Data security system and method for separation of user communities

US 7,140,044 B2
Filed: 12/06/2001
Issued: 11/21/2006
Est. Priority Date: 11/13/2000
Status: Expired due to Term

First Claim

Patent Images

1. A method of securing data in a computer network and transparently establishing and managing the separation of user-based communities of interest based upon crypto-graphically separated, need to know security levels, said data having one or more security sensitive words, data objects, characters or icons, said computer network having a plurality of computers interconnected together, one of said plurality of computers designated as a data input computer and each of said plurality of computers having a memory therein, respective memories designated as a remainder store and respective extract stores in one or more computers of said plurality of computers, said user-based communities of interest representing a plurality of users having a corresponding plurality of security levels each with a respective security clearance and respective extract store, comprising:

filtering data input from said data input computer and extracting said security sensitive words, data objects, characters or icons from said data to obtain (a) subsets of extracted data and (b) remainder data;

storing said subsets of extracted data and said remainder data in said respective extract stores and said remainder store, respectively; and

,permitting reconstruction of some or all of said data via one or more of said subsets of extracted data and remainder data only in the presence of a predetermined security clearance of said plurality of security levels.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Data is secured in a computer network to transparently establish and manage a separation of user-based communities of interest based upon crypto-graphically separated, need to know, security levels. Data from a source document, data object or data stream is filtered to form subsets of extracted data and remainder data based upon security levels for the communities. Extracts are stored in assigned memories. Full or partial plaintext reconstruction is permitted only in the presence of assigned security clearance for the community of the inquiring party. Encryption, corresponding to security levels, establishes separation of secured data. The information processing system uses a data filter to extract security sensitive words, data objects, etc., a distributed storage system and a compiler is used to reconstruct plaintext based on security clearance. Multiple level encryption in one document is also available.

1642 Citations

73 Claims

1. A method of securing data in a computer network and transparently establishing and managing the separation of user-based communities of interest based upon crypto-graphically separated, need to know security levels, said data having one or more security sensitive words, data objects, characters or icons, said computer network having a plurality of computers interconnected together, one of said plurality of computers designated as a data input computer and each of said plurality of computers having a memory therein, respective memories designated as a remainder store and respective extract stores in one or more computers of said plurality of computers, said user-based communities of interest representing a plurality of users having a corresponding plurality of security levels each with a respective security clearance and respective extract store, comprising:
- filtering data input from said data input computer and extracting said security sensitive words, data objects, characters or icons from said data to obtain (a) subsets of extracted data and (b) remainder data;
  
  storing said subsets of extracted data and said remainder data in said respective extract stores and said remainder store, respectively; and
  
