    Type: Grant
    Filed: September 18, 2006
    Date of Patent: October 26, 2010
    Assignee: Fujitsu Limited
    Inventors: Kosuke Tanaka, Yasuomi Iriyama, Ryuichi Sato, Hiroaki Morikawa
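The failure-then-refresh exchange in the abstract above, as an added example that is not code from the patent or from Fujitsu. The proof of legitimacy is modelled as an HMAC over a single-use nonce with a long-term client key (an assumption; the patent does not specify the mechanism), and the manager and the access destination are assumed to share the current credential out of band. Transport encryption of the distributed credential is assumed to be provided by the channel and is not implemented here.

```python
"""Credential refresh after an authentication failure (added example)."""
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional


class AuthInfoManager:
    """Holds each user's currently valid credential and a long-term client key.
    Legitimacy is proven by a challenge-response HMAC; this is an assumed design."""

    def __init__(self) -> None:
        self.client_keys: Dict[str, bytes] = {}
        self.current: Dict[str, str] = {}
        self._pending: Dict[str, bytes] = {}   # one outstanding challenge per user

    def enroll(self, user: str, client_key: bytes, credential: str) -> None:
        self.client_keys[user] = client_key
        self.current[user] = credential

    def rotate(self, user: str) -> None:
        """Issue a new credential; terminals still holding the old one will now fail."""
        self.current[user] = secrets.token_hex(16)

    def challenge(self, user: str) -> bytes:
        nonce = os.urandom(16)
        self._pending[user] = nonce
        return nonce

    def fetch(self, user: str, nonce: bytes, proof: bytes) -> Optional[str]:
        """Release the current credential only for a valid, unreplayed proof."""
        expected_nonce = self._pending.pop(user, None)   # single use: blocks replay
        if expected_nonce is None or not hmac.compare_digest(nonce, expected_nonce):
            return None
        key = self.client_keys.get(user)
        if key is None:
            return None
        expected = hmac.new(key, b"fetch|" + user.encode() + b"|" + nonce,
                            hashlib.sha256).digest()
        if not hmac.compare_digest(proof, expected):
            return None
        return self.current[user]


class AccessDestination:
    """The service being logged into; it checks the presented credential against
    the manager's current one (assumed to be synchronized out of band)."""

    def __init__(self, manager: AuthInfoManager) -> None:
        self.manager = manager

    def authenticate(self, user: str, credential: str) -> bool:
        current = self.manager.current.get(user)
        return current is not None and hmac.compare_digest(current, credential)


class ClientTerminal:
    def __init__(self, user: str, client_key: bytes, stored_credential: str) -> None:
        self.user = user
        self.key = client_key
        self.stored = stored_credential   # the "predetermined authentication information"

    def prove(self, nonce: bytes) -> bytes:
        return hmac.new(self.key, b"fetch|" + self.user.encode() + b"|" + nonce,
                        hashlib.sha256).digest()

    def login(self, dest: AccessDestination, manager: AuthInfoManager) -> str:
        """Returns 'ok', 'ok-after-refresh' or 'failed'."""
        if dest.authenticate(self.user, self.stored):
            return "ok"
        # Failure notification received: prove legitimacy to the manager, pull the
        # current credential, store it, and retry exactly once.
        nonce = manager.challenge(self.user)
        fresh = manager.fetch(self.user, nonce, self.prove(nonce))
        if fresh is None:
            return "failed"
        self.stored = fresh
        return "ok-after-refresh" if dest.authenticate(self.user, fresh) else "failed"


if __name__ == "__main__":
    mgr = AuthInfoManager()
    mgr.enroll("alice", b"alice-long-term-key", "cred-v1")
    dest = AccessDestination(mgr)
    term = ClientTerminal("alice", b"alice-long-term-key", "cred-v1")
    print(term.login(dest, mgr))   # ok
    mgr.rotate("alice")
    print(term.login(dest, mgr))   # ok-after-refresh
```

Two points matter in practice: the retry must be bounded (one refresh per failure, as above), or a misbehaving destination turns every failure into a fetch storm against the manager; and the proof must be bound to a fresh nonce, otherwise a captured proof lets anyone pull the user's current credential after the next rotation.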
  • Patent number: 7823185
    Abstract: A system, method, and computer program product for increasing security of grid enabled computing environments. The system, method, and computer program product include: scheduling execution of a computing job; determining if an edge policy exists for the computing job; tracking said execution of the computing job; dividing the computing job into portions; assigning the portions of the computing job according to the edge policy; determining if there is an attempt to violate the edge policy; and prohibiting a violation of the edge policy.
    Type: Grant
    Filed: June 8, 2005
    Date of Patent: October 26, 2010
    Assignee: Federal Home Loan Mortgage Corporation
    Inventors: James W. Seaman, David Steele
  • Patent number: 7823186
    Abstract: The invention relates to a system and method for providing multiple assembly caches for storing shared application resources. Each assembly cache may be associated with different security policies, locations, internal structures and management. An application may be determined to have access to an assembly cache based on the permission and security policy of the application and the security policy of the assembly cache. Additionally, one or more assembly caches may have other policies for cache retention, resolution, and creation.
    Type: Grant
    Filed: August 24, 2006
    Date of Patent: October 26, 2010
    Assignee: Novell, Inc.
    Inventor: Sebastien Pouliot
  • Patent number: 7819328
    Abstract: An optical identification element. The optical identification element is associated with an object and includes encoded or stored information associated with the object. The optical identification element includes an optical assembly that generates electrical power in response to incident light from a reader. The generated electrical power is used by the optical identification element to at least retrieve the data and then transmit the data back to the reader optically.
    Type: Grant
    Filed: April 27, 2006
    Date of Patent: October 26, 2010
    Assignee: Finisar Corporation
    Inventor: Frank Levinson
  • Publication number: 20100268772
    Abstract: A system and method for determining effective policy profiles is presented herein. The system includes one or more client devices configured to initiate a request for at least one effective policy profile, a server mechanism communicatively coupled to the one or more client devices and configured to receive the request for the at least one effective policy profile and determine the at least one effective policy profile for each of the requesting client devices, and a policy data storage component communicatively coupled to the server mechanism and configured to store a plurality of policy profiles. The plurality of policy profiles includes an association between each of the one or more client devices and one or more of the plurality of policy profiles.
    Type: Application
    Filed: June 29, 2010
    Publication date: October 21, 2010
    Applicant: Novell, Inc.
    Inventors: David A. Romanek, Ty Ellis, Matthew E. Lewis, Daniel E. Montroy, David Michael Lakis, Farzad Esfarjani, Ken W. Muir
  • Publication number: 20100269148
    Abstract: Presented is an automated policy-provisioning method for a computing system having a service-oriented architecture. The system comprises at least one managed service and at least one policy enforcement point operable to enforce a runtime policy for the service. The method comprises: receiving in machine-readable form at least one semantic rule defining a condition imposed by a business policy; receiving machine-readable data describing a runtime policy enforcement capability of the at least one policy enforcement point; determining based on the at least one rule and the capability whether the at least one policy enforcement point can meet the condition; based on the determination, deriving a runtime policy suitable for enforcing the condition; and communicating the runtime policy to the at least one policy enforcement point.
    Type: Application
    Filed: March 23, 2010
    Publication date: October 21, 2010
    Inventors: Kiran Joseph ALMEIDA, Viji Kakkattu RAVINDRAN, Niranjan RAMARAJAR
  • Publication number: 20100269149
    Abstract: The present invention relates to a web service method and an apparatus therefor. A service apparatus in accordance with the present invention includes a message security gateway for security, an authentication server, an authorization server, a security policy server, a harmful site database, and an application server. User authentication employs SAML assertion of an SAML authority server. A service method in accordance with the present invention analyzes a message format and can employ security technologies although they have different message formats.
    Type: Application
    Filed: December 5, 2008
    Publication date: October 21, 2010
    Applicant: Electronics and Telecommunications Research Institute
    Inventors: Jae Seung Lee, Kyo Il Chung
  • Patent number: 7818789
    Abstract: This invention is directed to provide a method for enabling an administrator to monitor and selectively limit the computer functions available to a user. The method is carried out on a personal computer by an administrator, and administrator decisions can be enforced on other personal computers in a local network. The invention enables an administrator to restrict a user's logon hours, logon duration, access to computer functions, and access to applications based on content rating. In addition, the administrator may temporarily restrict or extend normally allowed access privileges. The invention also allows for the monitoring, auditing, and reporting of a user's computer function usage to an administrator.
    Type: Grant
    Filed: January 24, 2008
    Date of Patent: October 19, 2010
    Assignee: Microsoft Corporation
    Inventors: Craig Adam Beilinson, Raymond J. Chen, Ramkumar Ramasubramanian, Dennis L. Davis, Christopher A. Evans, Eric R. Flo, Sterling M. Reasor
  • Patent number: 7818781
    Abstract: A facility for setting and revoking policies is provided. The facility receives from a controlling process a request to set a policy on a controlled process, and determines whether the controlling process has privilege to set the policy on the controlled process. If the facility determines that the controlling process has that privilege, it sets the policy on the controlled process, which causes the policy to be applied to the controlled process to determine whether the controlled process has authorization to access one or more resources.
    Type: Grant
    Filed: October 1, 2004
    Date of Patent: October 19, 2010
    Assignee: Microsoft Corporation
    Inventors: Gilad Golan, Mark Vayman, Scott A. Field
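The set/revoke facility of the abstract above, as an added example that is not code from the patent or from Microsoft. Processes are plain records; the privilege rule (an administrator, or a distinct process of the same user, may set a policy) and the policy model (an allow-list of path prefixes, no policy meaning unrestricted) are assumptions. One extra rule is added, also an assumption, because it is the check a reviewer would ask for: a controller that is itself restricted cannot grant a controlled process resources beyond its own policy, and only an unrestricted controller may revoke one.

```python
"""Set and revoke per-process resource policies with a privilege check (added example)."""
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass
class Process:
    pid: int
    uid: int
    admin: bool = False
    policy: Optional[Set[str]] = None   # None = no policy set, i.e. unrestricted


def _covers(allowed: str, resource: str) -> bool:
    """Path-prefix match on a directory boundary: '/tmp/work' covers '/tmp/work/x'
    but not '/tmp/workx'. A bare '/' covers everything."""
    allowed = allowed.rstrip("/")
    if not allowed:
        return True
    return resource == allowed or resource.startswith(allowed + "/")


class PolicyFacility:
    def __init__(self) -> None:
        self.procs: Dict[int, Process] = {}

    def register(self, proc: Process) -> None:
        self.procs[proc.pid] = proc

    def may_control(self, controller: Process, controlled: Process) -> bool:
        """Privilege check: an admin, or a distinct process owned by the same user."""
        if controller.pid == controlled.pid:
            return False
        return controller.admin or controller.uid == controlled.uid

    def set_policy(self, controller_pid: int, controlled_pid: int, allowed: Set[str]) -> bool:
        ctl, tgt = self.procs[controller_pid], self.procs[controlled_pid]
        if not self.may_control(ctl, tgt):
            return False
        # Assumed rule: a restricted controller may not grant more than it holds.
        if ctl.policy is not None and not all(
                any(_covers(a, r) for a in ctl.policy) for r in allowed):
            return False
        tgt.policy = set(allowed)
        return True

    def revoke_policy(self, controller_pid: int, controlled_pid: int) -> bool:
        ctl, tgt = self.procs[controller_pid], self.procs[controlled_pid]
        if not self.may_control(ctl, tgt):
            return False
        if ctl.policy is not None:   # assumed: revocation lifts all limits, so needs an unrestricted controller
            return False
        tgt.policy = None
        return True

    def authorized(self, pid: int, resource: str) -> bool:
        """Apply the controlled process's policy to a resource access."""
        proc = self.procs[pid]
        return proc.policy is None or any(_covers(a, resource) for a in proc.policy)


if __name__ == "__main__":
    f = PolicyFacility()
    for p in (Process(1, 1000), Process(2, 1000), Process(3, 1001), Process(4, 0, admin=True)):
        f.register(p)
    print(f.set_policy(1, 2, {"/tmp/work"}), f.authorized(2, "/tmp/work/out"), f.authorized(2, "/etc/passwd"))
```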
  • Patent number: 7818576
    Abstract: A method, system, and program for user controlled anonymity when evaluating into a role are provided. An anonymous authentication controller enables a user to control anonymity of the user's identity for role based network accesses to resources, without requiring reliance on any single third party to maintain user anonymity. First, a role authentication certificate is received from a role authenticator, wherein the role authentication certificate certifies that the holder of the role authentication certificate is a member of a particular role without allowing the role authenticator issuing the role authentication certificate the ability to track an identity of a user holding the role authentication certificate.
    Type: Grant
    Filed: September 23, 2008
    Date of Patent: October 19, 2010
    Assignee: International Business Machines Corporation
    Inventors: Michael Austin Halcrow, Dustin C Kirkland, Emily Jane Ratliff
  • Patent number: 7818780
    Abstract: A routing policy compiler generates a configuration data abstraction layer of a routing policy which maps configuration to an intermediate layer comprising fields, operators and arguments. A policy repository verifies the intermediate layer against a set of verification rules for one or more client protocols, including versions thereof. The policy repository may generate a compiled policy transmission language for use by one or more client protocols, including versions thereof. The policy compiler supports multiple software versions of client protocols with differing capabilities, as well as differing client protocols. In some embodiments, an optimization may be performed on a compiled policy so that route updates are processed more efficiently. The policy compiler may permit the addition of new attributes to a routing protocol without having to recompile. Policy statements may be verified for more than one client protocol, including more than one version of a client protocol.
    Type: Grant
    Filed: April 1, 2004
    Date of Patent: October 19, 2010
    Assignee: Cisco Technology, Inc.
    Inventors: Robert James Salmi, Michael Robert Rowlee, Thomas P. Barron, Stuart Charles Stanley, Haldane Roy Peterson, David Delano Ward
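The configuration-to-intermediate-layer mapping and per-client verification described above, as an added example that is not code from the patent or from Cisco. The policy syntax (`match <field> <operator> <argument>` / `set <field> <argument>`), the capability table keyed by protocol and version, the argument checks, and the line-oriented transmission format are all constructed for this example; the protocol names are only labels.

```python
"""Compile routing policy text to (field, operator, argument) and verify it per client."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple

Client = Tuple[str, int]   # (protocol, software version)


@dataclass(frozen=True)
class Stmt:
    action: str      # "match" or "set"
    field: str
    operator: str    # comparison operator for match, "set" for set
    argument: str


# Constructed capability table: which fields and operators each client understands.
CAPABILITIES: Dict[Client, Dict[str, Set[str]]] = {
    ("bgp", 1): {"prefix": {"within", "eq"}, "as-path": {"regex"},
                 "community": {"has"}, "local-preference": {"set"}},
    ("bgp", 2): {"prefix": {"within", "eq"}, "as-path": {"regex"},
                 "community": {"has"}, "extcommunity": {"has"},
                 "local-preference": {"set"}},
    ("rip", 1): {"prefix": {"within", "eq"}, "metric": {"set"}},
}

# Argument validation per field; each raises or returns False on bad input.
ARGUMENT_CHECKS: Dict[str, Callable[[str], bool]] = {
    "prefix": lambda a: ipaddress.ip_network(a, strict=True) is not None,
    "as-path": lambda a: re.compile(a) is not None,
    "community": lambda a: re.fullmatch(r"\d{1,5}:\d{1,5}", a) is not None,
    "extcommunity": lambda a: re.fullmatch(r"(rt|soo):\d{1,5}:\d{1,10}", a) is not None,
    "local-preference": lambda a: 0 <= int(a) <= 4294967295,
    "metric": lambda a: 0 <= int(a) <= 16,
}


def compile_policy(text: str) -> List[Stmt]:
    """Configuration text -> intermediate layer of fields, operators and arguments."""
    ir: List[Stmt] = []
    for lineno, raw in enumerate(text.strip().splitlines(), 1):
        parts = raw.split()
        if not parts:
            continue
        if parts[0] == "match" and len(parts) == 4:
            ir.append(Stmt("match", parts[1], parts[2], parts[3]))
        elif parts[0] == "set" and len(parts) == 3:
            ir.append(Stmt("set", parts[1], "set", parts[2]))
        else:
            raise SyntaxError(f"line {lineno}: cannot parse {raw!r}")
    return ir


def verify(ir: List[Stmt], protocol: str, version: int) -> List[str]:
    """Check the intermediate layer against one client's verification rules."""
    caps = CAPABILITIES.get((protocol, version))
    if caps is None:
        return [f"unknown client {protocol} v{version}"]
    errors: List[str] = []
    for s in ir:
        ops = caps.get(s.field)
        if ops is None:
            errors.append(f"{protocol} v{version}: field {s.field!r} unsupported")
            continue
        if s.operator not in ops:
            errors.append(f"{protocol} v{version}: {s.field} does not support {s.operator!r}")
            continue
        try:
            ok = ARGUMENT_CHECKS[s.field](s.argument)
        except (ValueError, re.error):
            ok = False
        if not ok:
            errors.append(f"{protocol} v{version}: bad argument {s.argument!r} for {s.field}")
    return errors


def verify_all(ir: List[Stmt], clients: List[Client]) -> Dict[Client, List[str]]:
    """Verify one policy for several protocols and versions at once."""
    return {c: verify(ir, *c) for c in clients}


def to_transmission(ir: List[Stmt]) -> str:
    """Constructed compact line format that a verified policy is pushed to a client in."""
    return "\n".join(f"{s.action}|{s.field}|{s.operator}|{s.argument}" for s in ir)


# Constructed sample policy.
SAMPLE_POLICY = """
match prefix within 10.0.0.0/8
match as-path regex ^65000_
match community has 65000:100
set local-preference 200
"""

if __name__ == "__main__":
    ir = compile_policy(SAMPLE_POLICY)
    for client, errs in verify_all(ir, [("bgp", 1), ("bgp", 2), ("rip", 1)]).items():
        print(client, errs or "ok")
    print(to_transmission(ir))
```

Verifying the intermediate layer rather than the raw text is what makes the multi-version case cheap: the same `Stmt` list is checked against each client's table, and a policy that uses a field only a newer version knows is rejected for the older one before anything is transmitted.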
  • Patent number: 7818790
    Abstract: A network of routers is monitored by a monitoring server. Each router implements various security mechanisms to secure the operation of the routers. For example, each router comprises control logic that implements a security protocol dictated, at least in part, by contents of at least two separate external storage devices, each storage device separate from, but coupled to, one of the ports of said router.
    Type: Grant
    Filed: September 20, 2006
    Date of Patent: October 19, 2010
    Assignee: ERF Wireless, Inc.
    Inventors: John Arley Burns, Edward J. Blevins, John Adrian Burns, Charles C. Hardin, Samuel D. Hartman, Dale S. Walker, Ricky C. White
  • Publication number: 20100262488
    Abstract: Hosted content received from media hosts is used to generate a set of fingerprints representing the hosted content. The fingerprints representing the hosted content are compared to a set of fingerprints representing reference content submitted by content owners to generate one or more match metrics. Based on the match metrics, the media host may provide an indication that it accepts policy terms specified by the content owners, including revenue sharing terms. If the media host accepts the revenue sharing terms, the media host may provide advertising content to viewers in association with the hosted content matching the reference content. Funds received from providing advertising content are distributed to the media host and the content owner according to the revenue sharing terms.
    Type: Application
    Filed: April 6, 2010
    Publication date: October 14, 2010
    Applicant: GOOGLE INC.
    Inventors: Kyle Harrison, David King, Robert On
  • Publication number: 20100263018
    Abstract: A system for processing electronic transactions according to policies is disclosed. The system includes a user module configured to store computer-readable information related to a user, and a policy module configured to store a plurality of policies for electronic transactions. Each policy for an electronic transaction includes a permission to access a physical space or item by a user. The system also includes a processor configured to receive a request to complete an electronic transaction by the user, and configured to dynamically apply, upon receipt of the request by the processor, the plurality of policies to the user based on the request to complete the electronic transaction. Methods and machine-readable mediums are also disclosed.
    Type: Application
    Filed: June 1, 2009
    Publication date: October 14, 2010
    Applicant: BLACKBOARD INC.
    Inventors: Dennis Cozart, Lorcan McGuinness, Michael Peterson
  • Publication number: 20100263019
    Abstract: An arrangement for declaration of the security level of transport paths/routes in one or more data networks, where the arrangement at least comprises: an entity (3) configured to interrogate nodes in said at least one data network with respect to said nodes' security level and/or the certificates said nodes possess, at least one database comprising information about the strength of certificates and the issuers of certificates, at least one mechanism configured to retrieve information from domain name servers (2), and an interface configured to receive requests for declaration from one or more senders (1). The present invention also discloses a corresponding method for declarations of the security level of transport paths/routes in one or more data networks.
    Type: Application
    Filed: August 29, 2008
    Publication date: October 14, 2010
    Applicant: MESSAGE MANAGEMENT AS
    Inventor: Trond Lemberg
  • Publication number: 20100262825
    Abstract: A security method in a server-based mobile IP system is provided. Specifically, in the security method, general data is securely exchanged in addition to the control messages that are exchanged between a mobile node and a server or between mobile nodes. In particular, provided is a method of securely exchanging data by using a mobile node including an mPAK execution module, which generates the necessary keys by exchanging key information with the server while performing a mutual authentication process and negotiating the security policy, and a security module, which sets the security policy negotiated with the corresponding node and applies that security policy to data when transmitting it.
    Type: Application
    Filed: March 26, 2008
    Publication date: October 14, 2010
    Applicant: Electronics and Telecommunications Research Institute
    Inventors: Ho Sun Yoon, Ho Yong Ryu, Sung Back Hong