Extrusion detection of obfuscated content

US 8,181,036 B1
Filed: 09/29/2006
Issued: 05/15/2012
Est. Priority Date: 09/29/2006
Status: Active Grant

- Alert
- Pin

First Claim

Patent Images

1. A computer-implemented method for detecting extrusion of obfuscated content, comprising:

comparing signatures of programs launched on a computer with signatures of known obfuscation tools;

detecting launching of an obfuscation tool on the computer responsive to a signature of a program launched on the computer matching a signature of a known obfuscation tool;

responsive to detecting launching of the obfuscation tool, determining if a file being opened by the obfuscation tool is classified as sensitive, the determining comprising;

determining if the file contains a word/phrase indicative of sensitive information;

responsive to determining that the file contains the word/phrase indicative of sensitive information, interrogating the file to glean a context in which the word/phrase is used; and

determining whether the file is classified as sensitive responsive to results of the interrogation;

responsive to a determination that the file being opened by the obfuscation tool is classified as sensitive, determining that the obfuscation tool produces an output file and classifying the output file as sensitive;

computing a signature of the output file; and

using the signature of the output file to prevent extrusion of obfuscated sensitive content within the output file.

View all claims

2 Assignments

Timeline View

Assignment View

Litigations

0 Petitions

Accused Products

Abstract

Techniques are disclosed that enable extrusion detection (i.e., outgoing confidential information from an enterprise or other entity). The techniques operate to detect outgoing confidential information at the gateway and/or the client, even if that confidential information is encrypted, compressed, or otherwise obfuscated before transmission (e.g., via email or to a portable storage media such as a memory stick).

109 Citations

17 Claims

1. A computer-implemented method for detecting extrusion of obfuscated content, comprising:
- comparing signatures of programs launched on a computer with signatures of known obfuscation tools;
  
  detecting launching of an obfuscation tool on the computer responsive to a signature of a program launched on the computer matching a signature of a known obfuscation tool;
  
  responsive to detecting launching of the obfuscation tool, determining if a file being opened by the obfuscation tool is classified as sensitive, the determining comprising;
  
  determining if the file contains a word/phrase indicative of sensitive information;
  
  responsive to determining that the file contains the word/phrase indicative of sensitive information, interrogating the file to glean a context in which the word/phrase is used; and
  
  determining whether the file is classified as sensitive responsive to results of the interrogation;
  
  responsive to a determination that the file being opened by the obfuscation tool is classified as sensitive, determining that the obfuscation tool produces an output file and classifying the output file as sensitive;
  
  computing a signature of the output file; and
  
  using the signature of the output file to prevent extrusion of obfuscated sensitive content within the output file.
- View Dependent Claims (2, 3, 4, 5, 6, 15, 16, 17)
- - 2. The method of claim 1 wherein using the signature to prevent extrusion of obfuscated sensitive content within the output file comprises:
    - sending the signature of the output file to a data leakage detection engine for use in extrusion detection.
  - 3. The method of claim 2 wherein the extrusion detection is carried out on at least one of the computer or a gateway proxy with which the computer is communicatively coupled.
  - 4. The method of claim 1 further comprising:
    - monitoring for outgoing communications that include one or more attachments; and
      
      in response to detecting an outgoing communication that includes an attachment, extracting the attachment for analysis.
  - 5. The method of claim 4 wherein the analysis comprises:
    - computing a signature of the extracted attachment;
      
      comparing that signature to signatures of known sensitive information; and
      
      in response to the signature of the extracted attachment matching a signature of known sensitive information thereby indicating an extrusion attempt, blocking the extrusion attempt.
  - 6. The method of claim 4 wherein in response to the analysis indicating an extrusion attempt, the method further comprises:
    - blocking the extrusion attempt.
  - 15. The method of claim 1, wherein determining if a file being opened by the obfuscation tool is classified as sensitive comprises:
    - determining whether the file being opened is known to contain obfuscated sensitive data.
  - 16. The method of claim 1, wherein determining if a file being opened by the obfuscation tool is classified as sensitive comprises:
    - sending the file to a remote security response center; and
      
      receiving, from the remote security response center, a classification for the file.
  - 17. The method of claim 1, wherein determining if a file being opened by the obfuscation tool is classified as sensitive comprises:
    - analyzing a classification of the file being opened based at least in part on a temporal sensitivity of the file.

