System and method for facilitating data leakage and/or propagation tracking

US 10,447,654 B2
Filed: 09/28/2017
Issued: 10/15/2019
Est. Priority Date: 02/23/2012
Status: Active Grant

First Claim

Patent Images

1. A system for facilitating data leakage and/or propagation tracking on a network, comprising:

a computer system one or more processors programmed to execute computer program instructions that, when executed, cause the computer system to;

obtain a set of hashes that are associated with files of a user system, and a reference set of hashes that are associated with files of a reference system;

determine an additional subset of hashes included in the set of hashes and not included in the reference set of hashes based on a comparison between the set of hashes and the reference set of hashes;

predict that a file is exclusive for one or more users or exclusive for one or more user systems, the file being associated with a hash included in the additional subset of hashes;

scan one or more other user systems to determine what files are on the other user systems, wherein each of the other user systems is assigned to one or more other users or is not one of the user systems; and

generate an alert indicating unauthorized activity, wherein the alert is generated responsive to the scan indicating that the other user systems contain the file predicted to be exclusive for the users or exclusive for the user systems.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In some embodiments, a set of hashes that are associated with files of a user system, and a reference set of hashes that are associated with files of a reference system, may be obtained. An additional subset of hashes (included in the set of hashes and not included in the reference set of hashes) may be obtained based on a comparison between the set of hashes and the reference set of hashes. A file may be predicted to be exclusive for certain users or user systems, where the file is associated with a hash included in the additional subset of hashes. Other user systems may be scanned to determine what files are on the other user systems, where each of the other user systems is assigned to another user or is not one of the user systems. An alert indicating unauthorized activity may be generated based on the scan.

130 Citations

20 Claims

1. A system for facilitating data leakage and/or propagation tracking on a network, comprising:
- a computer system one or more processors programmed to execute computer program instructions that, when executed, cause the computer system to;
  
  obtain a set of hashes that are associated with files of a user system, and a reference set of hashes that are associated with files of a reference system;
  
  determine an additional subset of hashes included in the set of hashes and not included in the reference set of hashes based on a comparison between the set of hashes and the reference set of hashes;
  
  predict that a file is exclusive for one or more users or exclusive for one or more user systems, the file being associated with a hash included in the additional subset of hashes;
  
  scan one or more other user systems to determine what files are on the other user systems, wherein each of the other user systems is assigned to one or more other users or is not one of the user systems; and
  
  generate an alert indicating unauthorized activity, wherein the alert is generated responsive to the scan indicating that the other user systems contain the file predicted to be exclusive for the users or exclusive for the user systems.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The system of claim 1, wherein the computer system is caused to:
    - obtain a set of names or paths that are associated with the files of the user system;
      
      obtain a reference set of names or paths associated with the files of the reference system; and
      
      determine an additional subset of names or paths included in the set of names or paths and not included in the reference set of names or paths based on a comparison between the set of names or paths and the reference set of names or paths,wherein predicting the file as being exclusive for the users or exclusive for the user systems is further based on the additional subset of names or paths.
  - 3. The system of claim 1, wherein the computer system is caused to:
    - obtain a set of names and paths that are associated with the files of the user system;
      
      obtain a reference set of names and paths associated with the files of the reference system; and
      
      determine an additional subset of names and paths included in the set of names and paths and not included in the reference set of names and paths based on a comparison between the set of names and paths and the reference set of names and paths,wherein predicting the file as being exclusive for the users or exclusive for the user systems is further based on the additional subset of names and paths.
  - 4. The system of claim 1, wherein the computer system is caused to:
    - observe traffic associated with the network to detect activity that changed, copied, moved, or accessed one or more files on user systems of the network; and
      
      generate, based on the detected activity, an audit trail associated with the files that were changed, copied, moved, or accessed, wherein the audit trail includes information to describe (i) one or more of the user systems at which the detected activity was observed, (ii) at least one user that owned the files associated with the detected activity, (iii) times when the users owned the files associated with the detected activity, and (iv) the detected activity.
  - 5. The system of claim 1, wherein the computer system is caused to:
    - obtain, based on the scan, hashes associated with files that are on the other user systems; and
      
      generate the alert responsive to a determination that at least one of the hashes obtained based on the scan matches the hash associated with the file predicted to be exclusive for the users or exclusive for the user systems.
  - 6. The system of claim 1, wherein the computer system is caused to:
    - generate the alert responsive to a determination that one or more files of a set of user systems of the network have different owners on more than one user system of the set of user systems.
  - 7. The system of claim 1, wherein the computer system is caused to:
    - identify one or more files or file sets having auditing or security significance, wherein one or more systems of the network are designated to store the files or file sets having the auditing or security significance; and
      
      generate the alert responsive to a determination that the files or file sets have been copied or moved off of the designated systems.
  - 8. The system of claim 1, wherein the computer system is caused to:
    - generate statistics that describe normal activities that at least one user perform to interact with at least some files of the user systems; and
      
      generate the alert responsive to a determination that interactions with the at least some files of the user systems deviate from the statistics describing the normal activities that the users perform to interact with the at least some files of the user systems.
  - 9. The system of claim 1, wherein the computer system is caused to:
    - generate statistics that describe normal activities that at least one user perform to interact with one or more directories or folders that contain at least some files of the user systems; and
      
      generate the alert responsive to a determination that interactions with the directories or folders deviate from the statistics describing the normal activities that the users perform to interact with the directories or folders.
  - 10. The system of claim 1, wherein the set of hashes associated with the files of the user system comprises one or more of checksums, complete cryptographic hashes, or partial cryptographic hashes.

