Identifying sensitive data writes to data stores

US 10,114,960 B1
Filed: 03/20/2014
Issued: 10/30/2018
Est. Priority Date: 03/20/2014
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method, comprising:

receiving, over a network and from a data access detection plugin running on a device with an application, a data access event notification corresponding to access by the application to a set of sensitive data;

creating a data event object, the data event object including at least one or more metadata items associated with the data access event notification;

writing, based at least in part on a determination by a policy service, a data log entry, the data log entry based at least in part on at least a subset of the data event object;

determining, based at least in part on a similar characteristic between the data log entry and one or more other entries in a computer system log, that the data log entry is correlated with the one or more other entries;

determining, based at least in part on the data log entry being correlated with the one or more other entries, a confidence value for a data access rule violation having occurred with the set of sensitive data;

determining a data store location based at least in part on a metadata item included in the data event object;

searching, in the data store location, for a set of data corresponding at least in part to a subset of the set of sensitive data; and

as a result of locating the set of data corresponding at least in part to the subset of the set of sensitive data, performing, based at least in part on the confidence value and a sensitivity of the set of sensitive data, one or more operations to mitigate further access to the set of sensitive data.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques for detecting access to computer system data by applications running on a computer system are described herein. Data access event log entries are recorded, the log entries including one or more metadata items associated with how the computer system application accessed the computer system data. The log entries are analyzed using correlations with other computer system events and, if improper access is detected, one or more operations relating to the type of data accessed and the type of violation are performed to mitigate the improper data access.

Citations

21 Claims

1. A computer-implemented method, comprising:
- receiving, over a network and from a data access detection plugin running on a device with an application, a data access event notification corresponding to access by the application to a set of sensitive data;
  
  creating a data event object, the data event object including at least one or more metadata items associated with the data access event notification;
  
  writing, based at least in part on a determination by a policy service, a data log entry, the data log entry based at least in part on at least a subset of the data event object;
  
  determining, based at least in part on a similar characteristic between the data log entry and one or more other entries in a computer system log, that the data log entry is correlated with the one or more other entries;
  
  determining, based at least in part on the data log entry being correlated with the one or more other entries, a confidence value for a data access rule violation having occurred with the set of sensitive data;
  
  determining a data store location based at least in part on a metadata item included in the data event object;
  
  searching, in the data store location, for a set of data corresponding at least in part to a subset of the set of sensitive data; and
  
  as a result of locating the set of data corresponding at least in part to the subset of the set of sensitive data, performing, based at least in part on the confidence value and a sensitivity of the set of sensitive data, one or more operations to mitigate further access to the set of sensitive data.
- View Dependent Claims (2, 3, 4)
- - 2. The computer-implemented method of claim 1, wherein the one or more operations include at least one of:
    - issuing an alarm,sending an email message,causing a popup window message to be generated,restricting access to the set of sensitive data,revoking permissions associated with the application,updating a data-access log, orterminating a service associated with the set of sensitive data.
  - 3. The computer-implemented method of claim 1, wherein the metadata item associated with data access event notification includes at least one of:
    - a date of a data access event associated with the data access event notification,a time of the data access event,a first uniform resource identifier of the application,a second uniform resource identifier of a service associated with the set of sensitive data,a third uniform resource identifier of a host machine of the application,an identifier associated with the data access event, orone or more data types associated with the set of sensitive data.
  - 4. The computer-implemented method of claim 1, wherein the one or more other entries include at least one of:
    - a disk access event entry,a clipboard access event entry,attaching a universal serial bus device,attaching a temporary storage device,a network storage access event entry,a file system write entry,a network data reception entry, ora network data transmission entry.

5. A system, comprising:
- at least one computing device that implements one or more services, wherein the one or more services;
  
  receive a data access event notification over a network and from a library module running on a device with an application, as a result of the application accessing a set of data;
  
  record a log entry corresponding to the data access event notification in a data access log, the log entry based at least in part on a metadata item associated with the data access event notification;
  
  determine, based at least in part on a similar characteristic between the log entry and one or more other entries of computer system events, that the log entry is correlated with the one or more other entries;
  
  identify, based at least in part on the log entry being correlated with the one or more other entries, that a data access rule violation has occurred in accordance with a confidence value and a factor relating to a sensitivity of the set of data; and
  
