Method, Apparatus, and System for Data Protection

US 20150363600A1
Filed: 08/26/2015
Published: 12/17/2015
Est. Priority Date: 03/12/2013
Status: Active Grant

First Claim

Patent Images

1. A proxy server, comprising:

a receiving unit configured to receive outgoing data from a user terminal, wherein the outgoing data carries an identifier of a user;

an acquiring unit configured to acquire a user grade and a credit value of the user from a credit server according to the identifier received by the receiving unit, wherein the credit value is a violation percentage of historical outgoing data of the user;

a sending unit configured to send the outgoing data received by the receiving unit as well as the user grade and the credit value that are acquired by the acquiring unit to a data loss prevention (DLP) server such that the DLP server inspects security of the outgoing data according to the user grade and the credit value and such that the DLP server generates a message comprising an inspection result, wherein the inspection result comprises Pass the security inspection and Fail the security inspection, wherein the receiving unit is further configured to receive, from the DLP server, the message comprising the inspection result; and

a processing unit configured to use a policy corresponding to the inspection result to process the outgoing data according to the inspection result received by the receiving unit.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method, an apparatus, and a system for data protection. A specific solution is: a proxy server receives outgoing data from a user terminal, where the outgoing data carries an identifier of a user; acquires a user grade and a credit value of the user from a credit server according to the identifier, where the credit value is a violation percentage of historical outgoing data of the user; sends the outgoing data, the user grade, and the credit value to a DLP server so that the DLP server inspects security of the outgoing data according to the user grade and the credit value, and further generates a message including an inspection result; and receives, from the DLP server, the message including the inspection result and uses a policy corresponding to the inspection result to process the outgoing data. The present invention is used during a protection process of outgoing data.

41 Citations

View as Search Results

18 Claims

1. A proxy server, comprising:
- a receiving unit configured to receive outgoing data from a user terminal, wherein the outgoing data carries an identifier of a user;
  
  an acquiring unit configured to acquire a user grade and a credit value of the user from a credit server according to the identifier received by the receiving unit, wherein the credit value is a violation percentage of historical outgoing data of the user;
  
  a sending unit configured to send the outgoing data received by the receiving unit as well as the user grade and the credit value that are acquired by the acquiring unit to a data loss prevention (DLP) server such that the DLP server inspects security of the outgoing data according to the user grade and the credit value and such that the DLP server generates a message comprising an inspection result, wherein the inspection result comprises Pass the security inspection and Fail the security inspection, wherein the receiving unit is further configured to receive, from the DLP server, the message comprising the inspection result; and
  
  a processing unit configured to use a policy corresponding to the inspection result to process the outgoing data according to the inspection result received by the receiving unit.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The proxy server according to claim 1, wherein the acquiring unit comprises:
    - a sending subunit configured to send the identifier to the credit server such that the credit server queries the user grade and the credit value of the user according to the identifier; and
      
      a receiving subunit configured to receive the user grade and the credit value from the credit server.
  - 3. The proxy server according to claim 1, wherein the user grade of the user comprises an exempted from inspection grade, an inspection grade, and an outgoing permission prohibition grade, wherein the inspection grade at least comprises a simple inspection grade and a strict inspection grade, wherein the violation percentage is calculated by the credit server according to the number of times that historical outgoing data of the user passes the security inspection and the number of times that historical outgoing data of the user fails the security inspection, and wherein the numbers are prestored in the credit server.
  - 4. The proxy server according to claim 2, wherein the user grade of the user comprises an exempted from inspection grade, an inspection grade, and an outgoing permission prohibition grade, wherein the inspection grade at least comprises a simple inspection grade and a strict inspection grade, wherein the violation percentage is calculated by the credit server according to the number of times that historical outgoing data of the user passes the security inspection, and the number of times that historical outgoing data of the user fails the security inspection, and wherein the numbers are prestored in the credit server.
  - 5. The proxy server according to claim 1, wherein, after the processing unit executes using the policy corresponding to the inspection result to process the outgoing data according to the inspection result, the sending unit is further configured to send the message comprising the inspection result to the credit server such that the credit server updates the user grade and the credit value according to the identifier and the inspection result.
  - 6. The proxy server according to claim 1, wherein the sending unit is further configured to send the outgoing data, the user grade, and the credit value to the DLP server using the Internet Content Adaptation Protocol (ICAP) when the outgoing data is Web data, and wherein the user grade and the credit value are carried in an extended ICAP header field.

