Method, apparatus, and program for identifying, restricting, and monitoring data sent from client computers

US 20030037138A1
Filed: 08/16/2001
Published: 02/20/2003
Est. Priority Date: 08/16/2001
Status: Abandoned Application

First Claim

Patent Images

1. A method, in a computer system, for monitoring data sent from a computer, comprising:

detecting a request for an outgoing transfer of data from a program in the computer system to a destination;

determining whether the destination is a trusted site; and

performing a corrective action if the destination is not a trusted site.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A monitoring tool operates just before packets are sent out from a client computer. The monitoring tool identifies the destination of data being sent and determines whether the destination is a trusted site. The monitoring tool may also check the data itself. If the data is unencrypted, the tool may perform a string or binary pattern search on the data. However, if the data is encrypted the monitoring tool may check for the amount of data being sent. The monitoring tool may then warn the user or an administrator if the data being sent appears to be uncharacteristically high. The monitoring tool may also take corrective action, such as blocking the transmission or disabling the offending program. Alternatively, the monitoring tool may attempt to alter the final destination of the data to the client computer itself. If the program still works, the program may continue to operate.

68 Citations

View as Search Results

50 Claims

1. A method, in a computer system, for monitoring data sent from a computer, comprising:
- detecting a request for an outgoing transfer of data from a program in the computer system to a destination;
  
  determining whether the destination is a trusted site; and
  
  performing a corrective action if the destination is not a trusted site.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, wherein the step of determining whether the destination is a trusted site comprises matching the destination against a list of trusted sites.
  - 3. The method of claim 1, wherein the corrective action comprises blocking the outgoing transfer.
  - 4. The method of claim 1, wherein the corrective action comprises disabling the program.
  - 5. The method of claim 1, wherein the step of performing a corrective action comprises:
    - changing the destination of the outgoing transfer to the computer system; and
      
      determining whether the program operates in response to the changed destination.
  - 6. The method of claim 1, wherein the step of performing a corrective action comprises:
    - irreversibly encrypting the data; and
      
      determining whether the program operates in response to the encryption.
  - 7. The method of claim 6, wherein the step of irreversibly encrypting the data comprises injecting random numbers into the data.
  - 8. The method of claim 1, further comprising:
    - determining whether the amount of data for the outgoing transfer is uncharacteristically high; and
      
      performing a corrective action if the amount of data is uncharacteristically high.
  - 9. The method of claim 1, further comprising:
    - determining whether the data includes personal information; and
      
      performing a corrective action if the data includes personal information.
  - 10. The method of claim 9, wherein the step of determining whether the data includes personal information comprises performing a text string search or binary pattern search on the data.
  - 11. The method of claim 1, wherein the step of performing a corrective action comprises storing a log of the outgoing transfer.
  - 12. The method of claim 11, wherein the step of storing a log of the outgoing transfer comprises storing the data.
  - 13. The method of claim 11, further comprising transferring the log to a remote computer.

14. A method, in a computer system, for monitoring data sent from a computer, comprising:
- detecting a request for an outgoing transfer of data from a program in the computer system to a destination;
  
  determining whether the amount of the data is uncharacteristically high; and
  
  performing a corrective action if the amount of the data is uncharacteristically high.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 23, 24)
- - 15. The method of claim 14, wherein the corrective action comprises blocking the data transfer.
  - 16. The method of claim 14, wherein the corrective action comprises disabling the program.
  - 17. The method of claim 14, wherein the step of performing a corrective action comprises:
    - changing the destination of the outgoing transfer to the computer system; and
      
      determining whether the program operates in response to the changed destination.
  - 18. The method of claim 14, wherein the step of performing a corrective action comprises:
    - irreversibly encrypting the data; and
      
      determining whether the program operates in response to the encryption.
  - 19. The method of claim 18, wherein the step of irreversibly encrypting the data comprises injecting random numbers into the data.
  - 20. The method of claim 14, further comprising:
    - determining whether the data includes personal information; and
      
      performing a corrective action if the data includes personal information.
  - 21. The method of claim 20, wherein the step of determining whether the data includes personal information comprises performing a text string search or binary pattern search on the data.
  - 22. The method of claim 14, wherein the step of performing a corrective action comprises storing a log of the outgoing transfer.
  - 23. The method of claim 22, wherein the step of storing a log of the outgoing transfer comprises storing the data.
  - 24. The method of claim 22, further comprising transferring the log to a remote computer.