  consequent to having identified the data access rule violation, perform one or more operations to mitigate further access to the set of data based at least in part on a result of a search of a data store location for data matching at least part of the set of data, the data store location depending at least in part on the metadata item associated with the data access event notification, the one or more operations depending at least in part on the data access rule violation.
- View Dependent Claims (6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 6. The system of claim 5, wherein the library module is an application plugin.
  - 7. The system of claim 5, wherein the set of data includes at least a set of data specified as sensitive.
  - 8. The system of claim 5, wherein the one or more operations to mitigate further access to the set of data include one or more operations to send an alert to an investigation response team, the alert based at least in part on the data access rule violation.
  - 9. The system of claim 5, wherein the metadata item associated with the data access event notification includes a time of a data access event corresponding to the data access event notification.
  - 10. The system of claim 5, wherein the one or more computer system events include events corresponding to file system access by the application.
  - 11. The system of claim 5, wherein the data access rule violation is based at least in part on a correlation between a metadata item associated with the log entry and the one or more other entries, the correlation includes one of:
    - a time correlation, a correlation based at least in part on a target entity, or a content correlation.
  - 12. The system of claim 5, wherein the metadata item includes one or more metadata characteristics.
  - 13. The system of claim 12, wherein the one or more metadata characteristics comprise one or more of entropy characteristics.
  - 14. The system of claim 5, wherein the data access rule violation is based at least in part on a correlation between a metadata item associated with the log entry and the one or more other entries, the correlation includes one of:
    - a data size correlation, a permission correlation, an entropy correlation, a data hash correlation, or a compression correlation.

15. A non-transitory computer-readable storage medium having collectively stored thereon executable instructions that, if executed by one or more processors of a computer system, cause the computer system to:
- record a data access event log entry, generated by a client, corresponding to a data access event notification, the data access event notification received over a network and from a library module running on a device with an application corresponding to one or more data accesses, by the application, to at least a subset of a set of data, the data access event log entry including at least a metadata item associated with the data access event notification;
  
  determine, based at least in part on a similar characteristic between the data access event log entry and one or more other entries in a computer system log of one or more computer system events, that the data access event log entry is correlated with the one or more other entries;
  
  determine, based at least in part on the data access event log entry being correlated with the one or more other entries, that one or more data access rule violations have occurred in accordance with a confidence value; and
  
  perform, based at least in part on the confidence value and an indication of sensitivity of at least a first subset of the set of data, one or more operations to mitigate further access to at least the first subset of the set of data, the first subset of the set of data based at least in part on a second subset of the set of data, the one or more operations based at least in part on a search in one or more data store locations for data matching at least part of the set of data, the one or more data store locations based at least in part on the metadata item associated with one or more data access events, the one or more operations depending at least in part on an evaluation of one or more data access rules, the one or more data access rules provided by a policy system.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. The non-transitory computer-readable storage medium of claim 15, wherein the data access event notification are received from the library module associated with the application.
  - 17. The non-transitory computer-readable storage medium of claim 15, wherein the set of data includes at least a set of data specified as sensitive.
  - 18. The non-transitory computer-readable storage medium of claim 15, wherein the one or more operations to mitigate further access to the set of data include one or more operations to revoke one or more permissions associated with access to at least the subset of the set of data.
  - 19. The non-transitory computer-readable storage medium of claim 15, wherein the metadata item associated with the data access event notification is one of:
    - a first uniform resource identifier of the application,a second uniform resource identifier of a service associated with the set of data, ora third uniform resource identifier of a host machine of the application.
  - 20. The non-transitory computer-readable storage medium of claim 15, wherein the one or more computer system events include events corresponding to network access by the application.
  - 21. The non-transitory computer-readable storage medium of claim 15, wherein the data access event log entry being correlated with the one or more other entries include events corresponding to temporary storage access by the application.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
McClintock, Jon Arron, Sethi, Tushaar, Van Horenbeeck, Maarten
Primary Examiner(s)
Edwards, Linglan E

Application Number

US14/220,880
Time in Patent Office

1,685 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/554   involving event detection a...

G06F 21/62   Protecting access to data v...

H04L 63/102   Entity profiles

H04L 63/1408   by monitoring network traff...

H04L 63/1433   Vulnerability analysis

Identifying sensitive data writes to data stores

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Identifying sensitive data writes to data stores

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links