7. One or more non-transitory machine-readable mediums encoded with instructions, that when executed by one or more processors, cause the processor to carry out a process for detecting extrusion of obfuscated content, the process comprising:
- comparing signatures of programs launched on a computer with signatures of known obfuscation tools;
  
  detecting launching of an obfuscation tool on the computer responsive to a signature of a program launched on the computer matching a signature of a known obfuscation tool;
  
  responsive to detecting launching of the obfuscation tool, determining if a file being opened by the obfuscation tool is classified as sensitive, the determining comprising;
  
  determining if the file contains a word/phrase indicative of sensitive information;
  
  responsive to determining that the file contains the word/phrase indicative of sensitive information, interrogating the file to glean a context in which the word/phrase is used; and
  
  determining whether the file is classified as sensitive responsive to results of the interrogation;
  
  responsive to a determination that the file being opened by the obfuscation tool is classified as sensitive, determining that the obfuscation tool produces an output file and classifying the output file as sensitive;
  
  computing a signature of the output file; and
  
  using the signature of the output file to prevent extrusion of obfuscated sensitive content within the output file.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The one or more non-transitory machine-readable mediums of claim 7 wherein using the signature to prevent extrusion of obfuscated sensitive content within the output file comprises:
    - sending the signature of the output file to a data leakage detection engine for use in extrusion detection.
  - 9. The one or more non-transitory machine-readable mediums of claim 8 wherein the extrusion detection is carried out on at least one of the computer or a gateway proxy with which the computer is communicatively coupled.
  - 10. The one or more non-transitory machine-readable mediums of claim 7, the process further comprising:
    - monitoring for outgoing communications that include one or more attachments; and
      
      in response to detecting an outgoing communication that includes an attachment, extracting the attachment for analysis.
  - 11. The one or more non-transitory machine-readable mediums of claim 10 wherein the analysis comprises:
    - computing a signature of the extracted attachment;
      
      comparing that signature to signatures of known sensitive information; and
      
      in response to the signature of the extracted attachment matching a signature of known sensitive information thereby indicating an extrusion attempt, blocking the extrusion attempt.
  - 12. The one or more non-transitory machine-readable mediums of claim 10 wherein in response to the analysis indicating an extrusion attempt, the process further comprises:
    - blocking the extrusion attempt.

13. A system for detecting extrusion of obfuscated content, comprising:
- a non-transitory machine-readable medium encoded with processor-executable instructions comprising;
  
  a monitoring module for comparing signatures of programs launched on a computer with signatures of known obfuscation tools and for detecting launching of an obfuscation tool on the computer responsive to a signature of a program launched on the computer matching a signature of a known obfuscation tool;
  
  a classifier module for, responsive to a detected launch of the obfuscation tool, determining if a file being opened by the obfuscation tool is classified as sensitive, the determining comprising;
  
  determining if the file contains a word/phrase indicative of sensitive information;
  
  responsive to determining that the file contains the word/phrase indicative of sensitive information, interrogating the file to glean a context in which the word/phrase is used; and
  
  determining whether the file is classified as sensitive responsive to results of the interrogation;
  
  the monitoring module further for, responsive to a determination that the file being opened by the obfuscation tool is classified as sensitive, determining that the obfuscation tool produces an output file, for classifying the output file as sensitive, and for computing a signature of the output file; and
  
  a data leakage detection engine for using the signature of the output file to prevent extrusion of obfuscated sensitive content within the output file; and
  
  a processor for executing the instructions encoded on the non-transitory machine-readable medium.
- View Dependent Claims (14)
- - 14. The system of claim 13 further comprising:
    - a forwarding module for sending the signature of the output file to the data leakage detection engine for use in extrusion detection;
      
      wherein the extrusion detection is carried out on at least one of the computer or a gateway proxy with which the computer is communicatively coupled.

Specification

Resources

Litigation Campaign Assessment

Litigation Data

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Nachenberg, Carey
Primary Examiner(s)
Truong, Thanhnga B
Assistant Examiner(s)
Plecha, Thaddeus

Application Number

US11/537,252
Time in Patent Office

2,055 Days
Field of Search

726/23
US Class Current

713/189
CPC Class Codes

H04L 63/0227 Filtering policies mail mes...

H04L 63/1416 Event detection, e.g. attac...

Extrusion detection of obfuscated content

First Claim

2 Assignments

Litigations

0 Petitions

Accused Products

Abstract

109 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Extrusion detection of obfuscated content

First Claim

2 Assignments

Subscription Required

Subscription Required

Litigations

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

109 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links