Preventing Inappropriate Data Transfers Based on Reputation Scores

US 20120291087A1
Filed: 05/09/2011
Published: 11/15/2012
Est. Priority Date: 05/09/2011
Status: Active Grant

First Claim

Patent Images

1. A method, implemented by a computing system programmed to perform the following, comprising:

monitoring, by a data loss prevention (DLP) agent, outbound data transfers performed by the computing system;

determining a reputation score for at least one of the data transfers to a destination entity specified to receive the at least one data transfer based on a data type of the data being transferred to the destination entity; and

detecting, by the DLP agent, a violation of a DLP policy based on the reputation score.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus for detecting violations of data loss prevention (DLP) policies based on reputation scores.

130 Citations

20 Claims

1. A method, implemented by a computing system programmed to perform the following, comprising:
- monitoring, by a data loss prevention (DLP) agent, outbound data transfers performed by the computing system;
  
  determining a reputation score for at least one of the data transfers to a destination entity specified to receive the at least one data transfer based on a data type of the data being transferred to the destination entity; and
  
  detecting, by the DLP agent, a violation of a DLP policy based on the reputation score.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method of claim 1, further comprising updating an overall reputation score of the destination entity based on the reputation score for the at least one data transfer.
  - 3. The method of claim 2, further comprising sharing the overall reputation score with a network community service.
  - 4. The method of claim 1, further comprising updating a data-type reputation score of the destination entity for the data type being transferred in the at least one data transfer.
  - 5. The method of claim 4, further comprising sharing the data-type reputation score with a network community service.
  - 6. The method of claim 1, wherein said determining the reputation score comprises:
    - classifying the data as being one of a plurality of data types;
      
      associating the data with the one data type;
      
      associating the data with the destination entity; and
      
      calculating the reputation score for the at least one data transfer using the one data type and the destination entity.
  - 7. The method of claim 6, wherein said calculating the reputation score comprises at least one of the following:
    - determining if the at least one data transfer is a first time that any data is being transmitted to the destination entity by the computing device;
      
      determining if the at least one data transfer is a first time that data of the one data type is being transmitted to the destination entity by the computing device;
      
      determining if an overall reputation score of the destination entity is below a first reputation threshold;
      
      ordetermining if a data-type reputation score of the destination entity for the one data type is below a second reputation threshold.
  - 8. The method of claim 1, further comprising:
    - pausing the at least one data transfer;
      
      generating an alert to a user of the computing system to approve or deny the at least one data transfer;
      
      receiving user input from the user to approve or deny the at least one data transfer;
      
      allowing the at least one data transfer when the user approves the at least one data transfer; and
      
      preventing the at least one data transfer when the user denies the at least one data transfer.
  - 9. The method of claim 1, further comprising categorizing the data of each of the outbound data transfers into one of a plurality of categories, wherein each of the plurality of categories represents a different data type.
  - 10. The method of claim 9, further comprising receiving input from a user of the computing system to define the plurality of categories.
  - 11. The method of claim 1, further comprising receiving at least one of an overall reputation score of the destination entity from a network community service or one or more data-type reputation scores for the destination entity for given data types.
  - 12. The method of claim 1, wherein said determining the reputation score comprises:
    - tracking a number of previously-detected violations of the DLP policy by previous data transfers to the destination entity; and
      
      calculating the reputation score for the at least one data transfer based on the data type being transferred to the destination entity and the tracked number of previously-detected violations.
  - 13. The method of claim 1, wherein said detecting the violation comprises comparing the reputation score against a specified reputation threshold for a given data type of the data being transferred, wherein the violation of the DLP policy is detected when the reputation score is less than the specified reputation threshold.
  - 14. The method of claim 13, further comprising preventing, by the DLP agent, the at least one data transfer to the destination entity when the reputation score is less than the specified reputation threshold for the given data type of the data being transferred.

15. A system, comprising:
- a memory; and
  
  a processor coupled with the memory tomonitor outbound data transfers;
  
  determine a reputation score for at least one of the data transfers to a destination entity specified to receive the at least one data transfer based on a data type of the data being transferred to the destination entity; and
  
  detect a violation of a data loss prevention (DLP) policy based on the reputation score.
- View Dependent Claims (16, 17, 18)
- - 16. The system of claim 15, wherein the processor is further to update at least one of an overall reputation score of the destination entity based on the reputation score for the at least one data transfer or a data-type reputation score for the destination entity for the data type being transferred in the at least one data transfer.
  - 17. The system of claim 15, wherein the processor is further to:
    - classify the data as being one of a plurality of data types;
      
      associate the data with the one data type;
      
      associate the data with the destination entity; and
      
      calculate the reputation score for the at least one data transfer using the one data type and the destination entity.
  - 18. The system of claim 17, wherein the processor is further to perform at least one of the following to calculate the reputation score:
    - determine if the at least one data transfer is a first time that any data is being transmitted to the destination entity by the computing device;
      
      determine if the at least one data transfer is a first time that data of the one data type is being transmitted to the destination entity by the computing device;
      
      determine if an overall reputation score of the destination entity is below a first reputation threshold;
      
      ordetermine if a data-type reputation score of the destination entity for the one data type is below a second reputation threshold.

19. A non-transitory computer readable storage medium including instructions that, when executed by a processor, cause the processor to perform a method comprising:
- monitoring outbound data transfers performed by the computing system;
  
  determining a reputation score for at least one of the data transfers to a destination entity specified to receive the at least one data transfer based on a data type of the data being transferred to the destination entity; and
  
  detecting a violation of a DLP policy based on the reputation score.
- View Dependent Claims (20)
- - 20. The non-transitory computer readable storage medium of claim 19, wherein said determining the reputation score comprises at least one of the following:
    - classifying the data as being one of a plurality of data types;
      
      associating the data with the one data type;
      
      associating the data with the destination entity; and
      
      calculating the reputation score for the at least one data transfer using the one data type and the destination entity.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Agrawal, Mukund

Granted Patent

US 8,763,072 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/1
CPC Class Codes

G06F 21/55   Detecting local intrusion o...

G06F 21/552   involving long-term monitor...

G06F 21/60   Protecting data

G06F 21/64   Protecting data integrity, ...

H04L 63/105   Multiple levels of security

Preventing Inappropriate Data Transfers Based on Reputation Scores

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

130 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Preventing Inappropriate Data Transfers Based on Reputation Scores

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

130 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links