SYSTEM AND METHOD OF DATA INTERCEPTION AND CONVERSION IN A PROXY

US 20120278621A1
Filed: 04/19/2012
Published: 11/01/2012
Est. Priority Date: 04/27/2011
Status: Active Grant

First Claim

Patent Images

1. A method of obfuscating data in a data object, comprising:

receiving, by an intercepting proxy server computer, the data object from a client device;

at the intercepting proxy server computer, generating a modified data object for transmission to a server computer in a cloud, comprising;

(i) identifying a real data element in the data object;

(ii) creating a token having a token value by encrypting the real data element;

(iii) concatenating a predetermined prefix and the token value to generate a replacement value; and

(iv) replacing the real data element with the replacement value, thus generating the modified data object.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An intercepting proxy server processes traffic between an enterprise user and a cloud application which provides Software as a Service (SaaS). The intercepting proxy server provides interception of real data elements in communications from the enterprise to the cloud and replacing them with obfuscating information by encrypting individual real data elements without disturbing the validity of the application protocol. To the processing cloud application real data are only visible as encrypted tokens. Tokens included in results returned from the cloud, are intercepted by the intercepting proxy server, and replaced with the corresponding sensitive real data. In this way, the enterprise is able to enjoy the benefits of the cloud application, while protecting the privacy of real data.

36 Citations

View as Search Results

26 Claims

1. A method of obfuscating data in a data object, comprising:
- receiving, by an intercepting proxy server computer, the data object from a client device;
  
  at the intercepting proxy server computer, generating a modified data object for transmission to a server computer in a cloud, comprising;
  
  (i) identifying a real data element in the data object;
  
  (ii) creating a token having a token value by encrypting the real data element;
  
  (iii) concatenating a predetermined prefix and the token value to generate a replacement value; and
  
  (iv) replacing the real data element with the replacement value, thus generating the modified data object.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, further comprising transmitting the modified data object from the intercepting proxy server computer to the server computer in the cloud.
  - 3. The method of claim 1, further comprising:
    - receiving a returned data object, comprising a returned data element, from the server computer in the cloud;
      
      identifying the returned data element as a token-to-be-replaced;
      
      replacing the token-to-be-replaced with the real data element, thereby generating a modified returned data object; and
      
      transmitting the modified returned data object to the client device.
  - 4. The method of claim 1, wherein the concatenating further comprises adding a predetermined suffix to the replacement value.
  - 5. The method of claim 1, the identifying the real data element further comprises:
    - mapping the data in the data object against a dictionary of attributes; and
      
      identifying the real data element using a corresponding attribute in the dictionary.
  - 6. The method of claim 3, wherein the identifying the token-to-be-replaced further comprises:
    - mapping data in the returned data object against a dictionary of attributes; and
      
      identifying the token-to-be-replaced using a corresponding attribute of the returned data element of the returned data object.
  - 7. The method of claim 3, wherein the replacing the token-to-be-replaced further comprises:
    - extracting the token value from the token-to-be-replaced; and
      
      generating the real data element, comprising decrypting the token value.
  - 8. The method of claim 3, wherein the replacing the token-to-be-replaced further comprises formatting the real data element according to a context in the returned data object.

9. An intercepting proxy server computer, comprising:
- a processor;
  
  a memory having computer readable instructions stored thereon for execution by the processor, causing the processor to obfuscate data in a data object, comprising;
  
  receiving a data object from a client device;
  
  generating a modified data object for transmission to a server computer in a cloud, comprising;
  
  (i) identifying a real data element in the data object;
  
  (ii) creating a token having a token value by encrypting the real data element;
  
  (iii) concatenating a predetermined prefix and the token value to generate a replacement value; and
  
  (v) replacing the real data element with the replacement value, thus generating the modified data object.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16, 17)
- - 10. The intercepting proxy server computer of claim 9, wherein the computer readable instructions further cause the processor to transmit the modified data object from the intercepting proxy server computer to the server computer in the cloud.
  - 11. The intercepting proxy server computer of claim 9, wherein the computer readable instructions further cause the processor to:
    - receive a returned data object, comprising a returned data element, from the server computer in the cloud;
      
      identify the returned data element as a token-to-be-replaced;
      
      replace the token-to-be-replaced with the real data element, thereby generating a modified returned data object; and
      