  ,permitting reconstruction of some or all of said data via one or more of said subsets of extracted data and remainder data only in the presence of a predetermined security clearance of said plurality of security levels.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28)
- - 2. A method as claimed in claim 1 wherein said crypto-graphically separated, need to know security levels correspond to respective ones of said plurality of security levels, the method including encrypting said subsets of extracted data with corresponding degrees of encryption associated with said plurality of security levels, and including decrypting, during the reconstruction, of some or all of said subsets of extracted data only in the presence of said respective security level of said plurality of security levels.
  - 3. A method as claimed in claim 2 including utilizing placeholders in said remainder data representing non-reconstructed, extracted data during the reconstruction, said placeholders being one from the group of characters, icons, substitute words, data objects, underline and blank space.
  - 4. A method as claimed in claim 3 wherein a plurality of placeholders are utilized, said placeholders including characters, icons, substitute words, data objects, underline and blank spaces grouped to represent each respective security level of said plurality of security levels.
  - 5. A method as claimed in claim 1 including defining a plurality of filters, corresponding to said subsets of extracted data, prior to said filtering step.
  - 6. A method as claimed in claim 1 including encrypting said subsets of extracted data and remainder data prior to storing.
  - 7. A method as claimed in claim 6 wherein the step of permitting reconstruction includes decrypting said subsets of extracted data and remainder data.
  - 8. A method as claimed in claim 1 wherein said plurality of computers are configured in a client-server network within which respective computers are designated by respective uniform resource locators (URLs) and said storing utilizes the URL for one or both of said extract store and said remainder store.
  - 9. A method as claimed in claim 1 wherein said plurality of computers are configured in a client-server network within which respective computers are designated by respective uniform resource locators (URLs) and said data input computer operates as a client in said client-server network and one of said plurality of computers is designated as a server computer, the method including sending said extracted data from said data input computer to said server computer utilizing the respective URL.
  - 10. A method as claimed in claim 9 wherein said step of permitting reconstruction includes downloading said extracted data from said server computer utilizing said respective URL.
  - 11. A method as claimed in claim 1 wherein said plurality of computers are configured in a client-server network within which respective computers are designated by respective uniform resource locators (URLs) and said data input computer operates as a client in said client-server network and one of said plurality of computers is designated as a server computer, the method including sending said extracted data from said data input computer to the computer with said extract store utilizing the respective URL as controlled by said server computer.
  - 12. A method as claimed in claim 10 including the step of encrypting and decrypting said remainder data and extracted data during sending and downloading.
  - 13. A method as claimed in claim 11 including the step of encrypting said extracted data during sending and downloading and decrypting said extracted data during reconstruction.
  - 14. A method as claimed in claim 1 wherein one computer of said plurality of computers includes a data display system with at least two separate but visually overlaid displays and at least two respective display interfaces, the step of reconstruction including displaying said extracted data on one of said at least two displays and displaying said remainder data on another of said at least two displays.
  - 15. A method as claimed in claim 1 wherein one computer of said plurality of computers includes a display fed from video memory having a plurality of frame memory segments, and wherein the reconstruction step of the method includes interleaving extracted data and remainder data into respective ones of said plurality of frame memory segments.
  - 16. A method as claimed in claim 1 including deleting said data input from said data input computer after the step of storing.
  - 17. A method as claimed in claim 1 including mapping said storing of said subsets of extracted data with encryption.
  - 18. A method as claimed in claim 1 wherein one of the steps of filtering, storing and permitting reconstruction utilize one of an inference engine, neural network and artificial intelligence process to filter, store and permit reconstruction.
  - 19. A method as claimed in claim 1 wherein said security sensitive data objects are one or more portions of an audio file and the step of reconstruction utilizes extracted data representative of said one or more portions of said audio file.
  - 20. A method as claimed in claim 4 including encrypting said remainder data prior to storing.
  - 21. A method as claimed in claim 20 wherein the step of permitting reconstruction includes decrypting said remainder data.
  - 22. A method as claimed in claim 21 wherein said plurality of computers are configured in a client-server network within which respective computers are designated by respective uniform resource locators (URLs) and said storing utilizes the URL for one or both of said extract store and said remainder store.
  - 23. A method as claimed in claim 21 wherein said plurality of computers are configured in a client-server network within which respective computers are designated by respective uniform resource locators (URLs) and said data input computer operates as a client in said client-server network and one of said plurality of computers is designated as a server computer, the method including sending said extracted data from said data input computer to the computer with said extract store utilizing the respective URL as controlled by said server computer.
  - 24. A method as claimed in claim 23 including the step of encrypting and decrypting said remainder data and extracted data during sending and downloading.
  - 25. A method as claimed in claim 24 wherein one computer of said plurality of computers includes a data display system with at least two separate but visually overlaid displays and at least two respective display interfaces, the step of reconstruction including displaying said extracted data on one of said at least two displays and displaying said remainder data on another of said at least two displays.
  - 26. A method as claimed in claim 24 wherein one computer of said plurality of computers includes a display fed from video memory having a plurality of frame memory segments, and wherein the reconstruction step of the method includes interleaving extracted data and remainder data into respective ones of said plurality of frame memory segments.
  - 27. A method as claimed in claim 24 including deleting said data input from said data input computer after the step of storing.
  - 28. A method as claimed in claim 27 including mapping said storing of said subsets of extracted data with encryption.

