-
Publication number: US20230177169A1
Publication date: 2023-06-08
Application number: US17643205
Application date: 2021-12-08
Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
Inventor: Muhammed Fatih Bulut, Abdulhamid Adebowale Adebayo, Lilian Mathias Ngweta, Ting Dai, Constantin Mircea Adam, Daby Mousse Sow, Steven Ocepek
CPC classification number: G06F21/577, G06F21/566, G06N5/04, G06F2221/034
Abstract: An apparatus, a method, and a computer program product are provided that combine policy compliance with vulnerability management to provide a more accurate risk assessment of an environment. The method includes training a policy machine learning model using a first training dataset to generate a policy machine learning model to produce mitigation technique classifications and training a vulnerability machine learning model using a second training dataset to generate a vulnerability machine learning model to produce weakness type classifications. The method also includes mapping the mitigation technique classifications to attack techniques to produce a policy mapping and mapping the weakness type classifications to the attack techniques to produce a vulnerability mapping. The method further includes producing a risk assessment of a vulnerability based on the policy mapping and the vulnerability mapping.
-
Publication number: US20220357954A1
Publication date: 2022-11-10
Application number: US17307482
Application date: 2021-05-04
Applicant: International Business Machines Corporation
Inventor: Constantin Mircea Adam, Shripad Nadgowda, James R. Doran, John Rofrano
Abstract: Systems and techniques that facilitate compliance enforcement via service discovery analytics are provided. In various embodiments, a system can comprise a receiver component that can access one or more declarative deployment manifests associated with a computing application. In various instances, the system can comprise a dependency component that can build a dependency topology based on the one or more declarative deployment manifests. In various cases, the dependency topology can indicate dependencies among one or more computing objects that are declared by the one or more declarative deployment manifests. In various aspects, the system can comprise a compliance component that can determine, based on the dependency topology, whether the computing application satisfies one or more compliance standards.
-
Publication number: US10803177B2
Publication date: 2020-10-13
Application number: US15653676
Application date: 2017-07-19
Applicant: International Business Machines Corporation
Inventor: Constantin Mircea Adam, Nikolaos Anerousis, Jinho Hwang, Shripad Nadgowda, Maja Vukovic
Abstract: Systems, computer-implemented methods and/or computer program products that facilitate compliance-aware runtime generation of containers are provided. In one embodiment, a computer-implemented method comprises: identifying, by a system operatively coupled to a processor, information used by a target application to containerize; determining whether one or more risk violations exist for the information within one or more defined thresholds; determining whether a compliance or a security violation exists in the information, wherein the determining whether the compliance or security violation exists is performed based on a determination by the risk assessment component that one or more risk violations do not exist; and generating a new container of components corresponding to defined components of the target application that allow the target application to execute without an underlying operating system, wherein the generating is based on a determination that no compliance or security violation exists in the information.
-
Publication number: US20190173813A1
Publication date: 2019-06-06
Application number: US15832330
Application date: 2017-12-05
Applicant: International Business Machines Corporation
Inventor: Constantin Mircea Adam, Muhammed Fatih Bulut, Richard Baxter Hull, Anup Kalia, Maja Vukovic, Jin Xiao
Abstract: Techniques facilitating maintenance of tribal knowledge for accelerated compliance control deployment are provided. In one example, a system includes a memory that stores computer executable components and a processor that executes computer executable components stored in the memory, wherein the computer executable components include a knowledge base generation component that generates a knowledge graph corresponding to respective commitments created via tribal exchanges, the knowledge graph comprising a semantic level and an operational level; a semantic graph population component that populates the semantic level of the knowledge graph based on identified parties to the respective commitments; and an operational graph population component that populates the operational level of the knowledge graph based on tracked status changes associated with the respective commitments.
-
Publication number: US20190075082A1
Publication date: 2019-03-07
Application number: US15841915
Application date: 2017-12-14
Applicant: International Business Machines Corporation
Inventor: Constantin Mircea Adam, Richard Jay Cohen, Robert Filepp, Milton H. Hernandez, Brian Peterson, Maja Vukovic, Sai Zeng, Guan Qun Zhang, Bhayna Agrawal
IPC: H04L29/06
Abstract: Users of an endpoint remediation system can be assigned to different roles, from which they can request exceptions, approve exceptions, and/or enable remediation on endpoint devices. The compliance scanning and enforcing process can be automated, while allowing entities to request and/or approve certain exceptions. Therefore, security compliance for customers can be actively managed to provide visibility to the endpoint device compliance state at any time.
