CHAIN OF CUSTODY FOR ENTERPRISE DOCUMENTS

US 20190318128A1
Filed: 10/19/2018
Published: 10/17/2019
Est. Priority Date: 04/13/2018
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

a plurality of endpoints storing a plurality of documents;

an enterprise network interconnecting the plurality of endpoints; and

a server coupled in a communicating relationship with the enterprise network, the server storing a ledger with a chain of custody for each of the plurality of documents, the chain of custody for each one of the plurality of documents including one or more fuzzy hashes, each associated with a user of the one of the plurality of documents and contents of the one of the plurality of documents, the server configured to respond to an information request containing a first fuzzy hash, by matching the first fuzzy hash to one or more of the fuzzy hashes stored in the ledger and providing chain of custody information to a requestor for at least one of the plurality of documents corresponding to the one or more of the fuzzy hashes, the server further configured to respond to an update request containing a second fuzzy hash by matching the second fuzzy hash to a matching one of the plurality of documents and adding the second fuzzy hash and related information to the chain of custody in the ledger for the matching one of the plurality of documents.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A ledger stores chain of custody information for files throughout an enterprise network. By identifying files with a homologous identifier such as a fuzzy hash that permits piecewise evaluation of similarity, the ledger can be used to track a chain of custody over a sequence of changes in content, ownership, and file properties. The ledger can be used, e.g., to evaluate trustworthiness of a file the first time it is encountered by an endpoint, or to apply enterprise policies based on trust.

Citations

20 Claims

1. A system comprising:
- a plurality of endpoints storing a plurality of documents;
  
  an enterprise network interconnecting the plurality of endpoints; and
  
  a server coupled in a communicating relationship with the enterprise network, the server storing a ledger with a chain of custody for each of the plurality of documents, the chain of custody for each one of the plurality of documents including one or more fuzzy hashes, each associated with a user of the one of the plurality of documents and contents of the one of the plurality of documents, the server configured to respond to an information request containing a first fuzzy hash, by matching the first fuzzy hash to one or more of the fuzzy hashes stored in the ledger and providing chain of custody information to a requestor for at least one of the plurality of documents corresponding to the one or more of the fuzzy hashes, the server further configured to respond to an update request containing a second fuzzy hash by matching the second fuzzy hash to a matching one of the plurality of documents and adding the second fuzzy hash and related information to the chain of custody in the ledger for the matching one of the plurality of documents.

2. A method comprising:
- generating a first fuzzy hash for a file;
  
  requesting chain of custody information for the file from a ledger for an enterprise network based on the first fuzzy hash;
  
  receiving a modification to the file;
  
  generating a second fuzzy hash for the file; and
  
  transmitting the second fuzzy hash to the ledger for inclusion in a chain of custody for the file.
- View Dependent Claims (3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 3. The method of claim 2 wherein the file includes a document selected from a group consisting of a word processing document, a spreadsheet, an image, an audio file, and a video file.
  - 4. The method of claim 2 wherein the file includes computer executable code selected from a group consisting of source code, byte code, compiled code, and script.
  - 5. The method of claim 2 wherein receiving the modification includes receiving the modification from a user different than an author of the file.
  - 6. The method of claim 2 wherein the ledger is stored in database hosted at a threat management facility for the enterprise network.
  - 7. The method of claim 2 wherein the ledger is stored in a cloud resource remotely accessible from the enterprise network.
  - 8. The method of claim 2 wherein the ledger is a distributed ledger.
  - 9. The method of claim 2 wherein the chain of custody information includes an author and one or more users associated with a number of versions of the file.
  - 10. The method of claim 2 wherein the chain of custody information include at least one item that is cryptographically signed for authentication using a certificate from a trust authority.
  - 11. The method of claim 10 wherein the trust authority includes a trusted platform module or a remote third party trust authority.
  - 12. The method of claim 2 wherein the first fuzzy hash and the second fuzzy hash include context triggered piecewise hashes.

13. A method comprising:
- generating a homologous file identifier for a file;
  
  requesting chain of custody information for the file from a ledger for an enterprise network based on the homologous file identifier;
  
  evaluating a trustworthiness of the file based on the chain of custody information; and
  
  applying an enterprise policy to the file based on the trustworthiness.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20)
- - 14. The method of claim 13 wherein evaluating the trustworthiness of the file includes determining an amount of change to the file from one or more other files identified in the ledger based on a similarity of the homologous file identifier for the file to one or more other homologous file identifiers for the one or more other files identified in the ledger.
  - 15. The method of claim 13 wherein evaluating the trustworthiness of the file includes evaluating a trustworthiness of one or more users associated with the file in the chain of custody information.
  - 16. The method of claim 13 wherein the homologous file identifier includes a first fuzzy hash.
  - 17. The method of claim 16 further comprising receiving a modification to the file, generating a second fuzzy hash for the file, transmitting the second fuzzy hash to the ledger for inclusion in a chain of custody for the file.
  - 18. The method of claim 13 wherein applying the enterprise policy includes blocking or allowing access to the file at an endpoint in the enterprise network.
  - 19. The method of claim 13 wherein applying the enterprise policy includes blocking or allowing a transmittal of the file through the enterprise network.
  - 20. The method of claim 13 wherein applying the enterprise policy includes deploying a remedial measure based on a low trustworthiness of the file.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Sophos Limited (Sophos Group Ltd.)
Original Assignee
Sophos Limited (Sophos Group Ltd.)
Inventors
Ackerman, Karl, Humphries, Russell, Schiappa, Daniel Salvatore, Ray, Kenneth D., Thomas, Andrew J.

Granted Patent

US 11,288,385 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 16/137   Hash-based content-based in...

G06F 16/285   Clustering or classification

G06F 16/93   Document management systems

G06F 21/45   Structures or tools for the...

G06F 21/577   Assessing vulnerabilities a...

G06F 21/6218   to a system of files or obj...

G06F 21/64   Protecting data integrity, ...

G06F 2221/034   Test or assess a computer o...

G06N 20/00   Machine learning

G06N 3/0675   using electro-optical, acou...

G06N 5/046   Forward inferencing; Produc...

G06N 5/048   Fuzzy inferencing

H04L 2463/082   applying multi-factor authe...

H04L 41/20   Network management software...

H04L 41/22   comprising specially adapte...

H04L 63/08   for authentication of entit...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/083   using passwords cryptograph...

H04L 63/0838   using one-time-passwords

H04L 63/0861   using biometrical features,...

H04L 63/101 : Access control lists [ACL]

H04L 63/102 : Entity profiles

H04L 63/1408 : by monitoring network traff...

H04L 63/1416 : Event detection, e.g. attac...

H04L 63/1425 : Traffic logging, e.g. anoma...

H04L 63/1433 : Vulnerability analysis

H04L 63/1441 : Countermeasures against mal...

H04L 63/20 : for managing network securi...

H04L 63/205 : involving negotiation or de...

H04L 9/0891 : Revocation or update of sec...

H04L 9/16 : the keys or algorithms bein...

H04L 9/3213 : using tickets or tokens, e....

H04L 9/3226 : using a predetermined code,...

H04L 9/3228 : One-time or temporary data,...

H04L 9/3231 : Biological data, e.g. finge...

H04L 9/3265 : using certificate chains, t...

H04L 9/3271 : using challenge-response

H04L 9/50 : using hash chains, e.g. blo...

View All

CHAIN OF CUSTODY FOR ENTERPRISE DOCUMENTS

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

CHAIN OF CUSTODY FOR ENTERPRISE DOCUMENTS

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links