System and Methodology Providing Information Lockbox

US 20050005145A1
Filed: 10/15/2003
Published: 01/06/2005
Est. Priority Date: 07/02/2003
Status: Active Grant

First Claim

Patent Images

1. In a computer system, a method for protecting sensitive information, the method comprising:

receiving input of sensitive information from a user;

computing a data shadow of the sensitive information for storage in a repository;

based on the data shadow stored in the repository, detecting any attempt to transmit the sensitive information; and

blocking any detected attempt to transmit the sensitive information that is not authorized by the user.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system providing a secure lockbox methodology for protecting sensitive information is described. In one embodiment, the methodology includes steps of receiving input of sensitive information from a user; computing a data shadow of the sensitive information for storage in a repository; based on the data shadow stored in the repository, detecting any attempt to transmit the sensitive information; and blocking any detected attempt to transmit the sensitive information that is not authorized by the user.

212 Citations

55 Claims

1. In a computer system, a method for protecting sensitive information, the method comprising:
- receiving input of sensitive information from a user;
  
  computing a data shadow of the sensitive information for storage in a repository;
  
  based on the data shadow stored in the repository, detecting any attempt to transmit the sensitive information; and
  
  blocking any detected attempt to transmit the sensitive information that is not authorized by the user.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32)
- - 2. The method of claim 1, wherein said sensitive information comprises structured data.
  - 3. The method of claim 2, wherein said data shadow is computed for the structured data as a regular expression and a hash.
  - 4. The method of claim 3, wherein said hash comprises a MD-5 hash.
  - 5. The method of claim 2, wherein said structured data includes credit card number information.
  - 6. The method of claim 2, wherein said structured data includes Social Security number information.
  - 7. The method of claim 3, wherein said regular expression represents formatting information for said structured data.
  - 8. The method of claim 3, wherein said hash is computed after normalization of the structured data.
  - 9. The method of claim 8, wherein said normalization includes removing any formatting information before computing the hash.
  - 10. The method of claim 1, wherein said sensitive information comprises structured data and said detecting step includes:
    - initially detecting said structured data by matching a format for that structured data.
  - 11. The method of claim 1, wherein said sensitive information comprises literal data.
  - 12. The method of claim 11, wherein said data shadow is computed for the literal data as a length value plus at least one hash of the literal data.
  - 13. The method of claim 12, wherein said at least one hash includes an additional first pass hash or checksum value computed for the literal data.
  - 14. The method of claim 12, wherein said at least one hash includes a MD-5 hash computed for the literal data.
  - 15. The method of claim 1, wherein said at least one hash includes an optional checksum value computed for the literal data that allows relatively quick detection of the sensitive information and a MD-5 hash that allows subsequent verification.
  - 16. The method of claim 1, wherein said receiving input step includes:
    - receiving input indicating a type for the sensitive information.
  - 17. The method of claim 16, wherein said receiving input indicating a type includes:
    - receiving input indicating that the sensitive information is a password.
  - 18. The method of claim 16, wherein said receiving input indicating a type includes:
    - receiving input indicating that the sensitive information is a Social Security number.
  - 19. The method of claim 16, wherein said receiving input indicating a type includes:
    - receiving input indicating that the sensitive information is a credit card number.
  - 20. The method of claim 16, wherein said receiving input indicating a type includes:
    - receiving input indicating that the sensitive information is a personal identification number (PIN).
  - 21. The method of claim 1, further comprising:
    - automatically determining a type for the sensitive information that indicates formatting.
  - 22. The method of claim 21, wherein said step of automatically determining a type includes:
    - matching the input against a template for identifying a type.
  - 23. The method of claim 1, wherein said detecting step includes:
    - trapping an outbound buffer of data that may contain the sensitive information; and
      
      in instances where the sensitive information comprises structured data, performing a regular expression search on the outbound buffer.
  - 24. The method of claim 23, further comprising:
    - if a regular expression match is found, normalizing data from the match so as to remove formatting and thereafter computing a hash on it, for comparison with corresponding hash values stored in the repository.
  - 25. The method of claim 24, wherein said hash is a MD-5 hash.
  - 26. The method of claim 1, wherein said detecting step includes:
    - trapping an outbound buffer of data that may contain the sensitive information; and
      
      in instances where the sensitive information comprises literal data, performing a sliding window search on the outbound buffer.
  - 27. The method of claim 26, wherein said sliding window search includes performing an optional checksum calculation on successive blocks of bytes within the outbound buffer, for comparison with corresponding checksum values stored in the repository.
  - 28. The method of claim 27, further comprising:
    - if a match is found based on the checksum comparison, verifying the match with a MD-5 hash performed on data from the match.
  - 29. The method of claim 28, wherein said MD-5 hash performed on data from the match is compared against a corresponding MD-5 hash value stored in the repository.
  - 30. The method of claim 1, wherein said step of blocking includes:
    - referencing a stored policy indicating whether the sensitive information should be blocked from transmission.
  - 31. A computer-readable medium having processor-executable instructions for performing the method of claim 1.
  - 32. A downloadable set of processor-executable instructions for performing the method of claim 1.

