Inferring content sensitivity from partial content matching

US 20050091537A1
Filed: 09/24/2004
Published: 04/28/2005
Est. Priority Date: 10/28/2003
Status: Active Grant

First Claim

Patent Images

1. A method comprising the steps of:

determining content of monitored data;

determining if the monitored data content is entirely included in a first set of content associated with a first classification, and if so, then classifying the monitored data as the first classification; and

performing a first action if the monitored data is classified as the first classification, and performing a second action otherwise.

View all claims

15 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Monitored content is analyzed to determine full and partial matches to previously classified content. Monitored content matching previously classified public content is classified as public, even if the monitored content is also found to match previously classified private content. In other words, public classification “overrides” potentially private classification. Monitored content matching only previously classified private content is classified as private. All remaining otherwise unclassified monitored content is classified as unknown. Monitored content is analyzed with respect to a session. If any content in a session is private, then the session is classified as private. If all content in a session is public, then the session is classified as public. Otherwise, the session is classified as unknown. In a related aspect, a set of policies are searched for a first match in part according to the classification, and a designated action taken if the first match is found.

Citations

55 Claims

1. A method comprising the steps of:
- determining content of monitored data;
  
  determining if the monitored data content is entirely included in a first set of content associated with a first classification, and if so, then classifying the monitored data as the first classification; and
  
  performing a first action if the monitored data is classified as the first classification, and performing a second action otherwise.
- View Dependent Claims (2, 3, 4)
- - 2. The method of claim 1, further comprising:
    - if the monitored data is not classified as the first classification, then classifying the monitored data as a second classification.
  - 3. The method of claim 2, wherein:
    - the first classification is a public classification;
      
      the second classification is a private classification;
      
      the first action is no action; and
      
      the second action comprises a flagging action.
  - 4. The method of claim 3, wherein:
    - the second action further comprises writing information to a log.

5. A method comprising the steps of:
- determining content of monitored data;
  
  determining if the monitored data content is entirely included in a first set of content associated with a first classification, and if so, then classifying the monitored data as the first classification;
  
  determining if the monitored data content is entirely included in a second set of content associated with a second classification, and if so, then classifying the monitored data as a second classification;
  
  if the monitored data is not the first classification and the monitored data is not the second classification, then classifying the monitored data as a third classification; and
  
  performing a first action if the monitored data is classified as the first classification, and performing a second action otherwise.
- View Dependent Claims (6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21)
- - 6. The method of claim 5, wherein:
    - the first classification is a public classification;
      
      the second classification is a private classification;
      
      the first action is no action; and
      
      the second action comprises a flagging action.
  - 7. The method of claim 6, wherein:
    - the second action further comprises writing information to a log.
  - 8. The method of claim 5, wherein:
    - the second action comprises performing a third action if the monitored data is classified as the second classification, and performing a fourth action otherwise.
  - 9. The method of claim 8, wherein:
    - the first classification is a public classification;
      
      the second classification is a private classification;
      
      the third classification is an unknown classification;
      
      the first action is no action;
      
      the third action comprises a first flagging action; and
      
      the fourth action comprises a second flagging action.
  - 10. The method of claim 5, wherein:
    - the act of determining content of the monitored data comprises linguistically analyzing the monitored data.
  - 11. The method of claim 10, wherein:
    - the act of linguistically analyzing the monitored data includes producing a set of data keys corresponding to the monitored data content.
  - 12. The method of claim 11, wherein:
    - the monitored data content is entirely included in the first set of content if all of the data keys are present in a first set of keys associated with the first set of content.
  - 13. The method of claim 12, wherein:
    - the monitored data content is entirely included in the second set of content if all of the data keys are present in a second set of keys associated with the second set of content.
  - 14. The method of claim 13, wherein:
    - at least a portion of the first set of keys are present in the second set of keys.
  - 15. The method of claim 10, wherein:
    - the act of linguistically analyzing the monitored data comprises tokenizing.
  - 16. The method of claim 15, wherein:
    - the act of tokenizing includes identifying significant words, and discarding any combination of white space, punctuation, articles, and conjunctions.
  - 17. The method of claim 15, wherein:
    - the act of linguistically analyzing the monitored data further comprises splitting results of the tokenizing into non-overlapping sections.
  - 18. The method of claim 17, wherein:
    - the act of producing a set of data keys includes computing a hash function for each section, and the data keys include results of the hash function computation.
  - 19. The method of claim 15, wherein:
    - the act of linguistically analyzing the monitored data further comprises splitting results of the tokenizing into overlapping sections.
  - 20. The method of claim 19, wherein:
    - the overlapping sections are formed by advancing one token at a time.
  - 21. The method of claim 19, wherein:
    - the overlapping sections are formed by advancing more than one token at a time.