11. A method for facilitating data leakage and/or propagation tracking on a network, the method being implemented on a computer system that includes one or more processors executing computer program instructions that, when executed, perform the method, the method comprising:
- obtaining a set of hashes that are associated with files of a user system, and a reference set of hashes that are associated with files of a reference system;
  
  determining an additional subset of hashes included in the set of hashes and not included in the reference set of hashes based on a comparison between the set of hashes and the reference set of hashes;
  
  predicting that a file is exclusive for one or more users or exclusive for one or more user systems, the file being associated with a hash included in the additional subset of hashes;
  
  scanning one or more other user systems to determine what files are on the other user systems, wherein each of the other user systems is assigned to one or more other users or is not one of the user systems; and
  
  generating an alert indicating unauthorized activity, wherein the alert is generated responsive to the scan indicating that the other user systems contain the file predicted to be exclusive for the users or exclusive for the user systems.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18)
- - 12. The method of claim 11, further comprising:
    - obtaining a set of names or paths that are associated with the files of the user system;
      
      obtaining a reference set of names or paths associated with the files of the reference system; and
      
      determining an additional subset of names or paths included in the set of names or paths and not included in the reference set of names or paths based on a comparison between the set of names or paths and the reference set of names or paths;
      
      wherein predicting the file as being exclusive for the users or exclusive for the user systems is further based on the additional subset of names or paths.
  - 13. The method of claim 11, further comprising:
    - obtaining a set of names and paths that are associated with the files of the user system;
      
      obtaining a reference set of names and paths associated with the files of the reference system; and
      
      determining an additional subset of names and paths included in the set of names and paths and not included in the reference set of names and paths based on a comparison between the set of names and paths and the reference set of names and paths,wherein predicting the file as being exclusive for the users or exclusive for the user systems is further based on the additional subset of names and paths.
  - 14. The method of claim 11, further comprising:
    - observing traffic associated with the network to detect activity that changed, copied, moved, or accessed one or more files on user systems of the network; and
      
      generating, based on the detected activity, an audit trail associated with the files that were changed, copied, moved, or accessed, wherein the audit trail includes information to describe (i) one or more of the user systems at which the detected activity was observed, (ii) at least one user that owned the files associated with the detected activity, (iii) times when the users owned the files associated with the detected activity, and (iv) the detected activity.
  - 15. The method of claim 11, further comprising:
    - obtaining, based on the scan, hashes associated with files that are on the other user systems; and
      
      generating the alert responsive to a determination that at least one of the hashes obtained based on the scan matches the hash associated with the file predicted to be exclusive for the users or exclusive for the user systems.
  - 16. The method of claim 11, further comprising:
    - generating the alert responsive to a determination that one or more files of a set of user systems on the network have different owners on more than one user system of the set of user systems.
  - 17. The method of claim 11, further comprising:
    - identifying one or more files or file sets having auditing or security significance, wherein one or more systems of the network are designated to store the files or file sets having the auditing or security significance; and
      
      generating the alert responsive to a determination that the files or file sets have been copied or moved off of the designated systems.
  - 18. The method of claim 11, wherein the sets of hashes associated with the files of the user systems comprises one or more of checksums, complete cryptographic hashes, or partial cryptographic hashes.

19. A non-transitory, computer-readable media storing machine-readable instructions that, when executed, by a data processing apparatus cause the data processing apparatus to perform operations comprising:
- obtaining a set of hashes that are associated with files of a user system, and a reference set of hashes that are associated with files of a reference system;
  
  determining an additional subset of hashes included in the set of hashes and not included in the reference set of hashes based on a comparison between the set of hashes and the reference set of hashes;
  
  predicting that a file is exclusive for one or more users or exclusive for one or more user systems, the file being associated with a hash included in the additional subset of hashes;
  
  scanning one or more other user systems to determine what files are on the other user systems, wherein each of the other user systems is assigned to one or more other users or is not one of the user systems; and
  
  generating an alert indicating unauthorized activity, wherein the alert is generated responsive to the scan indicating that the other user systems contain the file predicted to be exclusive for the users or exclusive for the user systems.
- View Dependent Claims (20)
- - 20. The computer-readable media of claim 19, wherein the operations comprise:
    - obtaining, based on the scan, hashes associated with files that are on the other user systems; and
      
      generating the alert responsive to a determination that at least one of the hashes obtained based on the scan matches the hash associated with the file predicted to be exclusive for the users or exclusive for the user systems.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Tenable, Inc. (Tenable Holdings, Inc.)
Original Assignee
Tenable, Inc. (Tenable Holdings, Inc.)
Inventors
Gula, Ron, Ranum, Marcus
Primary Examiner(s)
Choudhury, Azizul

Application Number

US15/718,370
Publication Number

US 20180019971A1
Time in Patent Office

747 Days
Field of Search
US Class Current
CPC Class Codes

G06F 12/0864   using pseudo-associative me...

G06F 16/137   Hash-based content-based in...

G06F 16/152   using file content signatur...

G06F 21/64   Protecting data integrity, ...

H04L 63/0236   Filtering by address, proto...

H04L 63/0876   based on the identity of th...

H04L 63/1408   by monitoring network traff...

System and method for facilitating data leakage and/or propagation tracking

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

130 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for facilitating data leakage and/or propagation tracking

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

130 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links