      transmit the modified returned data object to the client device.
  - 12. The intercepting proxy server computer of claim 9, wherein the computer readable instructions for concatenating further cause the processor to add a predetermined suffix to the replacement value.
  - 13. The intercepting proxy server computer of claim 9, the computer readable instructions for identifying the real data element further cause the processor to:
    - map the data in the data object against a dictionary of attributes; and
      
      identify the real data element using a corresponding attribute in the dictionary.
  - 14. The intercepting proxy server computer of claim 11, wherein the computer readable instructions to identify the token-to-be-replaced further cause the processor to:
    - map data in the returned data object against a dictionary of attributes; and
      
      identify the token-to-be-replaced using a corresponding attribute of the returned data element of the returned data object.
  - 15. The intercepting proxy server computer of claim 11, wherein the computer readable instructions to replace the token-to-be-replaced further cause the processor to:
    - extract the token value from the token-to-be-replaced; and
      
      generate the real data element, comprising decrypting the token value.
  - 16. The intercepting proxy server computer of claim 11, wherein the computer readable instructions to replace the token-to-be-replaced further cause the processor to format the real data element according to a context in the returned data object.
  - 17. A computer network, comprising the intercepting proxy server computer of claim 9.

18. An intercepting proxy server computer, comprising:
- a processor including a network input/output (TO) system configured to receive a data object from a client device;
  
  a memory having computer readable instructions stored thereon for execution by the processor, causing the processor to obfuscate data in a data object and generate a modified data object for transmission to a server computer in a cloud, the computer readable instructions forming;
  
  a tooling module for identifying a real data element in the data object;
  
  a token generator module for creating a token having a token value by encrypting the real data element;
  
  a token packaging module for concatenating a predetermined prefix and the token value to generate a replacement value, and replacing the real data element with the replacement value, thus generating the modified data object.
- View Dependent Claims (19, 20, 21, 22, 23, 24, 25, 26)
- - 19. The intercepting proxy server computer of claim 18, wherein the network input/output (TO) system is further configured to transmit the modified data object from the intercepting proxy server computer to the server computer in the cloud.
  - 20. The intercepting proxy server computer of claim 18, wherein:
    - the network input/output (TO) system is further configured to receive a returned data object, comprising a returned data element, from the server computer in the cloud;
      
      the tooling module is further configured to identify the returned data element as a token-to-be-replaced;
      
      the intercepting proxy server computer further comprising a context formatting module configured to replace the token-to-be-replaced with the real data element, thereby generating a modified returned data object; and
      
      the network input/output (TO) system is further configured to transmit the modified returned data object to the client device.
  - 21. The intercepting proxy server computer of claim 18, wherein the token packaging module is further configured to add a predetermined suffix to the replacement value.
  - 22. The intercepting proxy server computer of claim 18, wherein the tooling module is further configured to map the data in the data object against a dictionary of attributes and identify the real data element using a corresponding attribute in the dictionary.
  - 23. The intercepting proxy server computer of claim 20, wherein the tooling module is further configured to map data in the returned data object against a dictionary of attributes and identify the token-to-be-replaced using a corresponding attribute of the returned data element of the returned data object.
  - 24. The intercepting proxy server computer of claim 20, wherein the computer readable instructions further form a decryption module configured to extract the token value from the token-to-be-replaced and to generate the real data element by decrypting the token value.
  - 25. The intercepting proxy server computer of claim 20, wherein the computer readable instructions further form a context formatting module configured to format the real data element according to a context in the returned data object.
  - 26. A computer network, comprising the intercepting proxy server computer of claim 18.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
WOLOSZYN, Terrence Peter

Granted Patent

US 9,647,989 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/168
CPC Class Codes

G06F 21/10   Protecting distributed prog...

G06F 21/602   Providing cryptographic fac...

G09C 1/00   Apparatus or methods whereb...

H04L 61/2596   Translation of addresses of...

H04L 61/301   Name conversion

H04L 63/0281   Proxies

H04L 63/0815   providing single-sign-on or...

H04L 67/02   based on web technology, e....

H04L 67/56   Provisioning of proxy servi...

SYSTEM AND METHOD OF DATA INTERCEPTION AND CONVERSION IN A PROXY

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

36 Citations

26 Claims

Specification

Use Cases

Quick Links

Others

SYSTEM AND METHOD OF DATA INTERCEPTION AND CONVERSION IN A PROXY

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

36 Citations

26 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others