Methods, systems, and computer program products for transmission control of sensitive application-layer data

US 20070094394A1
Filed: 10/26/2005
Published: 04/26/2007
Est. Priority Date: 10/26/2005
Status: Active Grant

First Claim

Patent Images

1. A method for identifying sensitive application-layer data and controlling transmission of the data in a network, the method comprising:

identifying, in a system resource, sensitive data at an application layer;

detecting a packetization of the identified sensitive data;

in response to identifying the sensitive data and detecting the packetization, inserting a flag indicative of the presence of sensitive data in a packet having at least a portion of the identified sensitive data, wherein the flag is inserted in a portion of the packet corresponding to a layer other than the application layer; and

controlling transmission of the packet in a network based on the flag.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Disclosed are methods, systems, and computer program products for identifying sensitive application-layer data and controlling transmission of the data in a network. According to one method, sensitive data in a system resource is identified at an application layer. A packetization of the identified sensitive data is detected. A flag indicative of the presence of sensitive data is inserted in a packet having at least a portion of the identified sensitive data in response to identifying the sensitive data and detecting the packetization. The flag is inserted in a portion of the packet corresponding to a layer other than the application layer. Transmission of the packet is controlled in a network based on the flag.

Citations

29 Claims

1. A method for identifying sensitive application-layer data and controlling transmission of the data in a network, the method comprising:
- identifying, in a system resource, sensitive data at an application layer;
  
  detecting a packetization of the identified sensitive data;
  
  in response to identifying the sensitive data and detecting the packetization, inserting a flag indicative of the presence of sensitive data in a packet having at least a portion of the identified sensitive data, wherein the flag is inserted in a portion of the packet corresponding to a layer other than the application layer; and
  
  controlling transmission of the packet in a network based on the flag.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method of claim 1 wherein the system resource includes at least one of a file, data being input into email, data being input into a chat session, and stored information.
  - 3. The method of claim 1 comprising creating a sensitive data definition at the application layer.
  - 4. The method of claim 3 comprising storing the sensitive data definition in a database.
  - 5. The method of claim 3 wherein identifying the sensitive data includes comparing data at the application layer with the sensitive data definition.
  - 6. The method of claim 1 wherein controlling transmission of the packet in a network based on the flag includes processing a flag definition associated with the flag for use in controlling transmission of the packet in the network.
  - 7. The method of claim 6 wherein the flag definition is retrieved from a database for processing.
  - 8. The method of claim 1 wherein inserting the flag includes inserting the flag in a field of the packet.
  - 9. The method of claim 8 wherein the field includes at least one of a type-of-service field of an Internet protocol (IP) header, an IP-options field of an IP header, a Transmission Control Protocol (TCP)-options field of a TCP header, an “
    - option +padding”
      
      field of an IP version 4 (IPv4) frame, an options field of a TCP frame, and a next-header field of an IP version 6 (IPv6) datagram/frame.
  - 10. The method of claim 1 wherein the flag includes at least one of a Data Cannot Leave Subnet (DCLS) flag, a Data Cannot travel over an Unencrypted Connection (DCUC) flag, and a Data Cannot be sent to a Portable Device (DCPD) flag.
  - 11. The method of claim 1 wherein controlling transmission includes controlling egress of the packet at a network infrastructure device in the network.
  - 12. The method of claim 11 wherein the network infrastructure device includes at least one of a network interface card (NIC), a gateway, a switch, a firewall, a router and a network bridge.
  - 13. The method of claim 1 wherein controlling transmission includes controlling egress of the packet at a network interface of at least one of a host device, a local area network (LAN), a local area sub-network, a wide area network (WAN), and the Internet.
  - 14. The method of claim 1 comprising creating a sensitive data flag definition and storing the sensitive data flag definition in a flag type database.

