Method and apparatus for automatically correlating related incidents of policy violations

US 7,996,374 B1
Filed: 03/28/2008
Issued: 08/09/2011
Est. Priority Date: 03/28/2008
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method, comprising:

identifying a plurality of incidents of violations of a policy upon detecting presence of confidential information in a plurality of messages;

storing the plurality of violation incidents of the policy in a data repository, wherein each of the plurality of violation incidents is associated with a plurality of message attribute values;

receiving a user request to correlate one of the plurality of violation incidents of the policy stored in the data repository to other incidents of the plurality of violation incidents of the policy based on at least one common message attribute value, the user request specifying the at least one common message attribute value associated with the violation incident to be correlated;

in response to the user request, automatically correlating a requested violation incident with the other incidents of the plurality of violation incidents of the policy based on the at least one specified common message attribute value, wherein automatically correlating comprises searching the data repository using the at least one common message attribute value and finding other violation incidents of the policy having the at least one message attribute value;

displaying the at least one message attribute value of the requested violation incident; and

for each of the at least one message attribute value, displaying a count of the number of other violation incidents of the policy that have in common the message attribute value with the requested violation incident.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus for automatically correlating policy violation incidents. In one embodiment, the method includes receiving user input identifying one of policy violation incidents stored in a data repository, where each policy violation incident is associated with one or more attributes. The method further includes automatically correlating the identified policy violation incident with other policy violation incidents that have in common at least one attribute with the identified policy violation incident, and presenting the resulting correlation information to a user.

Citations

19 Claims

1. A computer-implemented method, comprising:
- identifying a plurality of incidents of violations of a policy upon detecting presence of confidential information in a plurality of messages;
  
  storing the plurality of violation incidents of the policy in a data repository, wherein each of the plurality of violation incidents is associated with a plurality of message attribute values;
  
  receiving a user request to correlate one of the plurality of violation incidents of the policy stored in the data repository to other incidents of the plurality of violation incidents of the policy based on at least one common message attribute value, the user request specifying the at least one common message attribute value associated with the violation incident to be correlated;
  
  in response to the user request, automatically correlating a requested violation incident with the other incidents of the plurality of violation incidents of the policy based on the at least one specified common message attribute value, wherein automatically correlating comprises searching the data repository using the at least one common message attribute value and finding other violation incidents of the policy having the at least one message attribute value;
  
  displaying the at least one message attribute value of the requested violation incident; and
  
  for each of the at least one message attribute value, displaying a count of the number of other violation incidents of the policy that have in common the message attribute value with the requested violation incident.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, wherein the plurality of policy violation incidents are incidents of storing or transmitting confidential information that violate one or more data loss prevention policies.
  - 3. The method of claim 1, wherein automatically correlating comprises:
    - generating a list of the plurality of message attribute values of the requested violation incident; and
      
      for each of the plurality of message attribute values of the list, generating a count of the number of other violation incidents of the policy that have in common the message attribute value with the requested violation incident.
  - 4. The method of claim 1, wherein the plurality of violation incidents has one of a plurality of incident types, each of the plurality of incident types having a corresponding plurality of message attributes, the plurality of incident types comprising hypertext transfer protocol (HTTP), instant messaging (IM), simple mail transfer protocol (SMTP), network news transfer protocol (NNTP), unidirectional transmission control protocol (uTCP), file transfer protocol (FTP), and removable media.
  - 5. The method of claim 1, further comprising:
    - receiving a user request to display a list of the other violation incidents of the policy that correspond to a particular count; and
      
      generating the list of the other violation incidents of the policy corresponding to the particular count to be displayed upon receiving the request.
  - 6. The method of claim 1, further comprising:
    - receiving user input regarding a request to find similar incidents according to one or more user-identified message attributes of the requested violation incident; and
      
      generating a list of the similar incidents that share a value of the one or more user-identified message attributes with the requested violation incident.
  - 7. The method of claim 1, wherein automatically correlating the violation incident comprises correlating the violation incident with the other violation incidents of the policy that occurred within a given time period.
  - 8. The method of claim 1, wherein automatically correlating the violation incident comprises correlating the violation incident with the other violation incidents of the policy that were detected during a scan session.
  - 9. The method of claim 1, wherein the requested violation incident is a violation detected in a message, and wherein the plurality of message attribute values comprise values of one or more of the following:
    - a message recipient attribute that is representative of an email address of a recipient of the message that triggered the violation incident of the policy;
      
      a recipient address attribute that is representative of a network address of the recipient of the message that triggered the violation incident of the policy;
      
      a message sender attribute that is representative of an email address of a sender of the message that triggered the violation incident of the policy;
      
      a sender address attribute that is representative of a network address of the sender of the message that triggered the violation incident of the policy;
      
      a message subject attribute that is representative of a subject of the message that triggered the policy violation incident of the policy;
      
      oran attachment name attribute that is representative of an attached file of the message that triggered the violation incident of the policy.
  - 10. The method of claim 1, wherein the requested violation incident is a violation detected in a message or a file, and wherein the plurality of message attribute values comprise values of one or more of the following:
    - a policy type attribute that is representative of a policy type of the violation incident of the policy;
      
      a user name attribute that is representative of a user name of a user that triggered the violation incident of the policy;
      
      a host name attribute that is representative of a name of a computer where the violation incident of the policy occurred;
      
      a file server name attribute that is representative of a name of a server where the violation incident of the policy occurred;
      
      a file name attribute that is representative of a name of a file that triggered the violation incident of the policy;
      
      a file owner attribute that is representative of a name of an owner of the file that triggered the violation incident of the policy;
      
