WO2008073647A1 - Reputation-based authorization decisions - Google Patents
- Authority
- WO
- WIPO (PCT)
Classifications
- G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- H04L63/102: Entity profiles (under H04L63/10, network security architectures or protocols for controlling access to devices or network resources)
- G06F15/00: Digital computers in general; Data processing equipment in general
- G06F21/6218: Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database
- G06Q10/06: Resources, workflows, human or project management; Enterprise or organisation planning; Enterprise or organisation modelling
Definitions
- Access control systems authorize programs and applications to perform operations, such as authorizing a software package downloaded via the Internet to read, write, or open a file located on a user's computer. Traditionally, access control systems decide whether or not to authorize an operation by referencing an access control list, a look-up list, or the like.
- This document describes tools capable of receiving reputation metadata effective to enable better decision making about whether or not to authorize operations in a computing system.
- The tools may build a reputation value from this reputation metadata and, based on this value and an authorization rule, better decide whether or not to authorize an operation requested by some program, application, or other actor.
- FIG. 1 illustrates an exemplary operating environment having a reputation value builder and in which various embodiments of the tools may operate.
- FIG. 2 illustrates another exemplary operating environment having a reputation provider and in which various embodiments of the tools may operate.
- FIG. 3 illustrates an exemplary reputation value builder configured to receive reputation metadata and output a reputation value.
- FIG. 4 illustrates an exemplary authorization input builder configured to receive a reputation value and create an authorization input.
- FIG. 5 illustrates an exemplary authorization module configured to receive a request and an authorization input and output an authorization decision.
- A fifth section, entitled Authorization Module, discusses manners in which the tools may act to make authorization decisions based on the authorization input indicative of the actor's reputation value.
- A final section, entitled Exemplary Implementation, describes one non-limiting way in which the claimed tools may collectively operate. This overview, including these section titles and summaries, is provided for the reader's convenience and is not intended to limit the scope of the claims or the entitled sections.
- Figure 1 illustrates one such operating environment generally at 100 in which a user 102 may operate a client device 104.
- Client device 104 is generally a computing device, such as a personal computer, and may include a local service provider 106.
- Local service provider 106 may be integral with, accessible by, or separate from client device 104.
- Local service provider 106 may comprise a disk drive, flash memory drive, zip drive, or any other device capable of coupling to computer-readable media.
- Local service provider 106 may also comprise a CD/DVD drive, into which a computer-readable medium including a software application may be inserted and executed.
- Client device 104 may connect via a network 108 to a remote service provider 110.
- Remote service provider 110 may comprise a server or the like, from which the user and the client device may download a software application, program, or other actor capable of requesting an operation.
- The client device may also connect via the network to a reputation value builder 112.
- The reputation value builder may build a reputation value 114 usable in making an authorization decision.
- The reputation value builder may receive reputation metadata 116 from one or more reputation metadata providers 118.
- Reputation metadata 116 may comprise any information associated with a reputation metadata provider's estimation of an actor's reputation.
- An actor may include a software program, application, dynamically linked library, installation program, file, picture, document, applet, ActiveX control, or any other code capable of executing on software or hardware.
- Reputation metadata providers 118 may comprise any person or device capable of estimating, judging, or valuing the reputation of an actor.
- One reputation metadata provider may itself comprise a software program or the like, while another reputation metadata provider may comprise a person who has used the actor being judged. More specifically, a reputation metadata provider of the first type could comprise a security application, which could provide reputation metadata in response to an independent review and analysis of the actor being judged. The latter reputation metadata provider, meanwhile, could comprise a member of an online community. In this example, individual members of an online community may judge or vote on the reputation of a particular actor. If these members have had positive experiences with the actor, then they may provide reputation metadata 116 that speaks positively to that actor's reputation. Of course, if these members have had negative experiences, then they may provide reputation metadata 116 that speaks negatively about that actor.
- Reputation value builder 112 may aggregate the reputation metadata.
- The reputation value builder creates and outputs a reputation value that represents an average of the received reputation metadata 116.
- Multiple reputation value builders may exist and be utilized in making authorization decisions. In these instances, each reputation value may be compiled together to form an aggregate reputation value.
- The user may wish to allow an actor to run on client device 104. This actor may be run from local service provider 106 or from remote service provider 110. In the former case, the actor may make a local request 120 to perform some operation on an object of client device 104.
- This object may comprise a file, document, picture, or any other data located on or accessible by client device.
- The actor may request via local request 120 to read, write, or open a file located on client device 104.
- If the software application or the like is run from remote service provider 110, the actor may make a remote request 122 to perform some operation on some object located on or accessible by the client device.
- The client device may first seek to verify the reputation of the actor before granting or denying the actor permission to perform the requested operation.
- The client device includes one or more processors 124 and one or more computer-readable media 126.
- Computer-readable media 126 includes an access control module 128, which may serve to grant or deny access to actors seeking contact with certain objects located on or accessible by client device 104.
- Access control module 128 may include an authorization input builder 130 and an authorization module 132.
- Authorization input builder 130 may serve to receive reputation values 114, as well as other components discussed below, and create an authorization input for use in making authorization decisions.
- Authorization module 132 may include a rules module 134. Rules module 134 may implement local or remote authorization rules or policies for use in deciding whether or not to grant access to actors seeking permission.
- Authorization module 132 may receive the authorization input from authorization input builder 130 and compare the authorization input against one or more rules in the rules module. Depending upon the authorization input value as well as the configuration of the rules module, the authorization module may permit or deny the actor's request to perform a particular operation on a particular object requested.
- Access control module 128 may also prompt the user to decide whether or not to allow the requested operation to occur.
- While the access control module is shown as part of the client device, it can also be located remotely, possibly comprising a portion of reputation value builder 112.
- An actor may make either a local or remote request to perform some operation on an object.
- Client device 104 may request, and reputation value builder 112 may provide, a reputation value 114 indicative of the actor's reputation. This reputation value may then be provided to the access control module and possibly authorization input builder 130.
- The authorization input builder may then use this value, as well as other components discussed below, to build an authorization input indicative of the actor's reputation.
- The authorization input may then be provided to the authorization module, which may compare the authorization input against rules within rules module 134.
- Authorization module 132 may then output an access or authorization decision as to whether or not to grant access to the actor, or whether to allow user 102 to decide.
- Where the access control module comprises a portion of reputation value builder 112, the reputation value builder may itself simply provide the access or authorization decision to the client device.
- FIG. 2 illustrates another operating environment generally at 200 in which the claimed tools may also operate.
- Figure 2 comprises many of the same elements as illustrated in and described with reference to figure 1.
- A reputation provider 202 may take the place of reputation value builder 112 of environment 100. Similar to reputation value builder 112, reputation provider 202 may receive reputation metadata 116 from reputation metadata providers 118. Here, however, reputation provider 202 may also output reputation metadata 116, possibly in response to a request from client device 104. Again, while a single reputation provider is shown, multiple reputation providers may exist and be utilized in making authorization decisions.
- Client device 104 may include one or more computer-readable media 204, which may itself include an access control module 206. Similar to access control module 128, access control module 206 may include authorization input builder 130, authorization module 132, and rules module 134. Access control module 206, however, may further include a reputation value builder 208. Reputation value builder 208 may function in a manner similar to that of reputation value builder 112. That is, the reputation value builder may receive reputation metadata 116 and create and output a reputation value.
- An actor such as a software application may request to perform some operation upon an object located on or accessible by client device 104.
- Reputation metadata 116 compiled by reputation provider 202 may be provided to the client device. More specifically, reputation metadata 116 may be provided to reputation value builder 208, which may output a reputation value to authorization input builder 130. As discussed above, authorization input builder 130 may receive this reputation value and create an authorization input. The input may then be provided to authorization module 132, which may compare the input to one or more rules or policies within rules module 134. Authorization module 132 may then output an access or authorization decision, as discussed in detail below.
Reputation Value Builder
- Figure 3 illustrates a computing device 300 including one or more computer-readable media 302, which may couple to a reputation value builder 304.
- The reputation value builder may be integral with, accessible by, or separate from the computer-readable media.
- The reputation value builder may function in many of the ways discussed above in regards to reputation value builders 112 and/or 208.
- While FIG. 3 illustrates reputation metadata 116 being provided remotely, reputation metadata may also be provided locally at client device 104.
- Reputation value builder 304 may receive reputation metadata 116.
- Reputation value builder 304 may create and output reputation value 114, which is indicative of an actor's reputation.
- Reputation metadata 116 may come from one or more reputation metadata providers 118 or the like.
- Reputation metadata providers may be members of an online community, or may be a software program, operating on a computing entity, that is capable of tracking actors' reputations via independent product review and analysis.
- A reputation metadata provider 118 may also comprise a subscription program to which users must subscribe in order to receive reputation metadata 116 or reputation value 114.
- An actor's reputation may evolve over time, as more community members or computing entities provide input pertaining to the actor's reputation. While a few specific ways of compiling reputation metadata 116 have been described, this information may be compiled in any way operable to collect metadata indicative of actors' reputations.
- Reputation value builder 304 may either be located remotely in relation to a client device as shown in figure 1, or locally as shown in figure 2.
- The client device, or some module running thereon, may send a request for a reputation value pertaining to a certain actor.
- This request may include an attribute that uniquely identifies the actor for which a reputation value is desired.
- This attribute may comprise a digitally signed attribute, such as a cryptographic message authenticator.
- The reputation value builder(s) may then provide the local client with one or more reputation values.
- Each builder may have already aggregated multiple pieces of reputation metadata 116 into a reputation value 114. If multiple builders exist, then the client device may compile their values into an aggregate reputation value.
- Where the reputation value builder is local, it may instead request reputation metadata 116 from one or more reputation providers 202.
- The local value builder may then compile and aggregate this metadata from one or more reputation providers 202 into a reputation value 114.
- Reputation value builder 304 may display transitive qualities in some instances.
- An actor requesting to perform some operation upon an object may merely comprise the leaf node of a chain of processes.
- In such cases, reputation value builder 304 may traverse the entire branch of calling modules related to the leaf node. For instance, envision that a user of a client device clicks on a hyperlinked picture, which results in an actor requesting to perform an operation on a local object.
- Reputation value builder 112 may therefore not only provide a reputation value for the picture, but it may also analyze the parent and/or grandparent processes running previous to the picture. In some instances, an individual reputation value may be provided for each node, while in other instances an aggregate result may be given for the entire branch.
- Reputation value 114 may be offered at varying levels of granularity.
- For instance, a reputation value of an actor may be one of "good", "bad", or "unknown".
- These varying values may help determine whether or not the actor should be granted the requested access.
- While reputation values may comprise these relatively simple values, they may also comprise a finer level of granularity.
- For example, a reputation value of an actor could comprise one or more of the following:
- Reputation value builder 304 may provide reputation value 114 to an authorization input builder.
- The reputation value may form a portion of an authorization input for use in determining whether or not access should be granted to a requesting actor.
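The aggregation of provider metadata into a reputation value, the client-side compilation of values from several builders, and the transitive walk over a chain of calling processes described in this section, as an added Python example that is not code from the patent or its assignee. The score range of -1.0 to +1.0, the thresholds, the minimum-report rule, and the weakest-link rule for a branch are assumptions; the actor names and provider reports are constructed sample data.

```python
"""Reputation value builder: averages reputation metadata from several
providers, maps the average onto the coarse "good"/"bad"/"unknown" labels,
combines values returned by several builders, and evaluates a chain of
calling processes transitively. Thresholds, score range and the weakest-link
branch rule are assumptions, not taken from the patent text."""
from dataclasses import dataclass
from statistics import mean
from typing import Iterable


@dataclass(frozen=True)
class ReputationMetadata:
    provider: str   # a security application or an online-community member
    actor_id: str   # attribute uniquely identifying the actor (a signed digest in practice)
    score: float    # provider's estimate; assumed range -1.0 (bad) .. +1.0 (good)


GOOD_THRESHOLD = 0.5    # average at or above this -> "good"
BAD_THRESHOLD = -0.5    # average at or below this -> "bad"
MIN_REPORTS = 2         # fewer reports than this -> "unknown" regardless of average
RANK = {"bad": 0, "unknown": 1, "good": 2}   # ordering used for the branch aggregate


def coarse_value(score: float) -> str:
    """Map an averaged score onto the coarse labels the text names."""
    if score >= GOOD_THRESHOLD:
        return "good"
    if score <= BAD_THRESHOLD:
        return "bad"
    return "unknown"


class ReputationValueBuilder:
    def __init__(self, metadata: Iterable[ReputationMetadata]) -> None:
        self._by_actor: dict[str, list[ReputationMetadata]] = {}
        for m in metadata:
            if not -1.0 <= m.score <= 1.0:
                raise ValueError(f"{m.provider}: score out of range for {m.actor_id}")
            self._by_actor.setdefault(m.actor_id, []).append(m)

    def reputation_value(self, actor_id: str) -> tuple[float, str]:
        """Average the metadata for one actor; too few reports -> 'unknown'."""
        reports = self._by_actor.get(actor_id, [])
        if not reports:
            return 0.0, "unknown"
        avg = round(mean(r.score for r in reports), 3)
        label = coarse_value(avg) if len(reports) >= MIN_REPORTS else "unknown"
        return avg, label

    def chain_value(self, chain: list[str]) -> dict:
        """Transitive evaluation: `chain` lists the leaf actor first, then its
        parent, grandparent, ... Each node gets its own value and the branch
        gets an aggregate equal to its least trusted node (weakest link)."""
        if not chain:
            raise ValueError("chain must name at least the leaf actor")
        per_node = {actor: self.reputation_value(actor) for actor in chain}
        branch = min((label for _, label in per_node.values()), key=RANK.__getitem__)
        return {"per_node": per_node, "branch": branch}


def combine_builder_values(values: list[tuple[float, str]]) -> tuple[float, str]:
    """Client-side aggregation when several reputation value builders answer."""
    if not values:
        return 0.0, "unknown"
    avg = round(mean(score for score, _ in values), 3)
    return avg, coarse_value(avg)


# Constructed sample metadata (not real products or providers).
SAMPLE_METADATA = [
    ReputationMetadata("security_scanner", "browser.exe", 0.9),
    ReputationMetadata("security_scanner", "shell.exe", 1.0),
    ReputationMetadata("security_scanner", "hyperlinked_picture", -0.8),
    ReputationMetadata("community_member_1", "browser.exe", 0.7),
    ReputationMetadata("community_member_1", "hyperlinked_picture", -0.6),
    ReputationMetadata("community_member_2", "browser.exe", 0.8),
    ReputationMetadata("community_member_2", "shell.exe", 0.9),
    ReputationMetadata("community_member_2", "installer.msi", 0.2),
]

if __name__ == "__main__":
    builder = ReputationValueBuilder(SAMPLE_METADATA)
    for actor in ("browser.exe", "hyperlinked_picture", "installer.msi"):
        print(actor, builder.reputation_value(actor))
    # leaf (the picture) first, then the browser that rendered it, then the shell
    print(builder.chain_value(["hyperlinked_picture", "browser.exe", "shell.exe"]))
```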
- FIG. 4 illustrates a computing device 400 including one or more computer-readable media 402, which is shown to include an access control module 404.
- Access control module 404 may couple to an authorization input builder 406, which may be integral with, accessible by, or separate from computer-readable media 402 and/or access control module 404.
- Authorization input builder 406 may comprise many of the same features as those described above in regards to authorization input builder 130.
- Authorization input builder 406 may receive reputation value 114, possibly from reputation value builders 112, 208 or 304.
- Authorization input builder 406 may also receive other inputs, such as a user identity 408, an actor type 410, and/or a system type 412.
- The authorization input may comprise a result of these inputs and may eventually be compared to a rule or policy in order to determine whether or not an actor should be granted its requested access.
- User identity 408 represents the identity of a user (e.g., 102) operating the client device (e.g., 104). User identity 408 contributes to the resulting value of authorization input 414, as different users may have different permissions.
- Actor type 410 refers to the nature of the actor requesting access.
- The actor type may comprise one or more of the following types: software application, installation program, and/or dynamically linked library. Other types may also exist based on an object's label.
- The actor type contributes to the resulting value of authorization input 414, as different actor types may have different levels of permission.
- For example, a File Transfer Protocol (FTP) actor type may be considered less trustworthy than another software application, such as a word processor.
- System type 412 refers to the type of system the actor wishes to access.
- System type 412 could comprise a personal computer, a work-based server, an FTP server, or the like.
- An FTP actor type 410 may generally be considered less trustworthy. If, however, system type 412 is an FTP server, then the same FTP actor may be considered more trustworthy.
- Based on these inputs, authorization input builder 406 may create authorization input 414.
- Reputation value 114 alone may be input into authorization input builder 406, in which case the resulting authorization input 414 is simply equal to reputation value 114.
- Reputation value 114 may instead enter authorization input builder 406 along with one or more of the other illustrated inputs, in which case the resulting authorization input 414 is based on some combination of these input values while still being indicative of an actor's reputation. Whatever its value may be, authorization input 414 may then be provided to an authorization module for comparison to one or more authorization rules or policies, as discussed immediately below.
- FIG. 5 illustrates a computing device 500 including one or more computer-readable media 502, which may include an access control module 504.
- Access control module 504 includes an authorization module 506, which in turn includes a rules module 508.
- Authorization module 506 may function in many of the same ways as described above in regards to authorization module 132.
- Rules module 508 may function in many of the same ways as rules module 134.
- FIG. 5 also illustrates authorization module 506 receiving a request 510 from an actor (e.g., a software application).
- The actor may request to perform some operation (e.g., read, write, delete, open) on an object (e.g., a file) located on or accessible by computing device 500.
- Authorization module 506 may also receive authorization input 414.
- Authorization input 414 is at least in part indicative of a reputation of the actor seeking to perform the operation on the object.
- Other components may also contribute to authorization input 414.
- Authorization module 506 may compare authorization input 414 against rules created and/or implemented by rules module 508. This comparison may serve to determine whether or not the actor should be granted permission to perform request 510, and the result may be output in the form of authorization decision 512. In accordance with the rules or policies implemented by rules module 508, authorization decision 512 may grant the actor permission to perform the requested operation, may deny the actor permission, or may prompt the user to decide whether or not to grant the actor permission.
- Exemplary rules for an installation package actor type may comprise the following:
- In the simplest case, authorization input 414 may consist of reputation value 114 alone.
- Authorization decision 512 may then grant the actor permission where the reputation value is "good", while denying the actor permission where the reputation value is "bad".
- The authorization decision may prompt the user to decide where the reputation value is "unknown".
- Authorization module 506 may thus make automatic or pre-determined decisions based on the authorization input and the implemented rules, or the authorization module may defer to a user for a final decision.
- Rules module 508 may contain rules of varying granularity levels. For instance, authorization module 506 and/or rules module 508 may also evaluate the nature of request 510 in making authorization decision 512. To highlight this, the following exemplary list comprises complex authorization rules that rules module 508 may implement when making the authorization decision:
- With such rules, authorization decision 512 may be relatively more robust than in embodiments that utilize simpler rules.
- The authorization decision may allow an actor to perform only certain operations on certain objects. More specifically, the authorization decision may conclude that a software application may open a user's file, but may not write to or delete that file.
- Objects located on or accessible by a client device may have differing security levels that allow increasingly granular authorization decisions. For instance, some objects (e.g., files) on a client device may be labeled "high privacy", while others may be labeled "low privacy". A default label may be given to objects that are not explicitly labeled.
- Authorization decision 512 may conclude that a software application should only have access to files labeled "low privacy". Furthermore, these authorization decision characteristics may act in unison in some instances. For example, one possible resulting authorization decision may be that a certain software application can only read "high privacy" files on a client device, but may perform read and write operations on "low privacy" files.
- In the exemplary implementation, the access control module either receives or builds reputation value 114 for the calling application. Access control module 128 may then use this reputation value, and possibly other components such as system type, to build an authorization input with authorization input builder 130. In the current example, no other components are input and the authorization input merely comprises this reputation value.
- Authorization input builder 130 then provides the reputation-based authorization input to authorization module 132, which compares the reputation-based authorization input of the application against an authorization policy from rules module 134.
- Here, the reputation value of the application may be labeled "bad" and the authorization policy may state that "bad" applications cannot open ports in the firewall. The application may therefore be prevented from opening the firewall port.
- The user may be visually notified of the denial via a user interface.
- This exemplary implementation highlights that the overall security and integrity of a client device, its operating system, its users, and its applications may increase with use of the above-described tools. More specifically, security and integrity may increase due to a client device's ability to automatically compare an actor's reputation to a set of authorization rules and use this comparison to determine whether to grant access to the actor, isolate or deny the actor, or run the actor with lower privileges.
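The authorization input builder, the rules module, and the grant/deny/prompt decision described above, including the per-object privacy labels and the firewall-port case of the exemplary implementation, as an added Python example that is not the patent's own code. The rule set, the FTP downgrade, the guest-user restriction, and the object labels are assumed illustrative policy; the file paths and actor names are constructed.

```python
"""Authorization input builder plus authorization module with a rules module.
Decisions are "grant", "deny" or "prompt" (defer to the user). Every policy
detail below is an assumption chosen to illustrate the text's examples."""
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Request:
    actor: str        # calling application, e.g. a file name (constructed)
    actor_type: str   # "application", "installer", "dll", "ftp"
    operation: str    # "read", "open", "write", "delete", "open_port"
    obj: str          # object the operation targets, e.g. a file path
    system_type: str  # "personal_computer", "work_server", "ftp_server"
    user: str         # identity of the user operating the client device


LEVELS = ["bad", "unknown", "good"]   # coarse reputation values, worst first
MUTATING_OPS = {"write", "delete"}
DEFAULT_LABEL = "low privacy"         # label for objects not explicitly labeled
OBJECT_LABELS = {                     # constructed sample labels
    "C:/Users/alice/Documents/taxes.xlsx": "high privacy",
    "C:/Users/alice/Pictures/holiday.jpg": "low privacy",
}


def object_label(obj: str) -> str:
    return OBJECT_LABELS.get(obj, DEFAULT_LABEL)


def build_authorization_input(reputation_value: str, req: Request) -> str:
    """Combine the reputation value with actor type and system type.
    Assumed rule: an FTP actor is downgraded one level unless the system it
    targets is itself an FTP server; every other actor keeps its value."""
    if reputation_value not in LEVELS:
        raise ValueError(f"unexpected reputation value {reputation_value!r}")
    level = LEVELS.index(reputation_value)
    if req.actor_type == "ftp" and req.system_type != "ftp_server":
        level = max(0, level - 1)
    return LEVELS[level]


# A rule is (description, predicate over (authorization input, request), decision).
Rule = tuple[str, Callable[[str, Request], bool], str]

RULES: list[Rule] = [
    ("bad actors cannot open ports in the firewall",
     lambda v, r: v == "bad" and r.operation == "open_port", "deny"),
    ("bad actors are denied any other operation",
     lambda v, r: v == "bad", "deny"),
    ("guest users may not modify objects",   # user identity as an input
     lambda v, r: r.user == "guest" and r.operation in MUTATING_OPS, "deny"),
    ("unknown actors: defer to the user",
     lambda v, r: v == "unknown", "prompt"),
    ("good actors may read or open any object",
     lambda v, r: v == "good" and r.operation in {"read", "open"}, "grant"),
    ("good actors may modify only low-privacy objects",
     lambda v, r: v == "good" and r.operation in MUTATING_OPS
     and object_label(r.obj) == "low privacy", "grant"),
    ("good actors may not modify high-privacy objects",
     lambda v, r: v == "good" and r.operation in MUTATING_OPS
     and object_label(r.obj) == "high privacy", "deny"),
]


def authorize(auth_input: str, req: Request) -> tuple[str, str]:
    """Authorization module: the first matching rule wins; with no match the
    module defers to the user rather than silently granting access."""
    for description, matches, decision in RULES:
        if matches(auth_input, req):
            return decision, description
    return "prompt", "no rule matched: defer to the user"


def decide(reputation_value: str, req: Request) -> tuple[str, str]:
    """Full path: reputation value -> authorization input -> decision."""
    return authorize(build_authorization_input(reputation_value, req), req)


if __name__ == "__main__":
    taxes = "C:/Users/alice/Documents/taxes.xlsx"
    word = Request("wordproc.exe", "application", "write", taxes, "personal_computer", "alice")
    print(decide("good", word))   # denied: good actors may not modify high-privacy objects
    fw = Request("updater.exe", "application", "open_port", "firewall", "personal_computer", "alice")
    print(decide("bad", fw))      # denied: bad actors cannot open ports in the firewall
```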
Priority Applications (7)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
EP07871409A EP2126808A4 (en) | 2006-12-08 | 2007-11-08 | Reputation-based authorization decisions |
AU2007333444A AU2007333444B2 (en) | 2006-12-08 | 2007-11-08 | Reputation-based authorization decisions |
MX2009006025A MX2009006025A (en) | 2006-12-08 | 2007-11-08 | Reputation-based authorization decisions. |
CA002671031A CA2671031A1 (en) | 2006-12-08 | 2007-11-08 | Reputation-based authorization decisions |
BRPI0719035-2A BRPI0719035A2 (en) | 2006-12-08 | 2007-11-08 | REPUTATION-BASED AUTHORIZATION DECISIONS |
JP2009540360A JP5066578B2 (en) | 2006-12-08 | 2007-11-08 | Reputation-based authorization decisions |
NO20092560A NO20092560L (en) | 2006-12-08 | 2009-07-07 | Reputation-based authorization provision |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US11/608,757 US7991902B2 (en) | 2006-12-08 | 2006-12-08 | Reputation-based authorization decisions |
US11/608,757 | 2006-12-08 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2008073647A1 true WO2008073647A1 (en) | 2008-06-19 |
Family
ID=39499913
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/US2007/084057 WO2008073647A1 (en) | 2006-12-08 | 2007-11-08 | Reputation-based authorization decisions |
Country Status (13)
Country | Link |
---|---|
US (2) | US7991902B2 (en) |
EP (1) | EP2126808A4 (en) |
JP (1) | JP5066578B2 (en) |
KR (1) | KR20090087122A (en) |
CN (1) | CN101553833A (en) |
AU (1) | AU2007333444B2 (en) |
BR (1) | BRPI0719035A2 (en) |
CA (1) | CA2671031A1 (en) |
MX (1) | MX2009006025A (en) |
NO (1) | NO20092560L (en) |
RU (1) | RU2458393C2 (en) |
TW (1) | TW200836085A (en) |
WO (1) | WO2008073647A1 (en) |
US8239953B1 (en) | 2009-03-26 | 2012-08-07 | Symantec Corporation | Applying differing security policies for users who contribute differently to machine hygiene |
US8381289B1 (en) | 2009-03-31 | 2013-02-19 | Symantec Corporation | Communication-based host reputation system |
US8312543B1 (en) | 2009-06-30 | 2012-11-13 | Symantec Corporation | Using URL reputation data to selectively block cookies |
US8201255B1 (en) | 2009-06-30 | 2012-06-12 | Symantec Corporation | Hygiene-based discovery of exploited portals |
US20110022518A1 (en) * | 2009-07-22 | 2011-01-27 | Ayman Hammad | Apparatus including data bearing medium for seasoning a device using data obtained from multiple transaction environments |
US10438181B2 (en) | 2009-07-22 | 2019-10-08 | Visa International Service Association | Authorizing a payment transaction using seasoned data |
US8566932B1 (en) | 2009-07-31 | 2013-10-22 | Symantec Corporation | Enforcing good network hygiene using reputation-based automatic remediation |
US8776168B1 (en) | 2009-10-29 | 2014-07-08 | Symantec Corporation | Applying security policy based on behaviorally-derived user risk profiles |
US8341745B1 (en) | 2010-02-22 | 2012-12-25 | Symantec Corporation | Inferring file and website reputations by belief propagation leveraging machine reputation |
US8839432B1 (en) * | 2010-04-01 | 2014-09-16 | Symantec Corporation | Method and apparatus for performing a reputation based analysis on a malicious infection to secure a computer |
US8510836B1 (en) | 2010-07-06 | 2013-08-13 | Symantec Corporation | Lineage-based reputation system |
US8931048B2 (en) * | 2010-08-24 | 2015-01-06 | International Business Machines Corporation | Data system forensics system and method |
FR2965081B1 (en) * | 2010-09-16 | 2014-08-08 | Gerwin | METHOD AND SYSTEM FOR QUALIFYING AN ELEMENT |
US8800029B2 (en) | 2010-10-04 | 2014-08-05 | International Business Machines Corporation | Gathering, storing and using reputation information |
US9317670B2 (en) * | 2012-05-22 | 2016-04-19 | Verizon Patent And Licensing Inc | Security based on usage activity associated with user device |
US9124472B1 (en) | 2012-07-25 | 2015-09-01 | Symantec Corporation | Providing file information to a client responsive to a file download stability prediction |
RU2536663C2 (en) * | 2012-12-25 | 2014-12-27 | Закрытое акционерное общество "Лаборатория Касперского" | System and method of protecting cloud infrastructure from illegal use |
US9519756B2 (en) | 2013-03-15 | 2016-12-13 | Microsoft Technology Licensing, Llc | Managing policy and permissions profiles |
US20150007330A1 (en) * | 2013-06-26 | 2015-01-01 | Sap Ag | Scoring security risks of web browser extensions |
US9319419B2 (en) * | 2013-09-26 | 2016-04-19 | Wave Systems Corp. | Device identification scoring |
WO2015047440A1 (en) * | 2013-09-29 | 2015-04-02 | Mcafee, Inc. | One-click reputation adjustment |
US9398036B2 (en) * | 2014-09-17 | 2016-07-19 | Microsoft Technology Licensing, Llc | Chunk-based file acquisition and file reputation evaluation |
US10083295B2 (en) * | 2014-12-23 | 2018-09-25 | Mcafee, Llc | System and method to combine multiple reputations |
US10659479B2 (en) * | 2015-03-27 | 2020-05-19 | Mcafee, Llc | Determination of sensor usage |
US9736165B2 (en) | 2015-05-29 | 2017-08-15 | At&T Intellectual Property I, L.P. | Centralized authentication for granting access to online services |
US20170063931A1 (en) * | 2015-08-28 | 2017-03-02 | Convida Wireless, Llc | Service Layer Dynamic Authorization |
US10679264B1 (en) | 2015-11-18 | 2020-06-09 | Dev Anand Shah | Review data entry, scoring, and sharing |
CN106960142A (en) | 2016-01-08 | 2017-07-18 | 阿里巴巴集团控股有限公司 | A kind of rights management and the method and device of resources control |
US11165797B2 (en) | 2016-04-22 | 2021-11-02 | Sophos Limited | Detecting endpoint compromise based on network usage history |
US10938781B2 (en) | 2016-04-22 | 2021-03-02 | Sophos Limited | Secure labeling of network flows |
US11277416B2 (en) * | 2016-04-22 | 2022-03-15 | Sophos Limited | Labeling network flows according to source applications |
US11102238B2 (en) | 2016-04-22 | 2021-08-24 | Sophos Limited | Detecting triggering events for distributed denial of service attacks |
US10986109B2 (en) | 2016-04-22 | 2021-04-20 | Sophos Limited | Local proxy detection |
US10528725B2 (en) | 2016-11-04 | 2020-01-07 | Microsoft Technology Licensing, Llc | IoT security service |
US10972456B2 (en) | 2016-11-04 | 2021-04-06 | Microsoft Technology Licensing, Llc | IoT device authentication |
US11086985B2 (en) * | 2017-12-04 | 2021-08-10 | Microsoft Technology Licensing, Llc | Binary authorization based on both file and package attributes |
KR102285799B1 (en) * | 2019-03-04 | 2021-08-05 | 어드밴스드 뉴 테크놀로지스 씨오., 엘티디. | Asset management system utilizing blockchain network |
CN113392385B (en) * | 2021-06-28 | 2023-07-14 | 中山大学 | User trust measurement method and system in cloud environment |
US20230015789A1 (en) * | 2021-07-08 | 2023-01-19 | Vmware, Inc. | Aggregation of user authorizations from different providers in a hybrid cloud environment |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO1998026385A2 (en) * | 1996-12-13 | 1998-06-18 | Certco, Llc | Reliance server for electronic transaction system |
KR20010094702A (en) * | 2000-04-06 | 2001-11-01 | 최진영 | Electronic commerce system and method thereof |
KR20050101500A (en) * | 2004-04-19 | 2005-10-24 | 한국신용평가정보주식회사 | Method for issuing the certificate contained the link information of one's credit information and record media recorded the certificate issued by the above method |
KR20060096278A (en) * | 2005-03-04 | 2006-09-11 | 마이크로소프트 코포레이션 | Method and system for integrating multiple identities, identity mechanism and identity provides in a single user paradigm |
Family Cites Families (25)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
GB2301912A (en) * | 1995-06-09 | 1996-12-18 | Ibm | Security for computer system resources |
US6167521A (en) | 1997-08-29 | 2000-12-26 | International Business Machines Corporation | Securely downloading and executing code from mutually suspicious authorities |
US6330549B1 (en) | 1997-10-30 | 2001-12-11 | Xerox Corporation | Protected shareware |
US6256393B1 (en) | 1998-06-23 | 2001-07-03 | General Instrument Corporation | Authorization and access control of software object residing in set-top terminals |
US6321334B1 (en) * | 1998-07-15 | 2001-11-20 | Microsoft Corporation | Administering permissions associated with a security zone in a computer system security model |
US6473800B1 (en) * | 1998-07-15 | 2002-10-29 | Microsoft Corporation | Declarative permission requests in a computer system |
US6651168B1 (en) | 1999-01-29 | 2003-11-18 | International Business Machines, Corp. | Authentication framework for multiple authentication processes and mechanisms |
JP3546787B2 (en) * | 1999-12-16 | 2004-07-28 | インターナショナル・ビジネス・マシーンズ・コーポレーション | Access control system, access control method, and storage medium |
US20020046041A1 (en) | 2000-06-23 | 2002-04-18 | Ken Lang | Automated reputation/trust service |
US7073062B2 (en) | 2000-12-19 | 2006-07-04 | International Business Machines Corporation | Method and apparatus to mutually authentication software modules |
US6954792B2 (en) | 2001-06-29 | 2005-10-11 | Sun Microsystems, Inc. | Pluggable authentication and access control for a messaging system |
WO2003021467A1 (en) * | 2001-08-13 | 2003-03-13 | Qualcomm, Incorporated | Using permissions to allocate device resources to an application |
RU2282311C2 (en) * | 2001-11-29 | 2006-08-20 | Сименс Акциенгезелльшафт | Method for using a pair of open keys in end device for authentication and authorization of telecommunication network user relatively to network provider and business partners |
US7017051B2 (en) | 2003-02-24 | 2006-03-21 | Bea Systems, Inc. | System and method for enterprise authentication |
US7216169B2 (en) * | 2003-07-01 | 2007-05-08 | Microsoft Corporation | Method and system for administering personal computer health by registering multiple service providers and enforcing mutual exclusion rules |
US7437718B2 (en) * | 2003-09-05 | 2008-10-14 | Microsoft Corporation | Reviewing the security of trusted software components |
JP2005115487A (en) * | 2003-10-03 | 2005-04-28 | Sharp Corp | Recording and reproducing device, and file access method |
US7668951B2 (en) | 2004-05-25 | 2010-02-23 | Google Inc. | Electronic message source reputation information system |
US8819639B2 (en) * | 2004-09-15 | 2014-08-26 | Lakeside Software, Inc. | System for selectively blocking execution of applications on a computer system |
US20060106788A1 (en) * | 2004-10-29 | 2006-05-18 | Microsoft Corporation | Computer-implemented system and method for providing authoritative answers to a general information search |
WO2006101549A2 (en) * | 2004-12-03 | 2006-09-28 | Whitecell Software, Inc. | Secure system for allowing the execution of authorized computer program code |
US7887419B2 (en) * | 2004-12-07 | 2011-02-15 | Microsoft Corporation | Game achievements system |
US8739291B2 (en) * | 2005-01-27 | 2014-05-27 | Nokia Corporation | System and method for providing access to OMA DRM protected files from java application |
JPWO2006087780A1 (en) * | 2005-02-17 | 2008-07-03 | 富士通株式会社 | Vulnerability audit program, vulnerability audit device, vulnerability audit method |
US20070256133A1 (en) * | 2006-04-27 | 2007-11-01 | Garbow Zachary A | Blocking processes from executing based on votes |
- 2006
  - 2006-12-08 US US11/608,757 patent/US7991902B2/en not_active Expired - Fee Related
- 2007
  - 2007-11-08 MX MX2009006025A patent/MX2009006025A/en active IP Right Grant
  - 2007-11-08 EP EP07871409A patent/EP2126808A4/en not_active Withdrawn
  - 2007-11-08 KR KR1020097014129A patent/KR20090087122A/en not_active IP Right Cessation
  - 2007-11-08 CN CNA2007800454163A patent/CN101553833A/en active Pending
  - 2007-11-08 CA CA002671031A patent/CA2671031A1/en not_active Abandoned
  - 2007-11-08 AU AU2007333444A patent/AU2007333444B2/en not_active Ceased
  - 2007-11-08 WO PCT/US2007/084057 patent/WO2008073647A1/en active Application Filing
  - 2007-11-08 RU RU2009126155/08A patent/RU2458393C2/en not_active IP Right Cessation
  - 2007-11-08 JP JP2009540360A patent/JP5066578B2/en not_active Expired - Fee Related
  - 2007-11-08 BR BRPI0719035-2A patent/BRPI0719035A2/en not_active IP Right Cessation
  - 2007-12-07 TW TW096146913A patent/TW200836085A/en unknown
- 2009
  - 2009-07-07 NO NO20092560A patent/NO20092560L/en unknown
- 2011
  - 2011-06-21 US US13/165,504 patent/US20110252483A1/en not_active Abandoned
Non-Patent Citations (1)
Title |
---|
See also references of EP2126808A4 * |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2016538614A (en) * | 2013-09-27 | 2016-12-08 | ビットディフェンダー アイピーアール マネジメント リミテッド | System and method for facilitating malware scanning using reputation indicators |
Also Published As
Publication number | Publication date |
---|---|
TW200836085A (en) | 2008-09-01 |
EP2126808A4 (en) | 2011-11-23 |
JP2010512576A (en) | 2010-04-22 |
US7991902B2 (en) | 2011-08-02 |
NO20092560L (en) | 2009-07-07 |
AU2007333444A1 (en) | 2008-06-19 |
EP2126808A1 (en) | 2009-12-02 |
US20110252483A1 (en) | 2011-10-13 |
KR20090087122A (en) | 2009-08-14 |
BRPI0719035A2 (en) | 2013-11-05 |
MX2009006025A (en) | 2009-06-16 |
RU2458393C2 (en) | 2012-08-10 |
AU2007333444B2 (en) | 2012-02-09 |
CN101553833A (en) | 2009-10-07 |
US20080141366A1 (en) | 2008-06-12 |
JP5066578B2 (en) | 2012-11-07 |
CA2671031A1 (en) | 2008-06-19 |
RU2009126155A (en) | 2011-01-20 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US7991902B2 (en) | | Reputation-based authorization decisions |
US10581919B2 (en) | | Access control monitoring through policy management |
US10691814B2 (en) | | Method and system for improving security and reliability in a networked application environment |
US9485100B2 (en) | | Trust management systems and methods |
KR101076911B1 (en) | | System and method for providing security to an application |
US7421500B2 (en) | | Grid computing control system |
WO2013053393A1 (en) | | Multi-repository key storage and selection |
Krautsevich et al. | | Risk-aware usage decision making in highly dynamic systems |
CN100586123C (en) | | A safe audit method based on role management and system thereof |
Legal Events
Code | Title | Description |
---|---|---|
WWE | Wipo information: entry into national phase | Ref document number: 200780045416.3; Country of ref document: CN |
121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 07871409; Country of ref document: EP; Kind code of ref document: A1 |
WWE | Wipo information: entry into national phase | Ref document number: 2671031; Country of ref document: CA |
WWE | Wipo information: entry into national phase | Ref document number: MX/A/2009/006025; Country of ref document: MX |
ENP | Entry into the national phase | Ref document number: 2009540360; Country of ref document: JP; Kind code of ref document: A |
NENP | Non-entry into the national phase | Ref country code: DE |
WWE | Wipo information: entry into national phase | Ref document number: 2007871409; Country of ref document: EP |
WWE | Wipo information: entry into national phase | Ref document number: 2007333444; Country of ref document: AU; Ref document number: 1020097014129; Country of ref document: KR |
WWE | Wipo information: entry into national phase | Ref document number: 3984/CHENP/2009; Country of ref document: IN |
ENP | Entry into the national phase | Ref document number: 2009126155; Country of ref document: RU; Kind code of ref document: A |
ENP | Entry into the national phase | Ref document number: 2007333444; Country of ref document: AU; Date of ref document: 20071108; Kind code of ref document: A |
ENP | Entry into the national phase | Ref document number: PI0719035; Country of ref document: BR; Kind code of ref document: A2; Effective date: 20090520 |