SYSTEMS AND METHODS FOR DETECTING INFORMATION LEAKAGE BY AN ORGANIZATIONAL INSIDER

US 20150261940A1
Filed: 04/25/2014
Published: 09/17/2015
Est. Priority Date: 03/12/2014
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for detecting information leakage by an organizational insider, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:

identifying a set of organizational insiders of an organization;

identifying a set of public forums used by at least one organizational insider in the set of organizational insiders;

identifying a set of messages posted to at least one public forum in the set of public forums;

creating a message record corresponding to each message in the set of messages, the message record comprising;

a message summary;

a set of message metadata fields;

consolidating a plurality of message records into a message summary record according to the sets of metadata fields in the plurality of message records;

identifying, based on the message summary record, an information leakage threat.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer-implemented method for detecting information leakage by an organizational insider may include (1) identifying a set of organizational insiders of an organization, (2) identifying a set of public forums used by one or more organizational insiders, (3) identifying a set of messages posted to one or more public forums, (4) creating a message record corresponding to each message, with the record including a message summary, and a set of message metadata fields, (5) consolidating message records with common metadata fields into a message summary record, and (6) identifying, based on the message summary record, an information leakage threat. Various other methods, systems, and computer-readable media are also disclosed.

36 Citations

View as Search Results

20 Claims

1. A computer-implemented method for detecting information leakage by an organizational insider, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:
- identifying a set of organizational insiders of an organization;
  
  identifying a set of public forums used by at least one organizational insider in the set of organizational insiders;
  
  identifying a set of messages posted to at least one public forum in the set of public forums;
  
  creating a message record corresponding to each message in the set of messages, the message record comprising;
  
  a message summary;
  
  a set of message metadata fields;
  
  consolidating a plurality of message records into a message summary record according to the sets of metadata fields in the plurality of message records;
  
  identifying, based on the message summary record, an information leakage threat.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The computer-implemented method of claim 1, wherein the set of public forums comprises at least one of:
    - a social media site;
      
      a website;
      
      a blog;
      
      an electronic mailing list;
      
      a discussion board;
      
      an electronic bulletin board;
      
      a wiki.
  - 3. The computer-implemented method of claim 1, wherein identifying the set of messages posted on the public forum comprises:
    - identifying a set of keywords pertaining to at least one of;
      
      organizational infrastructure of the organization;
      
      confidential organizational information of the organization;
      
      organizational insider personal information of the organizational insiders in the organization;
      
      searching the public forum for messages containing at least one keyword in the set of keywords.
  - 4. The computer-implemented method of claim 3, wherein identifying the set of keywords comprises:
    - intercepting network communications transmitted by at least one of;
      
      a network gateway;
      
      a network router;
      
      an email gateway;
      
      a network firewall;
      
      a proxy server;
      
      a data-loss-prevention program;
      
      compiling the set of keywords from the intercepted network communications.
  - 5. The computer-implemented method of claim 3, wherein searching the public forum for messages containing the keyword comprises at least one of:
    - searching the public forum using a search engine;
      
      searching the public forum using a web crawler;
      
      searching the public forum using a database query.
  - 6. The computer-implemented method of claim 1, wherein the set of message metadata fields comprises at least one of:
    - a message source;
      
      a message destination;
      
      a timestamp;
      
      a message type;
      
      a user identification;
      
      a risk score;
      
      a data loss prevention classification;
      
      a sentiment.
  - 7. The computer-implemented method of claim 1, wherein consolidating a plurality of message records into a message summary record comprises creating a message summary record from a plurality of message records with at least one common message metadata field.
  - 8. The computer-implemented method of claim 1, wherein the message summary record comprises:
    - at least one message metadata field common to the plurality of message records consolidated into the message summary record;
      
      an information leakage threat rating.
  - 9. The computer-implemented method of claim 1, further comprising taking a security action based on the information leakage threat.