      ora database attribute that is representative of a name of a database in which a file or a message that triggered the violation incident of the policy is stored.
  - 11. The method of claim 1, wherein automatically correlating the violation incident comprises:
    - for each of the at least one message attribute value of the requested violation incident,performing a lookup operation to determine an attribute table name, an attribute column name, and a comparator operator;
      
      reading the message attribute values corresponding to the particular message attribute;
      
      constructing a query using the attribute table name, the attribute column name, the comparator operator, and the read attribute value for the particular message attribute;
      
      performing a search within the incident data repository for other violation incidents of the policy using the constructed query; and
      
      generating a count of the number of number of other violation incidents of the policy returned from the particular search.
  - 12. The method of claim 1 wherein displaying the at least one message attribute value of the requested violation incident and displaying a count comprises:
    - displaying a table having one axis represent a given time period and another axis represent the plurality of message attribute values of the requested violation incident; and
      
      for each message attribute value of the table, displaying a count of the number of similar violation incidents of the plurality of stored violation incidents of the policy that occurred within the given time period and that share a similar message attribute value with a relevant message attribute value of the requested violation incident.
  - 13. The method of claim 12, further comprising:
    - providing links for each of the counts;
      
      for each of the links, providing a list of the similar violation incidents of the plurality of stored violation incidents of the policy that occurred within the given time period and that share the similar message attribute value with the particular message attribute value of the requested violation incident when the link is selected by the user.

14. An apparatus, comprising:
- memory to store a plurality of violation incidents of a policy, wherein each of the plurality of violation incidents is associated with a plurality of message attributes values;
  
  a processor, coupled to the memory, to identify the plurality of violation incidents of the policy upon detecting presence of confidential information in a plurality of messages, to provide a user interface to receive a user request to correlate one of the plurality of stored violation incidents of the policy in the memory to other incidents of the plurality of violation incidents of the policy based on at least one common message attribute value, the user request specifying the at least one common message attribute value associated with the violation incident to be correlated; and
  
  a correlation engine, executed by the processor, to automatically correlate a requested violation incident with the other incidents of the plurality of violation incidents of the policy based on the at least one specified common message attribute value, wherein to automatically correlate comprises searching the memory using the at least one common message attribute value and finding other violation incidents of the policy having the at least one message attribute value,wherein the user interface is to present resulting correlation information to a user in response to receiving the user input identifying one of the plurality of stored policy violation incidents display the at least one message attribute value of the requested violation incident and for each of the at least one message attribute value, display a count of the number of other violation incidents of the policy that have in common the message attribute value with the requested violation incident.
- View Dependent Claims (15, 16, 17)
- - 15. The apparatus of claim 14, wherein the plurality of violation incidents has one of a plurality of incident types, each of the plurality of incident types having a corresponding plurality of message attributes, the plurality of incident types comprising hypertext transfer protocol (HTTP), instant messaging (IM), simple mail transfer protocol (SMTP), network news transfer protocol (NNTP), unidirectional transmission control protocol (uTCP), file transfer protocol (FTP), and removable media.
  - 16. The apparatus of claim 14, wherein the user interface is to provide a link for each of the counts, wherein the correlation engine is configured to generate a list of the other violation incidents of the policy corresponding to the count when the link for the particular count is activated.
  - 17. The apparatus of claim 14, wherein the correlation engine is to receive from the user through the user interface a request to find similar incidents according to one or more user-identified message attributes of the requested violation incident, and to generate a list of the similar incidents that share a value of the one or more user-identified message attributes with the requested violation incident.

18. A non-transitory computer-readable storage medium having instructions stored thereon that when executed by a computer cause the computer to perform a method comprising:
- identifying a plurality of incidents of violations of a policy upon detecting presence of confidential information in a plurality of messages;
  
  storing the plurality of violation incidents of the policy in a data repository, wherein each of the plurality of violation incidents is associated with a plurality of message attribute values;
  
  receiving a user request to correlate one of the plurality of violation incidents of the policy stored in the data repository to other incidents of the plurality of violation incidents of the policy based on at least one common message attribute value, the user request specifying the at least one common message attribute value associated with the violation incident to be correlated;
  
  in response to the user request, automatically correlating a requested violation incident with the other incidents of the plurality of violation incidents of the policy based on the at least one specified common message attribute value, wherein automatically correlating comprises searching the data repository using the at least one common message attribute value and finding other violation incidents of the policy having the at least one message attribute value with;
  
  displaying the at least one message attribute value of the requested violation incident; and
  
  for each of the at least one message attribute value to be correlated, displaying a count of the number of other violation incidents of the policy that have in common the message attribute value with the requested violation incident.
- View Dependent Claims (19)
- - 19. The non-transitory computer-readable storage medium of claim 18, wherein automatically correlating comprises:
    - generating a list of the plurality of message attribute values of the requested violation incident; and
      
      for each of the message attribute values of the list, generating a count of the number of other violation incidents of the policy that have in common the particular message attribute value with the requested violation incident.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Desjardins, Daren, Bothwell, Eric, Fontana, Alexander, Jones, Christopher
Primary Examiner(s)
Ali; Mohammad
Assistant Examiner(s)
Darno; Patrick A

Application Number

US12/079,660
Time in Patent Office

1,229 Days
Field of Search

707/694, 707/999.001, 707/999.009
US Class Current

707/694
CPC Class Codes

G06F 16/26   Visual data mining; Browsin...

G06Q 10/10   Office automation; Time man...

H04L 51/212   using filtering or selectiv...

H04L 63/1441   Countermeasures against mal...

H04L 63/20   for managing network securi...

Method and apparatus for automatically correlating related incidents of policy violations

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for automatically correlating related incidents of policy violations

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links