29. A computer readable medium containing programming instructions for securing data in a computer network and transparently establishing and managing the separation of user-based communities of interest based upon crypto-graphically separated, need to know security levels, said data having one or more security sensitive words, data objects, characters or icons, said computer network having a plurality of computers interconnected together, one of said plurality of computers designated as a data input computer and each of said plurality of computers having a memory therein, respective memories designated as a remainder store and respective extract stores in one or more computers of said plurality of computers, said user-based communities of interest representing a plurality of users having a corresponding plurality of security levels each with a respective security clearance and respective extract store, the programming instructions comprising:
- filtering data input from said data input computer and extracting said security sensitive words, data objects, characters or icons from said data to obtain (a) subsets of extracted data and (b) remainder data;
  
  storing said subsets of extracted data and said remainder data in said respective extract stores and said remainder store, respectively; and
  
  ,permitting reconstruction of some or all of said data via one or more of said subsets of extracted data and remainder data only in the presence of a predetermined security clearance of said plurality of security levels.
- View Dependent Claims (30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46)
- - 30. A medium with programming instructions as claimed claim 29 wherein said crypto-graphically separated, need to know security levels correspond to respective ones of said plurality of security levels, the instructions including encrypting said subsets of extracted data with corresponding degrees of encryption associated with said plurality of security levels, and including decrypting, during the reconstruction, of some or all of said subsets of extracted data only in the presence of said respective security level of said plurality of security levels.
  - 31. A medium with programming instructions as claimed claim 30 including utilizing placeholders in said remainder data representing non-reconstructed, extracted data during the reconstruction, said placeholders being one from the group of characters, icons, substitute words, data objects, underline and blank space.
  - 32. A medium with programming instructions as claimed claim 31 wherein a plurality of placeholders are utilized, said placeholders including characters, icons, substitute words, data objects, underline and blank spaces grouped to represent each respective security level of said plurality of security levels.
  - 33. A medium with programming instructions as claimed claim 29 wherein said plurality of computers are configured in a client-server network within which respective computers are designated by respective uniform resource locators (URLs) and the instructions for said storing utilizes the URL for one or both of said extract store and said remainder store.
  - 34. A medium with programming instructions as claimed claim 29 wherein said plurality of computers are configured in a client-server network within which respective computers are designated by respective uniform resource locators (URLs) and said data input computer operates as a client in said client-server network and one of said plurality of computers is designated as a server computer, the instructions including sending said extracted data from said data input computer to the computer with said extract store utilizing the respective URL as controlled by said server computer.
  - 35. A medium with programming instructions as claimed claim 34 including encrypting and decrypting said remainder data and extracted data during sending and downloading.
  - 36. A medium with programming instructions as claimed claim 29 including deleting said data input from said data input computer after the step of storing.
  - 37. A medium with programming instructions as claimed claim 29 including mapping said storing of said subsets of extracted data with encryption.
  - 38. A medium with programming instructions as claimed claim 32 including encrypting said remainder data prior to storing.
  - 39. A medium with programming instructions as claimed claim 38 wherein the step of permitting reconstruction includes decrypting said remainder data.
  - 40. A medium with programming instructions as claimed claim 39 wherein said plurality of computers are configured in a client-server network within which respective computers are designated by respective uniform resource locators (URLs) and the instructions for said storing utilizes the URL for one or both of said extract store and said remainder store.
  - 41. A medium with programming instructions as claimed claim 39 wherein said plurality of computers are configured in a client-server network within which respective computers are designated by respective uniform resource locators (URLs) and said data input computer operates as a client in said client-server network and one of said plurality of computers is designated as a server computer, the instructions including sending said extracted data from said data input computer to the computer with said extract store utilizing the respective URL as controlled by said server computer.
  - 42. A medium with programming instructions as claimed claim 41 including encrypting and decrypting said remainder data and extracted data during sending and downloading.
  - 43. A medium with programming instructions as claimed claim 42 including deleting said data input from said data input computer after the step of storing.
  - 44. A medium with programming instructions as claimed claim 43 including mapping said storing of said subsets of extracted data with encryption.
  - 45. A medium with programming instructions as claimed claim 29 wherein the programming instructions for one of the filtering, storing and permitting reconstruction utilize one of an inference engine, neural network and artificial intelligence process to filter, store and permit reconstruction.
  - 46. A medium with programming instructions as claimed claim 29 wherein said security sensitive data objects are one or more portions of an audio file and the programming instructions for reconstruction utilizes extracted data representative of said one or more portions of said audio file.