10. A system for detecting information leakage by an organizational insider, the system comprising:
- an insider identification module, stored in memory, that identifies a set of organizational insiders of an organization;
  
  a forum identification module that identifies a set of public forums used by at least one organizational insider in the set of organizational insiders;
  
  a message identification module that identifies a set of messages posted to at least one public forum in the set of public forums;
  
  a message record module, stored in memory, that creates a message record corresponding to each message in the set of messages, the message record comprising;
  
  a message summary;
  
  a set of message metadata fields;
  
  a consolidation module, stored in memory, that consolidates a plurality of message records into a message summary record according to the sets of metadata fields in the plurality of message records;
  
  a threat identification module that identifies, based on the message summary record, an information leakage threat;
  
  at least one processor configured to execute the insider identification module, the forum identification module, the message identification module, the message record module, the consolidation module, and the threat identification module.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The system of claim 10, wherein the set of public forums comprises at least one of:
    - a social media site;
      
      a website;
      
      a blog;
      
      an electronic mailing list;
      
      a discussion board;
      
      an electronic bulletin board;
      
      a wiki.
  - 12. The system of claim 10, wherein the message identification module identifies the set of messages posted on the public forum by:
    - identifying a set of keywords pertaining to at least one of;
      
      organizational infrastructure of the organization;
      
      confidential organizational information of the organization;
      
      organizational insider personal information of the organizational insiders in the organization;
      
      searching the public forum for messages containing at least one keyword in the set of keywords.
  - 13. The system of claim 12, wherein the message identification module identifies the set of keywords by:
    - intercepting network communications transmitted by at least one of;
      
      a network gateway;
      
      a network router;
      
      an email gateway;
      
      a network firewall;
      
      a proxy server;
      
      a data-loss-prevention program;
      
      compiling the set of keywords from the intercepted network communications.
  - 14. The system of claim 12, wherein the message identification module searches the public forum for messages containing the keyword by at least one of:
    - searching the public forum using a search engine;
      
      searching the public forum using a web crawler;
      
      searching the public forum using a database query.
  - 15. The system of claim 10, wherein the set of message metadata fields comprises at least one of:
    - a message source;
      
      a message destination;
      
      a timestamp;
      
      a message type;
      
      a user identification;
      
      a risk score;
      
      a data loss prevention classification;
      
      a sentiment.
  - 16. The system of claim 10, wherein the consolidation module consolidates a plurality of message records into a message summary record by creating a message summary record from a plurality of message records with at least one common message metadata field.
  - 17. The system of claim 10, wherein the message summary record comprises:
    - at least one message metadata field common to the plurality of message records consolidated into the message summary record;
      
      an information leakage threat rating.
  - 18. The system of claim 10, further comprising a security module, stored in memory, that takes a security action based on the information leakage threat.

19. A non-transitory computer-readable-storage medium comprising one or more computer-readable instructions that, when executed by at least one processor of a computing device, cause the computing device to:
- identify a set of organizational insiders of an organization;
  
  identify a set of public forums used by at least one organizational insider in the set of organizational insiders;
  
  identify a set of messages posted to at least one public forum in the set of public forums;
  
  create a message record corresponding to each message in the set of messages, the message record comprising;
  
  a message summary;
  
  a set of message metadata fields;
  
  consolidate a plurality of message records into a message summary record according to the sets of metadata fields in the plurality of message records;
  
  identify, based on the message summary record, an information leakage threat.
- View Dependent Claims (20)
- - 20. The non-transitory computer-readable-storage medium of claim 19, wherein the set of public forums comprises at least one of:
    - a social media site;
      
      a website;
      
      a blog;
      
      an electronic mailing list;
      
      a discussion board;
      
      an electronic bulletin board;
      
      a wiki.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Gen Digital Inc.
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Roundy, Kevin Alejandro, Kashyap, Anand

Granted Patent

US 9,652,597 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/10   Protecting distributed prog...

G06Q 10/10   Office automation; Time man...

G06Q 50/01   Social networking

H04L 67/01   Protocols

H04L 67/02   based on web technology, e....

H04L 67/1097   for distributed storage of ...

H04L 67/535   Tracking the activity of th...

SYSTEMS AND METHODS FOR DETECTING INFORMATION LEAKAGE BY AN ORGANIZATIONAL INSIDER

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

36 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEMS AND METHODS FOR DETECTING INFORMATION LEAKAGE BY AN ORGANIZATIONAL INSIDER

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

36 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links