22. A method comprising the steps of:
- dividing monitored data into sections;
  
  classifying each section selectively as one of a group of classifications including a first and a second classification;
  
  if at least one of the sections is classified as the second classification, then classifying the monitored data as the second classification;
  
  if none of the sections are classified as the second classification, and all of the sections are classified as the first classification, then classifying the monitored data as the first classification; and
  
  wherein classifying each section comprises if the respective section is a subset of content designated as the first classification, then classifying the respective section as the first classification, if the respective section is not a subset of content designated as the first classification, and the respective section is a subset of content designated as the second classification, then classifying the respective section as the second classification.
- View Dependent Claims (23, 24, 25, 26, 27, 28)
- - 23. The method of claim 22, wherein:
    - the group of classifications includes a third classification;
      
      the act of classifying each section further comprises if the respective section is not a subset of content designated as the first classification, and the respective section is not a subset of content designated as the second classification, then classifying the respective section as the third classification.
  - 24. The method of claim 23, further comprising:
    - if none of the sections are classified as the first classification, and none of the sections are classified as the second classification, then classifying the monitored data as the third classification.
  - 25. The method of claim 23, wherein:
    - the first classification is a public classification;
      
      the second classification is a private classification; and
      
      the third classification is an unknown classification.
  - 26. The method of claim 22, further comprising:
    - performing a first action if the monitored data is classified as the first classification, and performing a second action otherwise.
  - 27. The method of claim 26, wherein:
    - the first classification is a public classification;
      
      the second classification is a private classification;
      
      the first action is no action; and
      
      the second action comprises a flagging action.
  - 28. The method of claim 27, wherein:
    - the second action further comprises writing information to a log.

29. A method comprising the steps of:
- dividing monitored data into sections;
  
  classifying each section selectively as one of a first, second, and third classification;
  
  combining the classification of each of the sections into an overall monitored data classification; and
  
  wherein classifying each section comprises if the section is a subset of content designated as the first classification, then classifying the section as the first classification, if the section is not a subset of content designated as the first classification, and the section is a subset of content designated as the second classification, then classifying the section as the second classification, and if the section is not classified as the first classification and the section is not classified as the second classification, then classifying the section as the third classification.
- View Dependent Claims (30, 31)
- - 30. The method of claim 29, wherein:
    - the act of combining the classification of each of the sections comprises if at least one of the sections is classified as the second classification, then classifying the monitored data as the second classification;
      
      if none of the sections are classified as the second classification, and all of the sections are classified as the first classification, then classifying the monitored data as the first classification; and
      
      if none of the sections are classified as the second classification, and at least one of the sections is not classified as the first classification, then classifying the monitored data as the third classification.
  - 31. The method of claim 30, wherein:
    - the first classification is a public classification;
      
      the second classification is a private classification; and
      
      the third classification is an unknown classification.

32. A content appliance including:
- a processor adapted to execute software;
  
  a network interface coupled to the processor; and
  
  wherein the software includes functions enabling collecting network traffic via the network interface, analyzing content of the collected traffic to determine if it is entirely included in a first set of content associated with a first classification, and if so, then classifying the collected content as the first classification, and otherwise classifying the collected content as a second classification, and performing a first action if the collected content is classified as the first classification, and performing a second action otherwise.
- View Dependent Claims (33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43)
- - 33. The content appliance of claim 32, wherein:
    - the first classification is a public classification;
      
      the second classification is a private classification;
      
      the first action is no action; and
      
      the second action comprises a flagging action.
  - 34. The content appliance of claim 33, wherein:
    - the second action further comprises writing information to a log.
  - 35. The content appliance of claim 32, further including:
    - a hardware accelerator adapted to improve performance; and
      