47. An information processing system for securing data in a computer network and transparently establishing and managing the separation of user-based communities of interest based upon crypto-graphically separated, need to know security levels, said data having one or more security sensitive words, data objects, characters or icons, said computer network having a plurality of computers for a plurality of users all interconnected together, one of said plurality of computers designated as a data input computer and each of said plurality of computers having a memory therein, respective memories designated as a remainder store and respective extract stores in one or more computers of said plurality of computers, said user-based communities of interest representing said plurality of users having a corresponding plurality of security levels each with a respective security clearance and respective extract store, comprising:
- means for filtering data input from said data input computer and extracting said security sensitive words, data objects, characters or icons from said data to obtain (a) subsets of extracted data and (b) remainder data;
  
  means for storing said subsets of extracted data and said remainder data in said respective extract store and said remainder store, respectively; and
  
  ,means for permitting reconstruction of some or all of said data via one or more of said subsets of extracted data and remainder data only in the presence of a predetermined security clearance of said plurality of security levels.
- View Dependent Claims (48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 69, 70, 71)
- - 48. An information processing system as claimed in claim 47 wherein said crypto-graphically separated, need to know security levels correspond to respective ones of said plurality of security levels, the system including means for encrypting said subsets of extracted data with corresponding degrees of encryption associated with said plurality of security levels, and including means for decrypting, during the reconstruction, of some or all of said subsets of extracted data only in the presence of said respective security level of said plurality of security levels.
  - 49. An information processing system as claimed in claim 48 including placeholders in said remainder data representing non-reconstructed, extracted data during the reconstruction, said placeholders being one from the group of characters, icons, substitute words, data objects, underline and blank space.
  - 50. An information processing system as claimed in claim 49 including a plurality of placeholders including characters, icons, substitute words, data objects, underline and blank spaces grouped to represent each respective security level of said plurality of security levels.
  - 51. An information processing system as claimed in claim 47 including means for defining a plurality of filters, corresponding to said subsets of extracted data, prior to said filtering step.
  - 52. An information processing system as claimed in claim 47 including means for encrypting said subsets of extracted data and remainder data prior to storing.
  - 53. An information processing system as claimed in claim 52 wherein said means for permitting reconstruction includes means for decrypting said subsets of extracted data and remainder data.
  - 54. An information processing system as claimed in claim 47 wherein said plurality of computers are configured in a client-server network within which respective computers are designated by respective uniform resource locators (URLs) and said means for storing utilizes the URL for one or both of said extract store and said remainder store.
  - 55. An information processing system as claimed in claim 47 wherein said plurality of computers are configured in a client-server network within which respective computers are designated by respective uniform resource locators (URLs) and said data input computer operates as a client in said client-server network and one of said plurality of computers is designated as a server computer, the system including means for sending said extracted data from said data input computer to the computer with said extract store utilizing the respective URL as controlled by said server computer.
  - 56. An information processing system as claimed in claim 55 including means for encrypting and decrypting said remainder data and extracted data during sending and downloading.
  - 57. An information processing system as claimed in claim 47 wherein one computer of said plurality of computers includes a data display system with at least two separate but visually overlaid displays and at least two respective display interfaces, the means for reconstruction including means for displaying said extracted data on one of said at least two displays and displaying said remainder data on another of said at least two displays.
  - 58. An information processing system as claimed in claim 47 wherein one computer of said plurality of computers includes a display fed from video memory having a plurality of frame memory segments, and wherein said means for reconstruction includes means for interleaving extracted data and remainder data into respective ones of said plurality of frame memory segments.
  - 59. An information processing system as claimed in claim 47 including means for deleting said data input from said data input computer after storing.
  - 60. An information processing system as claimed in claim 47 including means for mapping the storing of said subsets of extracted data with encryption.
  - 61. An information processing system as claimed in claim 50 including means for encrypting said remainder data prior to storing.
  - 62. An information processing system as claimed in claim 61 wherein said means for reconstruction includes means for decrypting said remainder data.
  - 63. An information processing system as claimed in claim 62 wherein said plurality of computers are configured in a client-server network within which respective computers are designated by respective uniform resource locators (URLs) and said means for storing utilizes the URL for one or both of said extract store and said remainder store.
  - 64. An information processing system as claimed in claim 62 wherein said plurality of computers are configured in a client-server network within which respective computers are designated by respective uniform resource locators (URLs) and said data input computer operates as a client in said client-server network and one of said plurality of computers is designated as a server computer, the system including means for sending said extracted data from said data input computer to the computer with said extract store utilizing the respective URL as controlled by said server computer.
  - 65. An information processing system as claimed in claim 64 including means for encrypting and decrypting said remainder data and extracted data during sending and downloading.
  - 66. An information processing system as claimed in claim 65 wherein one computer of said plurality of computers includes a data display system with at least two separate but visually overlaid displays and at least two respective display interfaces, the means for reconstruction including means for displaying said extracted data on one of said at least two displays and displaying said remainder data on another of said at least two displays.
  - 67. An information processing system as claimed in claim 65 wherein one computer of said plurality of computers includes a display fed from video memory having a plurality of frame memory segments, and the means for reconstruction includes means for interleaving extracted data and remainder data into respective ones of said plurality of frame memory segments.
  - 68. An information processing system as claimed in claim 65 including means for deleting said data input from said data input computer after storing.
  - 69. An information processing system as claimed in claim 68 including means for mapping the storing of said subsets of extracted data with encryption.
  - 70. An information processing system as claimed in claim 47 wherein one of the means for filtering, means for storing and means for permitting reconstruction utilize one of an inference engine, neural network and artificial intelligence process to filter, store and permit reconstruction.
  - 71. An information processing system as claimed in claim 47 wherein said security sensitive data objects are one or more portions of an audio file and said means for reconstruction utilizes extracted data representative of said one or more portions of said audio file.