33. In a computer system, a method for securing sensitive items from inappropriate access, the method comprising:
- receiving input from a user indicating that a particular sensitive item is to be protected from inappropriate access;
  
  storing metadata characterizing the particular sensitive item;
  
  based on the stored metadata, detecting whether the particular sensitive item is present in any transmission of outgoing data; and
  
  trapping any transmission of outgoing data that is detected to contain the particular sensitive item.
- View Dependent Claims (34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46)
- - 34. The method of claim 33, further comprising:
    - a policy indicating what action the system should be taken upon trapping transmission of outgoing data that contains the particular sensitive item.
  - 35. The method of claim 34, wherein said action includes blocking any trapped transmission.
  - 36. The method of claim 34, wherein said action includes querying the user about whether the particular sensitive item may be transmitted.
  - 37. The method of claim 33, wherein said metadata includes a one-way hash of the particular sensitive item.
  - 38. The method of claim 37, wherein said one-way hash comprises a MD-5 hash.
  - 39. The method of claim 33, wherein said particular sensitive item comprises structured data, and wherein said metadata includes regular expression information characterizing a particular format for the structured data and includes a hash computed on unformatted data extracted from said structured data.
  - 40. The method of claim 39, wherein said trapping step includes:
    - locating the particular sensitive item by first performing a regular expression search on the outgoing data for finding a match based on formatting; and
      
      for any match found based on formatting, performing a hash on the match to determine whether it matches a corresponding hash stored as part of the metadata.
  - 41. The method of claim 33, wherein said particular sensitive item comprises literal data and wherein said metadata comprises as a length value plus at least one hash of the literal data.
  - 42. The method of claim 41, wherein said trapping step includes:
    - locating the particular sensitive item by first performing a sliding window search through the outgoing data for a block of bytes having a size equal to said length value and having a hash value equal to one of said at least one hash of the literal data.
  - 43. The method of claim 42, wherein said at least one hash includes a MD-5 message digest computation.
  - 44. The method of claim 43, wherein said at least one hash further includes an optional first pass hash or checksum as an optimization.
  - 45. A computer-readable medium having processor-executable instructions for performing the method of claim 33.
  - 46. A downloadable set of processor-executable instructions for performing the method of claim 33.

47. A system providing security for sensitive information, the system comprising:
- a data processing system receiving input of sensitive information;
  
  a secure lockbox module for storing a secure descriptor characterizing the sensitive information; and
  
  a security module for detecting, based on said secure descriptor, any attempted transmission of outgoing data that contains the sensitive information.
- View Dependent Claims (48, 49, 50, 51, 52, 53, 54, 55)
- - 48. The system of claim 47, wherein said input includes an indication of a type for the sensitive information.
  - 49. The system of claim 48, wherein said indication of a type includes a selected one of structured data and literal data.
  - 50. The system of claim 49, wherein said structured data includes a credit card number.
  - 51. The system of claim 47, further comprising:
    - a security policy specifying what action is to be undertaken when the security module detects an attempt to transmit the sensitive information.
  - 52. The system of claim 51, wherein said security policy specifies an action of blocking any attempted transmission of the sensitive information.
  - 53. The system of claim 51, wherein said security policy specifies an action of prompting a user to allow or deny any attempted transmission of the sensitive information.
  - 54. The system of claim 47, wherein said sensitive information includes structured data, and wherein said secure descriptor includes regular expression information characterizing a particular format for the structured data and includes a hash computed on unformatted data extracted from said structured data.
  - 55. The system of claim 47, wherein said sensitive information includes literal data and wherein said secure descriptor includes a length value plus at least one hash of the literal data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Check Point Software Technologies Incorporated (Check Point Software Technologies Limited)
Original Assignee
Zone Labs Inc. (Check Point Software Technologies Limited)
Inventors
Teixeira, Steven L.

Granted Patent

US 7,788,726 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/193
CPC Class Codes

G06F 21/606   by securing the transmissio...

G06F 21/6245   Protecting personal data, e...

G06Q 20/382   insuring higher security of...

System and Methodology Providing Information Lockbox

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

212 Citations

55 Claims

Specification

Use Cases

Quick Links

Others

System and Methodology Providing Information Lockbox

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

212 Citations

55 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others