      wherein the analyzing content of the collected traffic is accelerated by use of the hardware accelerator.
  - 36. The content appliance of claim 32, wherein:
    - the analyzing content of the collected traffic includes linguistically analyzing the collected traffic.
  - 37. The content appliance of claim 36, wherein:
    - the linguistically analyzing the collected traffic includes producing a set of traffic keys corresponding to the collected traffic content.
  - 38. The content appliance of claim 37, wherein:
    - the collected traffic content is entirely included in the first set of content if all of the traffic keys are present in a first set of keys associated with the first content.
  - 39. The content appliance of claim 38, further including:
    - storage coupled to the processor; and
      
      wherein the first set of keys are stored in the storage.
  - 40. The content appliance of claim 37, wherein:
    - the producing a set of traffic keys includes tokenizing the collected traffic.
  - 41. The content appliance of claim 40, wherein:
    - the tokenizing the collected traffic includes identifying significant words, and discarding any combination of white space, punctuation, articles, and conjunctions.
  - 42. The content appliance of claim 40, wherein:
    - the producing a set of traffic keys further includes splitting results of tokenizing into non-overlapping sections.
  - 43. The content appliance of claim 42, wherein:
    - the producing a set of traffic keys further includes computing a hash function for each section, and the traffic keys include results of the hash function computation.

44. A content appliance including:
- a processor adapted to execute software;
  
  a network interface coupled to the processor; and
  
  wherein the software includes functions enabling collecting network traffic via the network interface, analyzing content of the collected traffic to determine if it is entirely included in a first set of content associated with a first classification, and if so, then classifying the collected content as the first classification, and performing a first action if the collected content is classified as the first classification, and performing a second action otherwise.
- View Dependent Claims (45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55)
- - 45. The content appliance of claim 44, wherein:
    - the software further includes functions enabling analyzing, if the collected traffic is not classified as the first classification, the content of the collected traffic to determine if it is entirely included in a second set of content associated with a second classification, and if so, then classifying the collected content as the second classification.
  - 46. The content appliance of claim 45, wherein:
    - the software further includes functions enabling classifying the collected content as a third classification, if it is not classified as the first classification and if it is not classified as the second classification.
  - 47. The content appliance of claim 46, wherein:
    - the first classification is a public classification;
      
      the second classification is a private classification;
      
      the first action is no action; and
      
      the second action comprises a flagging action.
  - 48. The content appliance of claim 47, wherein:
    - the second action further comprises writing information to a log.
  - 49. The content appliance of claim 47, wherein:
    - the second action comprises performing a third action if the monitored data is classified as the second classification, and performing a fourth action otherwise.
  - 50. The content appliance of claim 49, wherein:
    - the first classification is a public classification;
      
      the second classification is a private classification;
      
      the third classification is an unknown classification;
      
      the first action is no action;
      
      the third action comprises a first flagging action; and
      
      the fourth action comprises a second flagging action.
  - 51. The content appliance of claim 44, wherein:
    - the analyzing content of the collected traffic includes linguistically analyzing the collected traffic.
  - 52. The content appliance of claim 51, wherein:
    - the linguistically analyzing the collected traffic includes producing a set of traffic keys corresponding to the collected traffic content.
  - 53. The content appliance of claim 52, wherein:
    - the collected traffic content is entirely included in the first set of content if all of the traffic keys are present in a first set of keys associated with the first content.
  - 54. The content appliance of claim 53, wherein:
    - the collected traffic content is entirely included in the second set of content if all of the traffic keys are present in a second set of keys associated with the second content.
  - 55. The content appliance of claim 54, wherein:
    - at least a portion of the first set of keys are present in the second set of keys.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Emc IP Holding Company LLC (Dell Technologies Inc.)
Original Assignee
RSA Security Incorporated (Symphony Technology Group LLC)
Inventors
Reizes, David Alexander, Wiese, James Christopher, Nisbet, James Donald, Hoyt, Stephen Crosby

Granted Patent

US 7,523,301 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/4
CPC Class Codes

G06F 21/55   Detecting local intrusion o...

G06F 21/62   Protecting access to data v...

H04L 63/101   Access control lists [ACL]

H04L 63/20   for managing network securi...

Y10S 707/99938   Concurrency, e.g. lock mana...

Y10S 707/99939   Privileged access

Inferring content sensitivity from partial content matching

First Claim

15 Assignments

0 Petitions

Accused Products

Abstract

Citations

55 Claims

Specification

Solutions

Use Cases

Quick Links

Inferring content sensitivity from partial content matching

First Claim

15 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

55 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links