25. An apparatus for monitoring data sent from a computer system, comprising:
- detection means for detecting a request for an outgoing transfer of data from a program in the computer system to a destination;
  
  determination means for determining whether the destination is a trusted site; and
  
  correction means for performing a corrective action if the destination is not a trusted site.
- View Dependent Claims (26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37)
- - 26. The apparatus of claim 25, wherein the determination means comprises means for matching the destination against a list of trusted sites.
  - 27. The apparatus of claim 25, wherein the corrective action comprises blocking the outgoing transfer.
  - 28. The apparatus of claim 25, wherein the corrective action comprises disabling the program.
  - 29. The apparatus of claim 25, wherein the correction means comprises:
    - means for changing the destination of the outgoing transfer to the computer system; and
      
      means for determining whether the program operates in response to the changed destination.
  - 30. The apparatus of claim 25, wherein the correction means comprises:
    - encryption means for irreversibly encrypting the data; and
      
      means for determining whether the program operates in response to the encryption.
  - 31. The apparatus of claim 30, wherein the encryption means comprises means for injecting random numbers into the data.
  - 32. The apparatus of claim 25, further comprising:
    - means for determining whether the amount of data for the outgoing transfer is uncharacteristically high; and
      
      means for performing a corrective action if the amount of data is uncharacteristically high.
  - 33. The apparatus of claim 25, further comprising:
    - means for determining whether the data includes personal information; and
      
      means for performing a corrective action if the data includes personal information.
  - 34. The apparatus of claim 33, wherein the means for determining whether the data includes personal information comprises means for performing a text string search or binary pattern search on the data.
  - 35. The apparatus of claim 25, wherein the step of performing a corrective action comprises storage means for storing a log the outgoing transfer.
  - 36. The apparatus of claim 35, wherein the storage means comprises means for storing the data.
  - 37. The apparatus of claim 35, further comprising means for transferring the log to a remote computer.

38. An apparatus for monitoring data sent from a computer system, comprising:
- detection means for detecting a request for an outgoing transfer of data from a program in the computer system to a destination;
  
  determination means for determining whether the amount of the data is uncharacteristically high; and
  
  correction means for performing a corrective action if the amount of the data is uncharacteristically high.
- View Dependent Claims (39, 40, 41, 42, 43, 44, 45, 46)
- - 39. The apparatus of claim 38, wherein the corrective action comprises blocking the data transfer.
  - 40. The apparatus of claim 38, wherein the corrective action comprises disabling the program.
  - 41. The apparatus of claim 38, wherein the correction means comprises:
    - means for changing the destination of the outgoing transfer to the computer system; and
      
      means for determining whether the program operates in response to the changed destination.
  - 42. The apparatus of claim 38, wherein the correction means comprises:
    - encryption means for irreversibly encrypting the data; and
      
      means for determining whether the program operates in response to the encryption.
  - 43. The apparatus of claim 42, wherein the encryption means comprises means for injecting random numbers into the data.
  - 44. The apparatus of claim 38, further comprising:
    - means for determining whether the data includes personal information; and
      
      means for performing a corrective action if the data includes personal information.
  - 45. The apparatus of claim 44, wherein the means for determining whether the data includes personal information comprises means for performing a text string search or binary pattern search on the data.
  - 46. The apparatus of claim 38, wherein the correction means comprises storage means for storing a log the outgoing transfer.

48. The apparatus of claim 48, further comprising means for transferring the log to a remote computer.
- View Dependent Claims (47)
- - 47. The apparatus of claim 48, wherein the storage means comprises means for storing the data.

49. A computer program product, in a computer readable medium, for monitoring data sent from a computer system, comprising:
- instructions for detecting a request for an outgoing transfer of data from a program in the computer system to a destination;
  
  instructions for determining whether the destination is a trusted site; and
  
  instructions for performing a corrective action if the destination is not a trusted site.

50. A computer program product, in a computer readable medium, for monitoring data sent from a computer system, comprising:
- instructions for detecting a request for an outgoing transfer of data from a program in the computer system to a destination;
  
  instructions for determining whether the amount of the data is uncharacteristically high; and
  
  instructions for performing a corrective action if the amount of the data is uncharacteristically high.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Dutta, Rabindranath, Paolini, Michael A., Brown, Michael Wayne

Application Number

US09/931,300
Publication Number

US 20030037138A1
Time in Patent Office

Days
Field of Search
US Class Current

709/225
CPC Class Codes

G06F 21/55   Detecting local intrusion o...

G06F 21/554   involving event detection a...

H04L 63/101   Access control lists [ACL]

H04L 63/1408   by monitoring network traff...

H04L 63/145   the attack involving the pr...

Method, apparatus, and program for identifying, restricting, and monitoring data sent from client computers

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

68 Citations

50 Claims

Specification

Solutions

Use Cases

Quick Links

Method, apparatus, and program for identifying, restricting, and monitoring data sent from client computers

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

68 Citations

50 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links