7. A data loss prevention (DLP) server, comprising:
- a receiving unit configured to receive outgoing data, a user grade, and a credit value sent by a proxy server, wherein the outgoing data carries an identifier of a user, wherein the user grade and the credit value are acquired by the proxy server from a credit server according to the identifier, and wherein the credit value is a violation percentage of historical outgoing data of the user;
  
  an inspecting unit configured to inspect security of the outgoing data according to the user grade and the credit value that are received by the receiving unit and generate a message comprising an inspection result, wherein the inspection result comprises Pass the security inspection and Fail the security inspection; and
  
  a sending unit configured to send, to the proxy server, the message comprising the inspection result, which is generated by the inspecting unit such that the proxy server uses a policy corresponding to the inspection result to process the outgoing data according to the inspection result.
- View Dependent Claims (8, 9, 10, 11, 12, 13, 14)
- - 8. The DLP server according to claim 7, wherein the user grade of the user comprises an exempted from inspection grade, an inspection grade, and an outgoing permission prohibition grade, wherein the inspection grade at least comprises a simple inspection grade and a strict inspection grade, wherein the violation percentage is calculated by the credit server according to the number of times that historical outgoing data of the user passes the security inspection, and the number of times that historical outgoing data of the user fails the security inspection, and wherein the numbers are prestored in the credit server.
  - 9. The DLP server according to claim 8, wherein the inspecting unit comprises:
    - a first inspecting subunit configured to directly generate a message indicating that the security inspection passes when the user grade is an exempted from inspection grade; and
      
      a second inspecting subunit configured to directly generate a message indicating that the security inspection fails when the user grade is an outgoing permission prohibition grade.
  - 10. The DLP server according to claim 8, wherein the inspecting unit comprises a third inspecting subunit configured to:
    - inspect the security of the outgoing data according to the inspection grade and the credit value when the user grade is an inspection grade; and
      
      generate the message comprising the inspection result,wherein the third inspecting subunit comprises;
      
      a selecting module configured to select a corresponding inspection algorithm according to a specific grade of the inspection grade;
      
      a restoring module configured to restore the outgoing data according to a preset restoration policy;
      
      an inspecting module configured to use the inspection algorithm selected by the selecting module to inspect the restored outgoing data with reference to the credit value; and
      
      a generating module configured to acquire an inspection result obtained by the inspecting module and generate the message comprising the inspection result.
  - 11. The DLP server according to claim 7, wherein after the message comprising the inspection result is sent to the proxy server, the sending unit is further configured to send the message comprising the inspection result to the credit server such that the credit server updates the user grade and the credit value according to the identifier and the inspection result.
  - 12. The DLP server according to claim 8, wherein after the message comprising the inspection result is sent to the proxy server, the sending unit is further configured to send the message comprising the inspection result to the credit server such that the credit server updates the user grade and the credit value according to the identifier and the inspection result.
  - 13. The DLP server according to claim 9, wherein after the message comprising the inspection result is sent to the proxy server the sending unit is further configured to send the message comprising the inspection result to the credit server such that the credit server updates the user grade and the credit value according to the identifier and the inspection result.
  - 14. The DLP server according to claim 10, wherein after the message comprising the inspection result is sent to the proxy server the sending unit is further configured to send the message comprising the inspection result to the credit server such that the credit server updates the user grade and the credit value according to the identifier and the inspection result.