-
Publication number: US11829766B2
Publication date: 2023-11-28
Application number: US17307482
Application date: 2021-05-04
Applicant: International Business Machines Corporation
Inventor: Constantin Mircea Adam, Shripad Nadgowda, James R. Doran, John Rofrano
CPC classification number: G06F9/3838, G06F8/30, G06F8/75, G06F11/3604
Abstract: Systems and techniques that facilitate compliance enforcement via service discovery analytics are provided. In various embodiments, a system can comprise a receiver component that can access one or more declarative deployment manifests associated with a computing application. In various instances, the system can comprise a dependency component that can build a dependency topology based on the one or more declarative deployment manifests. In various cases, the dependency topology can indicate dependencies among one or more computing objects that are declared by the one or more declarative deployment manifests. In various aspects, the system can comprise a compliance component that can determine, based on the dependency topology, whether the computing application satisfies one or more compliance standards.
-
Publication number: US20230155984A1
Publication date: 2023-05-18
Application number: US17530185
Application date: 2021-11-18
Applicant: International Business Machines Corporation
Inventor: Constantin Mircea Adam, Nerla Jean-Louis, Hubertus Franke, Edward Charles Snible, Abdulhamid Adebowale Adebayo
IPC: H04L29/06
CPC classification number: H04L63/0281
Abstract: Techniques for managing and processing of configuration changes associated with a service container associated with a service mesh are presented. An application management component can determine immutable configuration data (ICD) relating to configuration change processing for the service container based on policies received from an application owner. A message processing component (MMC) of a service proxy associated with the service container can receive, via a control plane, a message associated with an untrusted entity. MMC can determine whether the message comprises a configuration change request relating to interaction between the application and the service mesh, and, if so, can determine whether to allow the service proxy to process the configuration change based on analysis of the configuration change and ICD. If ICD indicates the configuration change is not allowed, service proxy can discard the request. If ICD indicates the configuration change is allowed, service proxy can implement the configuration change.
-
Publication number: US11537602B2
Publication date: 2022-12-27
Application number: US15930273
Application date: 2020-05-12
Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
Inventor: Muhammed Fatih Bulut, Arun Kumar, Kuntal Dey, Constantin Mircea Adam, Milton H. Hernandez
IPC: G06F16/242, G06F40/30, G06N20/00, G06F16/28, G06F16/23, G06F40/284
Abstract: Computer implemented reconstruction of compliance mapping due to an update in a regulation in the compliance mapping by a computing device includes comparing a first version of a regulation in the compliance mapping to a second, updated version of the first regulation. A change in the second version with respect to the first version is identified. The change may be an added control description, a deleted control description, or an updated control description. Upon determining that the change is an updated control description, the updated control description is analyzed to determine a type of update. The mapping of the regulation is reconstructed based on the change and, if the change is an updated control description, the type of update, using at least one of natural language processing and/or machine learning. The risk of the reconstructed mapping is assessed, and a service owner is notified about the risk of the changes.
-
Publication number: US20220382876A1
Publication date: 2022-12-01
Application number: US17329448
Application date: 2021-05-25
Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
Inventor: Sai ZENG, Jinho HWANG, Virginia Mayo Policarpio, Lisa M. Chambers, Constantin Mircea Adam, Muhammed Fatih Bulut
IPC: G06F21/57
Abstract: A vulnerability management method includes analyzing a system environment to uncover one or more vulnerabilities. The method includes subsequently identifying one or more system weaknesses corresponding to the one or more uncovered vulnerabilities and analyzing a set of historical data to identify similar past vulnerabilities. The method further includes analyzing available information to extract one or more impacts of the identified similar past vulnerabilities and determining one or more impacts to the present system environment that would correspond to the extracted one or more impacts of the identified similar past vulnerabilities. The method additionally includes recommending one or more actions to remediate the uncovered vulnerabilities.
-
Publication number: US20210133254A1
Publication date: 2021-05-06
Application number: US16675376
Application date: 2019-11-06
Applicant: International Business Machines Corporation
Inventor: Constantin Mircea Adam, Muhammed Fatih Bulut, Milton H. Hernandez, Maja Vukovic
Abstract: Streamlining compliance reporting and remediation through clustering compliance deviations by receiving inspection scan compliance deviation report data, analyzing the inspection scan compliance deviation report data, in response to the analysis, creating normalized deviation report documents, comparing the normalized deviation report documents, in response to the comparisons, clustering the normalized deviation report documents, creating a common cluster deviation profile comprising clustered deviation reports, and generating a summary system asset compliance report comprising the common cluster deviation profile.