Extrusion detection of obfuscated content
First Claim
1. A computer-implemented method for detecting extrusion of obfuscated content, comprising:
- comparing signatures of programs launched on a computer with signatures of known obfuscation tools;
- detecting launching of an obfuscation tool on the computer responsive to a signature of a program launched on the computer matching a signature of a known obfuscation tool;
- responsive to detecting launching of the obfuscation tool, determining if a file being opened by the obfuscation tool is classified as sensitive, the determining comprising;
  - determining if the file contains a word/phrase indicative of sensitive information;
  - responsive to determining that the file contains the word/phrase indicative of sensitive information, interrogating the file to glean a context in which the word/phrase is used; and
  - determining whether the file is classified as sensitive responsive to results of the interrogation;
- responsive to a determination that the file being opened by the obfuscation tool is classified as sensitive, determining that the obfuscation tool produces an output file and classifying the output file as sensitive;
- computing a signature of the output file; and
- using the signature of the output file to prevent extrusion of obfuscated sensitive content within the output file.
Abstract
Techniques are disclosed that enable extrusion detection (i.e., outgoing confidential information from an enterprise or other entity). The techniques operate to detect outgoing confidential information at the gateway and/or the client, even if that confidential information is encrypted, compressed, or otherwise obfuscated before transmission (e.g., via email or to a portable storage media such as a memory stick).
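The flow recited in claim 1, as an added Python sketch (not code from the patent): an endpoint monitor tags the output of a known obfuscation tool that read a sensitive file, and a gateway check then blocks on that signature even though a content scan of the obfuscated bytes finds nothing. SHA-256 as the signature, `zlib` standing in for the obfuscation tool, and every name, rule and sample string are assumptions.

```python
import hashlib
import re
import zlib

# Assumptions: SHA-256 as the signature; tool image, keyword and context rule are constructed.
def sig(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

TOOL_IMAGE = b"constructed-compressor-binary"
KNOWN_TOOL_SIGS = {sig(TOOL_IMAGE)}
CONTEXT_RULES = {"ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b")}  # keyword -> confirming pattern

def is_sensitive(data: bytes, window: int = 60) -> bool:
    # Keyword hit first, then inspect the surrounding text for confirming context.
    text = data.decode("utf-8", "replace").lower()
    for keyword, context in CONTEXT_RULES.items():
        for hit in re.finditer(re.escape(keyword), text):
            if context.search(text[max(0, hit.start() - window): hit.end() + window]):
                return True
    return False

class EndpointMonitor:
    def __init__(self):
        self.tool_pids = {}        # pid of a known obfuscation tool -> read sensitive input?
        self.blocked_sigs = set()  # signatures handed to the leakage detection engine
    def on_launch(self, pid: int, image: bytes) -> None:
        if sig(image) in KNOWN_TOOL_SIGS:
            self.tool_pids[pid] = False
    def on_open(self, pid: int, content: bytes) -> None:
        if pid in self.tool_pids and is_sensitive(content):
            self.tool_pids[pid] = True
    def on_output(self, pid: int, output: bytes) -> None:
        if self.tool_pids.get(pid):  # output inherits the input's classification
            self.blocked_sigs.add(sig(output))

def gateway_allows(monitor: EndpointMonitor, outbound: bytes) -> bool:
    return sig(outbound) not in monitor.blocked_sigs and not is_sensitive(outbound)

def run_demo() -> dict:
    secret = b"Payroll export. Employee SSN: 000-12-3456, band C."
    benign = b"Form help: leave the SSN field blank if you have none."
    mon, verdicts = EndpointMonitor(), {}
    for pid, doc in ((100, secret), (101, benign)):
        mon.on_launch(pid, TOOL_IMAGE)
        mon.on_open(pid, doc)
        packed = zlib.compress(doc)  # stands in for the tool's output file
        mon.on_output(pid, packed)
        verdicts[pid] = (is_sensitive(packed), gateway_allows(mon, packed))
    return verdicts
```

`run_demo()` returns, per tool process, whether a content scan flags the compressed output and whether the gateway lets it out.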
17 Claims
1. A computer-implemented method for detecting extrusion of obfuscated content (recited in full under First Claim above).
Dependent claims: 2, 3, 4, 5, 6, 15, 16, 17
7. One or more non-transitory machine-readable mediums encoded with instructions, that when executed by one or more processors, cause the processor to carry out a process for detecting extrusion of obfuscated content, the process comprising:
- comparing signatures of programs launched on a computer with signatures of known obfuscation tools;
- detecting launching of an obfuscation tool on the computer responsive to a signature of a program launched on the computer matching a signature of a known obfuscation tool;
- responsive to detecting launching of the obfuscation tool, determining if a file being opened by the obfuscation tool is classified as sensitive, the determining comprising;
  - determining if the file contains a word/phrase indicative of sensitive information;
  - responsive to determining that the file contains the word/phrase indicative of sensitive information, interrogating the file to glean a context in which the word/phrase is used; and
  - determining whether the file is classified as sensitive responsive to results of the interrogation;
- responsive to a determination that the file being opened by the obfuscation tool is classified as sensitive, determining that the obfuscation tool produces an output file and classifying the output file as sensitive;
- computing a signature of the output file; and
- using the signature of the output file to prevent extrusion of obfuscated sensitive content within the output file.
Dependent claims: 8, 9, 10, 11, 12
13. A system for detecting extrusion of obfuscated content, comprising:
- a non-transitory machine-readable medium encoded with processor-executable instructions comprising;
  - a monitoring module for comparing signatures of programs launched on a computer with signatures of known obfuscation tools and for detecting launching of an obfuscation tool on the computer responsive to a signature of a program launched on the computer matching a signature of a known obfuscation tool;
  - a classifier module for, responsive to a detected launch of the obfuscation tool, determining if a file being opened by the obfuscation tool is classified as sensitive, the determining comprising;
    - determining if the file contains a word/phrase indicative of sensitive information;
    - responsive to determining that the file contains the word/phrase indicative of sensitive information, interrogating the file to glean a context in which the word/phrase is used; and
    - determining whether the file is classified as sensitive responsive to results of the interrogation;
  - the monitoring module further for, responsive to a determination that the file being opened by the obfuscation tool is classified as sensitive, determining that the obfuscation tool produces an output file, for classifying the output file as sensitive, and for computing a signature of the output file; and
  - a data leakage detection engine for using the signature of the output file to prevent extrusion of obfuscated sensitive content within the output file; and
- a processor for executing the instructions encoded on the non-transitory machine-readable medium.
Dependent claims: 14
Specification