15. A system for identifying sensitive application-layer data and controlling transmission of the data in a network, the system comprising:
- an application monitor adapted to identify sensitive data at an application layer in a system resource;
  
  a sensitive data agent operatively associated with the application monitor adapted to detect a packetization of the sensitive data identified by the application monitor and to insert a flag indicative of the presence of sensitive data in a packet having at least a portion of the identified sensitive data, wherein inserting the flag in the packet includes inserting the flag in a portion of the packet corresponding to a layer other than the application layer; and
  
  a sensitive data network agent operatively associated with the sensitive data agent adapted to control transmission of the packet in a network by interpreting the flag during transmission of the packet.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27)
- - 16. The system of claim 15 wherein the system resource includes at least one of a file, data being input into email, data being input into a chat session, and stored information.
  - 17. The system of claim 15 wherein the application monitor is adapted to create a sensitive data definition at the application layer.
  - 18. The system of claim 17 wherein the sensitive data agent is adapted to store the sensitive data definition in a sensitive data database.
  - 19. The system of claim 18 wherein the application monitor identifies the sensitive data by comparing data at the application layer with entries in the sensitive data database.
  - 20. The system of claim 15 wherein the sensitive data agent is adapted to process a flag definition associated with the flag for use in controlling transmission of the packet in the network.
  - 21. The system of claim 20 comprising a flag type database, wherein the sensitive data agent is adapted to retrieve the flag definition from the flag type database for processing.
  - 22. The system of claim 15 wherein the sensitive data agent is adapted to insert the flag in a field of the packet.
  - 23. The system of claim 22 wherein the field includes at least one of a type-of-service field of an Internet protocol (IP) header, an IP-options field of an IP header, a Transmission Control Protocol (TCP)-options field of a TCP header, an “
    - option +padding”
      
      field of an IP version 4 (IPv4) frame, an options field of a TCP frame, and a next-header field of an IP version 6 (IPv6) datagram/frame.
  - 24. The system of claim 15 wherein the flag includes at least one of a Data Cannot Leave Subnet (DCLS) flag, a Data Cannot travel over an Unencrypted Connection (DCUC) flag, and a Data Cannot be sent to a Portable Device (DCPD) flag.
  - 25. The system of claim 15 wherein the sensitive data network agent is adapted to control egress of the packet at a network infrastructure device in the network.
  - 26. The system of claim 25 wherein the network infrastructure device includes at least one of a network interface card (NIC), a gateway, a switch, a firewall, a router and a network bridge.
  - 27. The system of claim 15 wherein the sensitive data network agent is adapted to control egress of the packet at a network interface of at least one of a host device, a local area network (LAN), a local area sub-network, a wide area network (WAN), and the Internet.

28. A system for identifying sensitive application-layer data and controlling transmission of the data in a network, the system comprising:
- means for identifying sensitive data in a system resource;
  
  means for detecting a packetization of the identified sensitive data;
  
  means for inserting a flag in a packet having at least a portion of the identified sensitive data, wherein inserting the flag in the packet includes inserting the flag in a portion of the packet corresponding to the means for detecting the packetization of the identified sensitive data; and
  
  means for controlling transmission of the sensitive data in a network by interpreting the flag during transmission of the packet.

29. A computer program product comprising computer-executable instructions embodied in a computer readable medium for performing steps comprising:
- identifying, in a system resource, sensitive data at an application layer;
  
  detecting a packetization of the identified sensitive data;
  
  in response to identifying the sensitive data and detecting the packetization, inserting a flag indicative of the presence of sensitive data in a packet having at least a portion of the identified sensitive data, wherein the flag is inserted in a portion of the packet corresponding to a layer other than the application layer; and
  
  controlling transmission of the packet in a network based on the flag.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Chemtron Research LLC (Intellectual Ventures LLC)
Original Assignee
Armstrong Quinton Co LLC (Intellectual Ventures LLC)
Inventors
Singh, Mona, Bardsley, Jeffrey Scott, Horner, Richard Mark

Granted Patent

US 8,301,771 B2
Time in Patent Office

Days
Field of Search
US Class Current

709/226
CPC Class Codes

H04L 63/0227   Filtering policies mail mes...

H04L 67/289   Intermediate processing fun...

H04L 67/561   Adding application-function...

H04L 69/16   Implementation or adaptatio...

H04L 69/161   Implementation details of T...

H04L 69/32   Architecture of open system...

Methods, systems, and computer program products for transmission control of sensitive application-layer data

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

Citations

29 Claims

Specification

Solutions

Use Cases

Quick Links

Methods, systems, and computer program products for transmission control of sensitive application-layer data

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

29 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links