System and method for managing data loss due to policy violations in temporary files

US 7,991,747 B1
Filed: 03/13/2009
Issued: 08/02/2011
Est. Priority Date: 09/18/2008
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method comprising:

monitoring, by a client agent, information content on a client for violations of a policy;

determining, by the client agent, that a violation of the policy has occurred for content of a temporary file of an application;

correlating, by the client agent, the policy violation of the temporary file with an original file of the application;

wherein correlating the policy violation of the temporary file with the original file of the application comprises;

monitoring file system operations performed by a file system for the temporary file with a file system driver;

detecting that a first file system operation has occurred;

detecting that a second file system operation has occurred subsequent to the first file system operation; and

correlating the policy violation of the temporary file with a name of the original file in response to detection of a sequence of the first and second file system operations;

generating a report for the policy violation of the temporary file using the name of the original file, andproviding the report indicating the monitored file system operations to a data loss prevention (DLP) agent of a computer system.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus for managing data loss due to policy violations in temporary files is described. In one embodiment, the method includes monitoring, by a client agent, information content on a client for violations of a policy. The method further includes determining, by the client agent, that a violation of the policy has occurred for content of a temporary file of an application. In one embodiment, the policy violation of the temporary file is correlated, by the client agent, with an original file of the application.

171 Citations

11 Claims

1. A computer-implemented method comprising:
- monitoring, by a client agent, information content on a client for violations of a policy;
  
  determining, by the client agent, that a violation of the policy has occurred for content of a temporary file of an application;
  
  correlating, by the client agent, the policy violation of the temporary file with an original file of the application;
  
  wherein correlating the policy violation of the temporary file with the original file of the application comprises;
  
  monitoring file system operations performed by a file system for the temporary file with a file system driver;
  
  detecting that a first file system operation has occurred;
  
  detecting that a second file system operation has occurred subsequent to the first file system operation; and
  
  correlating the policy violation of the temporary file with a name of the original file in response to detection of a sequence of the first and second file system operations;
  
  generating a report for the policy violation of the temporary file using the name of the original file, andproviding the report indicating the monitored file system operations to a data loss prevention (DLP) agent of a computer system.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The computer-implemented method of claim 1, wherein the policy violation of the temporary file is correlated with the name of the original file when the second file system operation occurs within a time limit relative to a time when the first file system operation occurs.
  - 3. The computer-implemented method of claim 2, wherein the time limit is 50 milliseconds.
  - 4. The computer-implemented method of claim 1, wherein the first file system operation is a close operation to close the temporary file, and the second operation is a rename operation to change a current name of the temporary file.
  - 5. The computer-implemented method of claim 1, wherein the temporary file is a temporary copy of the original file stored on a local storage medium of the computer system.
  - 6. The computer-implemented method of claim 1, wherein the temporary file is a temporary copy of the original file stored on a removable storage device coupled with the computer system.
  - 7. The computer-implemented method of claim 1, wherein the temporary file is a temporary file for an application selected from the group consisting of a word processing application, a spreadsheet application, a presentation application, and a database application.

8. A non-transitory computer readable storage medium that provides instructions, which when executed on a processing system cause the processing system to perform a method comprising:
- monitoring, by a client agent, information content on a client for violations of a policy;
  
  determining, by the client agent, that a violation of the policy has occurred for content of a temporary file of an application;
  
  correlating, by the client agent, the policy violation of the temporary file with an original file of the application;
  
  wherein correlating the policy violation of the temporary file with the original file of the application comprises;
  
  monitoring file system operations performed by a file system for the temporary file with a file system driver;
  
  detecting that a first file system operation has occurred;
  
  detecting that a second file system operation has occurred subsequent to the first file system operation; and
  
  correlating the policy violation of the temporary file with a name of the original file in response to detection of a sequence of the first and second file system operations;
  
  generating a report for the policy violation of the temporary file using the name of the original file, andproviding the report indicating the monitored file system operations to a data loss prevention (DLP) agent of a computer system.
- View Dependent Claims (9)
- - 9. The computer readable storage medium of claim 8, wherein the policy violation of the temporary file is correlated with the name of the original file when the second file system operation occurs within a time limit relative to a time when the first file system operation occurs.

10. A client system comprising:
- a memory to store information content; and
  
  a processor coupled to the memory to cause a policy violation detector to monitor information content on the client system for violations of a policy,determine that a violation of the policy has occurred for content of a temporary file of an application, andcorrelate the policy violation of the temporary file with an original file of the application;
  
  wherein correlate the policy violation of the temporary file with the original file of the application comprises;
  
  monitor file system operations performed by a file system for the temporary file with a file system driver;
  
  detect that a first file system operation has occurred;
  
  detect that a second file system operation has occurred subsequent to the first file system operation; and
  
  correlate the policy violation of the temporary file with a name of the original file in response to detection of a sequence of the first and second file system operations;
  
  generate a report for the policy violation of the temporary file using the name of the original file, andprovide the report indicating the monitored file system operations to a data loss prevention (DLP) agent of the client system.
- View Dependent Claims (11)
- - 11. The system of claim 10, wherein the temporary file is correlated with the name of the original file by the detector when the second file system operation occurs within a time limit relative to a time when the first file system operation occurs.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Kessler, Dirk, Upadhyay, Rajesh
Primary Examiner(s)
Saeed; Usmaan

Application Number

US12/404,103
Time in Patent Office

872 Days
Field of Search

None
US Class Current

707/674
CPC Class Codes

G06F 11/004   Error avoidance G06F11/07 a...

G06F 21/552   involving long-term monitor...

G06F 21/556   involving covert channels, ...

G06F 21/60   Protecting data

G06F 21/6218   to a system of files or obj...

G06F 21/6245   Protecting personal data, e...

G06F 21/6254   by anonymising data, e.g. d...

H04L 63/20   for managing network securi...

System and method for managing data loss due to policy violations in temporary files

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

171 Citations

11 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for managing data loss due to policy violations in temporary files

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

171 Citations

11 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links