72. A method of securing data and transparently managing the separation of user-based communities of interest based upon crypto-graphically separated, need to know security levels with a plurality of encryption types, said data having one or more security sensitive words, data objects, characters or icons, said user-based communities of interest representing a plurality of users having a corresponding plurality of security levels each with a respective security clearance and respective extract stores, comprising:
- filtering data and extracting said security sensitive words, data objects, characters or icons from said data to obtain (a) subsets of extracted data for said respective extract stores and (b) remainder data;
  
  encrypting said subsets of extracted data with said plurality of encryption types and storing extracted and remainder data in respective extract stores and remainder store; and
  
  ,permitting reconstruction of some or all of said data via one or more of said subsets of encrypted extracted data and remainder data from said extract stores and remainder store only in the presence of a respective predetermined security clearance of said plurality of security levels.

73. A method of securing data and transparently managing the separation of user-based communities of interest based upon crypto-graphically separated, need to know security levels with a plurality of encryption types, said data having one or more security sensitive words, data objects, characters or icons, said user-based communities of interest representing a plurality of users having a corresponding plurality of security levels each with a respective security clearance and respective extract stores, comprising:
- filtering data and extracting said security sensitive words, data objects, characters or icons from said data to obtain (a) subsets of extracted data for said respective extract stores and (b) remainder data;
  
  encrypting said subsets of extracted data with said plurality of encryption types to obtain multiple level encryption and storing extracted and remainder data in respective extract stores and remainder store; and
  
  ,decrypting all or portions of said data from said extract stores and remainder store with multiple level encryption only in the presence of a respective predetermined security clearance of said plurality of security levels.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
DigitalDoors, Inc.
Original Assignee
DigitalDoors, Inc.
Inventors
Nemzow, Martin A., Redlich, Ron M.
Primary Examiner(s)
Barron, Gilberto
Assistant Examiner(s)
PYZOCHA, MICHAEL J

Application Number

US10/008,209
Publication Number

US 20020091975A1
Time in Patent Office

1,811 Days
Field of Search

713/200, 713/201, 713/166, 715/751, 715/530, 726/27
US Class Current

726/27
CPC Class Codes

G06F 21/6218   to a system of files or obj...

G06F 2221/2113   Multi-level security, e.g. ...

H04L 63/0428   wherein the data content is...

H04L 63/105   Multiple levels of security

Data security system and method for separation of user communities

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

1642 Citations

73 Claims

Specification

Solutions

Use Cases

Quick Links

Data security system and method for separation of user communities

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

1642 Citations

73 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links