Preventing data loss over network channels by dynamically monitoring file system operations of a process
Abstract
Techniques are disclosed for performing data loss prevention (DLP) by monitoring file system activity of an application having a network connection. A DLP agent tracks file system activity (e.g., file open and read operations) being initiated by the application. The DLP agent intercepts the file system activity and evaluates a file specified by the file system operation to determine whether the file includes sensitive data. If so determined, the DLP agent prevents the sensitive data from being transmitted (e.g., by blocking the file system activity, redacting the sensitive data from the file, etc.).
Claims (20)
1. A method comprising:
detecting an application creating a network connection;
determining, in response to detecting the application creating the network connection, whether the application satisfies one or more criteria including whether the application has a common file dialog library and whether the application has a graphical user interface;
upon determining that the application satisfies the one or more criteria, monitoring file system activity in the application;
upon detecting a request from the application to perform the file system activity on a file, intercepting the file system activity;
evaluating the file system activity according to a data loss prevention (DLP) policy, wherein the evaluation comprises:
determining whether the file includes sensitive data; and
determining whether the network connection is to an unauthorized external location; and
based on the evaluation that the file includes sensitive data and the network connection is to the unauthorized external location, preventing the application from sending the sensitive data in the file over the network connection.
Dependent claims: 2, 3, 4, 5, 6, 7, 8.

9. A non-transitory computer-readable storage medium having instructions, which, when executed, perform an operation comprising:
detecting an application creating a network connection;
determining, in response to detecting the application creating the network connection, whether the application satisfies one or more criteria including whether the application has a common file dialog library and whether the application has a graphical user interface;
upon determining that the application satisfies the one or more criteria, monitoring file system activity in the application;
upon detecting a request from the application to perform the file system activity on a file, intercepting the file system activity;
evaluating the file system activity according to a data loss prevention (DLP) policy, wherein the evaluation comprises:
determining whether the file includes sensitive data; and
determining whether the network connection is to an unauthorized external location; and
based on the evaluation that the file includes sensitive data and the network connection is to the unauthorized external location, preventing the application from sending the sensitive data in the file over the network connection.
Dependent claims: 10, 11, 12, 13, 14.

15. A system comprising:
a processor; and
a memory storing program code, which, when executed on the processor, performs an operation comprising:
detecting an application creating a network connection;
determining, in response to detecting the application creating the network connection, whether the application satisfies one or more criteria including whether the application has a common file dialog library and whether the application has a graphical user interface;
upon determining that the application satisfies the one or more criteria, monitoring file system activity in the application;
upon detecting a request from the application to perform the file system activity on a file, intercepting the file system activity;
evaluating the file system activity according to a data loss prevention (DLP) policy, wherein the evaluation comprises:
determining whether the file includes sensitive data; and
determining whether the network connection is to an unauthorized external location; and
based on the evaluation that the file includes sensitive data and the network connection is to the unauthorized external location, preventing the application from sending the sensitive data in the file over the network connection.
Dependent claims: 16, 17, 18, 19, 20.
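The decision flow that the abstract and independent claim 1 describe (scope monitoring to applications that have opened a network connection, have a GUI and carry a common file dialog library; intercept their file reads; block or redact only when the file holds sensitive data and a connection goes to an unauthorized external location) is modelled below in Python. This is an added illustration, not the patent's or any vendor's code. Everything it fills in is an assumption: comdlg32.dll is taken as the "common file dialog library" on Windows, the authorized networks and hosts, the SSN and Luhn-checked card-number detectors, and the process and file records are all constructed for the example.

```python
"""Model of the DLP flow in the abstract and claim 1 (added example, not the patent's code)."""
import re
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

# Assumption: the Windows common file dialog library (GetOpenFileName and friends) is
# comdlg32.dll, so having it loaded stands in for the "common file dialog library" criterion.
COMMON_FILE_DIALOG_MODULES = {"comdlg32.dll"}

# Constructed policy: destinations in these ranges or on this host list are authorized.
AUTHORIZED_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
AUTHORIZED_HOSTS = {"files.corp.example"}

# Constructed detectors; the claim leaves what counts as "sensitive data" to the DLP policy.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")  # 13 to 16 digits, optional separators


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to cut false positives on long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_sensitive(text: str) -> list:
    """Return the sensitive substrings found in the file content."""
    hits = SSN_RE.findall(text)
    for m in CARD_RE.findall(text):
        if luhn_ok(re.sub(r"\D", "", m)):
            hits.append(m)
    return hits


def redact(text: str) -> str:
    for hit in find_sensitive(text):
        text = text.replace(hit, "[REDACTED]")
    return text


@dataclass
class Process:
    pid: int
    name: str
    has_gui: bool
    loaded_modules: set = field(default_factory=set)
    connections: list = field(default_factory=list)  # (hostname, ip) pairs


@dataclass
class Decision:
    action: str             # "not_monitored", "allow", "redact" or "block"
    reason: str
    content: Optional[str]  # what the application is allowed to receive from the read


def should_monitor(proc: Process) -> bool:
    """Claim 1 criteria: the application has a GUI and a common file dialog library."""
    return proc.has_gui and bool(proc.loaded_modules & COMMON_FILE_DIALOG_MODULES)


def is_unauthorized_external(host: str, ip: str) -> bool:
    if host in AUTHORIZED_HOSTS:
        return False
    return not any(ip_address(ip) in net for net in AUTHORIZED_NETWORKS)


def on_file_read(proc: Process, content: str, mode: str = "block") -> Decision:
    """Intercepted file read by a connected application: evaluate it against the policy."""
    if not should_monitor(proc):
        return Decision("not_monitored", "criteria not met", content)
    hits = find_sensitive(content)
    if not hits:
        return Decision("allow", "no sensitive data", content)
    external = [h for h, ip in proc.connections if is_unauthorized_external(h, ip)]
    if not external:
        return Decision("allow", "no unauthorized external connection", content)
    reason = f"{len(hits)} sensitive item(s); unauthorized destination(s): {external}"
    if mode == "redact":
        return Decision("redact", reason, redact(content))
    return Decision("block", reason, None)


# Constructed sample records and processes.
RECORD = "Employee SSN 123-45-6789, card 4111 1111 1111 1111, badge 7788"
BROWSER = Process(4242, "browser.exe", True, {"comdlg32.dll", "ws2_32.dll"},
                  [("files.corp.example", "10.20.1.5"), ("paste.example.net", "203.0.113.7")])
INTERNAL_APP = Process(4343, "editor.exe", True, {"comdlg32.dll"}, [("wiki.corp", "192.168.4.9")])
SERVICE = Process(900, "backup-agent.exe", False, {"ws2_32.dll"}, [("x.example.org", "198.51.100.2")])


def demo() -> dict:
    return {
        "browser_block": on_file_read(BROWSER, RECORD),
        "browser_redact": on_file_read(BROWSER, RECORD, mode="redact"),
        "browser_benign": on_file_read(BROWSER, "Meeting notes: nothing sensitive"),
        "internal_only": on_file_read(INTERNAL_APP, RECORD),
        "no_gui_service": on_file_read(SERVICE, RECORD),
    }


if __name__ == "__main__":
    for name, d in demo().items():
        print(f"{name:15} {d.action:14} {d.reason}")
```

Two points the model makes visible. The block or redact decision is a conjunction: sensitive content alone, or an external connection alone, lets the read through, which is what keeps a content-only or destination-only check from generating noise. And the GUI plus file-dialog criterion is a heuristic for "an application through which a user can pick a file to upload"; a headless process such as the backup agent above never enters the monitored set, so in a real deployment that path needs a separate control.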
Specification