Preventing data loss over network channels by dynamically monitoring file system operations of a process

US 10,148,694 B1
Filed: 10/01/2015
Issued: 12/04/2018
Est. Priority Date: 10/01/2015
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

detecting an application creating a network connection;

determining, in response to detecting the application creating the network connection, whether the application satisfies one or more criteria including whether the application has a common file dialog library and whether the application has a graphical user interface;

upon determining that the application satisfies the one or more criteria, monitoring file system activity in the application;

upon detecting a request from the application to perform the file system activity on a file, intercepting the file system activity;

evaluating the file system activity according to a data loss prevention (DLP) policy, wherein the evaluation comprises;

determining whether the file includes sensitive data; and

determining whether the network connection is to an unauthorized external location; and

based on the evaluation that the file includes sensitive data and the network connection is to the unauthorized external location, preventing the application from sending the sensitive data in the file over the network connection.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques are disclosed for performing data loss prevention (DLP) by monitoring file system activity of an application having a network connection. A DLP agent tracks file system activity (e.g., file open and read operations) being initiated by the application. The DLP agent intercepts the file system activity and evaluates a file specified by the file system operation to determine whether the file includes sensitive data. If so determined, the DLP agent prevents the sensitive data from being transmitted (e.g., by blocking the file system activity, redacting the sensitive data from the file, etc.).

37 Citations

View as Search Results

20 Claims

1. A method comprising:
- detecting an application creating a network connection;
  
  determining, in response to detecting the application creating the network connection, whether the application satisfies one or more criteria including whether the application has a common file dialog library and whether the application has a graphical user interface;
  
  upon determining that the application satisfies the one or more criteria, monitoring file system activity in the application;
  
  upon detecting a request from the application to perform the file system activity on a file, intercepting the file system activity;
  
  evaluating the file system activity according to a data loss prevention (DLP) policy, wherein the evaluation comprises;
  
  determining whether the file includes sensitive data; and
  
  determining whether the network connection is to an unauthorized external location; and
  
  based on the evaluation that the file includes sensitive data and the network connection is to the unauthorized external location, preventing the application from sending the sensitive data in the file over the network connection.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein the application includes one or more open network connections.
  - 3. The method of claim 2, wherein the one or more open network connections are detected by enumerating one or more TCP tables.
  - 4. The method of claim 2, further comprising:
    - monitoring network activity of the application for the creation of one or more new network connections.
  - 5. The method of claim 1, wherein preventing the sensitive data in the file from being sent over the network connection comprises:
    - blocking the request.
  - 6. The method of claim 1, wherein preventing the sensitive data in the file from being sent over the network connection comprises:
    - redacting the sensitive data from the file; and
      
      granting the request after the redaction.
  - 7. The method of claim 1, further comprising:
    - upon determining, based on the evaluation, that the file does not contain sensitive data, granting the request.
  - 8. The method of claim 1, further comprising:
    - upon determining, based on the evaluation, that the file does contain sensitive data, generating an incident report.

9. A non-transitory computer-readable storage medium having instructions, which, when executed, perform an operation comprising:
- detecting an application creating a network connection;
  
  determining, in response to detecting the application creating the network connection, whether the application satisfies one or more criteria including whether the application has a common file dialog library and whether the application has a graphical user interface;
  
  upon determining that the application satisfies the one or more criteria, monitoring file system activity in the application;
  
  upon detecting a request from the application to perform the file system activity on a file, intercepting the file system activity;
  
  evaluating the file system activity according to a data loss prevention (DLP) policy, wherein the evaluation comprises;
  
  determining whether the file includes sensitive data; and
  
  determining whether the network connection is to an unauthorized external location; and
  
  based on the evaluation that the file includes sensitive data and the network connection is to the unauthorized external location, preventing the application from sending the sensitive data in the file over the network connection.
- View Dependent Claims (10, 11, 12, 13, 14)
- - 10. The computer-readable storage medium of claim 9, wherein the application includes one or more open network connections.
  - 11. The computer-readable storage medium of claim 10, wherein the one or more open network connections are detected by enumerating one or more TCP tables.
  - 12. The computer-readable storage medium of claim 9, wherein preventing the sensitive data in the file from being sent over the network connection comprises:
    - blocking the request.
  - 13. The computer-readable storage medium of claim 9, wherein preventing the sensitive data in the file from being sent over the network connection comprises:
    - redacting the sensitive data from the file; and
      
      granting the request after the redaction.
  - 14. The computer-readable storage medium of claim 9, the operation further comprising:
    - upon determining, based on the evaluation, that the file does contain sensitive data, generating an incident report.

15. A system comprising:
- a processor; and
  
  a memory storing program code, which, when executed on the processor, performs an operation comprising;
  
  detecting an application creating a network connection;
  
  determining, in response to detecting the application creating the network connection, whether the application satisfies one or more criteria including whether the application has a common file dialog library and whether the application has a graphical user interface;
  
  upon determining that the application satisfies the one or more criteria, monitoring file system activity in the application;
  
  upon detecting a request from the application to perform the file system activity on a file, intercepting the file system activity;
  
  evaluating the file system activity according to a data loss prevention (DLP) policy, wherein the evaluation comprises;
  
  determining whether the file includes sensitive data; and
  
  determining whether the network connection is to an unauthorized external location; and
  
  based on the evaluation that the file includes sensitive data and the network connection is to the unauthorized external location, preventing the application from sending the sensitive data in the file over the network connection.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The system of claim 15, wherein the application includes one or more open network connections.
  - 17. The system of claim 16, wherein the one or more open network connections are detected by enumerating one or more TCP tables.
  - 18. The system of claim 15, wherein preventing the sensitive data in the file from being sent over the network connection comprises:
    - blocking the request.
  - 19. The system of claim 15, wherein preventing the sensitive data in the file from being sent over the network connection comprises:
    - redacting the sensitive data from the file; and
      
      granting the request after the redaction.
  - 20. The system of claim 15, the operation further comprising:
    - upon determining, based on the evaluation, that the file does contain sensitive data, generating an incident report.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Sarin, Sumit Manmohan, Jaiswal, Sumesh, Chaturvedi, Bishnu, Scomparin, Arnaud
Primary Examiner(s)
Najjar, Saleh
Assistant Examiner(s)
Chao, Michael W

Application Number

US14/873,046
Time in Patent Office

1,160 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/60   Protecting data

G06F 21/62   Protecting access to data v...

G06F 21/6218   to a system of files or obj...

H04L 51/212   using filtering or selectiv...

H04L 63/0227   Filtering policies mail mes...

H04L 63/105   Multiple levels of security

H04L 63/14   for detecting or protecting...

H04L 63/1408   by monitoring network traff...

H04L 63/20   for managing network securi...

H04W 12/02   Protecting privacy or anony...

Preventing data loss over network channels by dynamically monitoring file system operations of a process

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

37 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Preventing data loss over network channels by dynamically monitoring file system operations of a process

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

37 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others