15. A data protection system, comprising:
- a data loss prevention (DLP) server;
  
  a credit server; and
  
  a proxy server configured to;
  
  receive outgoing data from a user terminal, wherein the outgoing data carries an identifier of a user;
  
  acquire a user grade and a credit value of the user from a credit server according to the identifier, wherein the credit value is a violation percentage of historical outgoing data of the user;
  
  send the outgoing data, the user grade, and the credit value to a DLP server such that the DLP server inspects security of the outgoing data according to the user grade and the credit value and such that the DLP server generates a message comprising an inspection result, wherein the inspection result comprises Pass the security inspection and Fail the security inspection; and
  
  receive, from the DLP server, the message comprising the inspection result and use a policy corresponding to the inspection result to process the outgoing data according to the inspection result,wherein the DLP server is configured to;
  
  receive the outgoing data, the user grade, and the credit value sent by the proxy server, wherein the outgoing data carries the identifier of the user, wherein the user grade and the credit value are acquired by the proxy server from the credit server according to the identifier, wherein the credit value is the violation percentage of historical outgoing data of the user;
  
  inspect security of the outgoing data according to the user grade and the credit value and generate the message comprising the inspection result, and wherein the inspection result comprises Pass the security inspection and Fail the security inspection; and
  
  send the message comprising the inspection result to the proxy server such that the proxy server uses the policy corresponding to the inspection result to process the outgoing data according to the inspection result, andwherein the credit server is configured to;
  
  receive the identifier of the user from the proxy server;
  
  query the user grade and the credit value of the user according to the identifier,wherein the credit value is the violation percentage of outgoing data of the user; and
  
  send the user grade and the credit value to the proxy server.
- View Dependent Claims (16, 17, 18)
- - 16. The data protection system according to claim 15, wherein the credit server is further configured to:
    - receive, from one of the DLP server and the proxy server, the message comprising the inspection result; and
      
      update, according to the inspection result, the user grade and the credit value, and wherein the inspection result is acquired by the DLP server by inspecting security of the outgoing data according to the user grade and the credit value.
  - 17. The data protection system according to claim 15, wherein the user grade of the user comprises an exempted from inspection grade, an inspection grade, and an outgoing permission prohibition grade, wherein the inspection grade at least comprises a simple inspection grade and a strict inspection grade, wherein the violation percentage is calculated by the credit server according to the number of times that historical outgoing data of the user passes the security inspection, wherein the number of times that historical outgoing data of the user fails the security inspection, and wherein the numbers are prestored in the credit server.
  - 18. The data protection system according to claim 17, wherein the DLP server is further configured to:
    - generate a message indicating that the security inspection passes when the user grade is the exempted from inspection grade;
      
      generate a message indicating that the security inspection fails when the user grade is the outgoing permission prohibition grade; and
      
      select a corresponding inspection algorithm according to a specific grade of the inspection grade when the user grade is the inspection grade;
      
      restore the outgoing data according to a preset restoration policy when the user grade is the inspection grade;
      
      use the selected inspection algorithm to inspect the restored outgoing data with reference to the credit value when the user grade is the inspection grade; and
      
      acquire an inspection result of the restored outgoing data and generate the message comprising the inspection result when the user grade is the inspection grade.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Huawei Technologies Co., Ltd. (Huawei Investment & Holding Co., Ltd.)
Original Assignee
Huawei Technologies Co., Ltd. (Huawei Investment & Holding Co., Ltd.)
Inventors
Jin, Wei

Granted Patent

US 9,984,241 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/606   by securing the transmissio...

G06F 21/62   Protecting access to data v...

G06F 21/6245   Protecting personal data, e...

H04L 51/212   using filtering or selectiv...

H04L 63/0281   Proxies

H04L 63/1408   by monitoring network traff...

H04L 67/564   Enhancement of application ...

Method, Apparatus, and System for Data Protection

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

41 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Method, Apparatus, and System for Data Protection

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

41 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links