System and method for intelligence based security

US 8,341,404 B2
Filed: 02/17/2006
Issued: 12/25/2012
Est. Priority Date: 02/18/2005
Status: Active Grant

First Claim

Patent Images

1. A method for securing data, implemented in a computer system, the computer system including a tangible, non-transitory storage section, a user input device, an output device, and a processor, the method comprising:

receiving, at the computer system, one or more parameters defining a security policy;

dynamically generating, by executing with the processor of the computer system instructions stored in the storage section, one or more intelligent security rules based on the security policy, each rule including at least one qualifier and at least one attribute;

maintaining the one or more intelligent security rules, by executing with the processor of the computer system instructions stored in the storage section, for use by an intelligent security filter operable to leverage the one or more intelligent security rules;

determining whether applying the one or more intelligent security rules would cause a system misconfiguration; and

responsive to the determining step, altering the one or more intelligent security rules to avoid the system misconfiguration.

View all claims

19 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Included in the present disclosure are a system, method and program of instructions operable to protect vital information by combining information about a user and what they are allowed to see with information about essential files that need to be protected on an information handling system. Using intelligent security rules, essential information may be encrypted without encrypting the entire operating system or application files. According to aspects of the present disclosure, shared data, user data, temporary files, paging files, the password hash that is stored in the registry, and data stored on removable media may be protected.

18 Citations

View as Search Results

21 Claims

1. A method for securing data, implemented in a computer system, the computer system including a tangible, non-transitory storage section, a user input device, an output device, and a processor, the method comprising:
- receiving, at the computer system, one or more parameters defining a security policy;
  
  dynamically generating, by executing with the processor of the computer system instructions stored in the storage section, one or more intelligent security rules based on the security policy, each rule including at least one qualifier and at least one attribute;
  
  maintaining the one or more intelligent security rules, by executing with the processor of the computer system instructions stored in the storage section, for use by an intelligent security filter operable to leverage the one or more intelligent security rules;
  
  determining whether applying the one or more intelligent security rules would cause a system misconfiguration; and
  
  responsive to the determining step, altering the one or more intelligent security rules to avoid the system misconfiguration.
- View Dependent Claims (2, 3, 4)
- - 2. The method of claim 1, wherein the attribute of each rule indicates whether data identified by the rule is to be encrypted or to remain unencrypted and, if encrypted, what type of encryption and what type of key are to be used for encryption.
  - 3. The method of claim 1, wherein the qualifier of each rule includes a pathname, path scope, data type, file type, file system owner, file system attributes and running process attributes and owner.
  - 4. The method of claim 1, wherein the parameters of the security policy include one or more of a pathname, path scope, data type, data ownership, category of data and active process attributes.

5. A system for securing data, comprising:
- at least one processor;
  
  a memory operably associated with the at least one processor; and
  
  a program of instructions storable in the memory and executable by the processor, the program of instructions including;
  
  at least one instruction operable to apply one or more security measures to data identified by one or more of;
  
  a pathname, data type, file type, file system owner, file system attributes, and running process attributes and owner, maintain the one or more security measures applicable to data while the data is not in use, and automatically remove the one or more security measures from data in response to detecting a triggering file operation requesting access to the data;
  
  at least one instruction operable to apply one or more security measures to data in response to detecting a triggering file operation, the one or more security measures being applied based on one or more intelligence based encryption rules, each intelligence based encryption rule including one or more of;
  
  a path at which data to be protected is stored, a scope of data to be protected stored at the path, and one or more attributes of processes required to be running for data to be protected;
  
  at least one instruction operable to receive one or more parameters defining a security policy, and generate the one or more intelligence based encryption rules based on the security policy;
  
  determining whether applying the one or more intelligent security rules would cause a system misconfiguration; and
  
  responsive to the determining step, altering the one or more intelligent security rules to avoid the system misconfiguration.
- View Dependent Claims (6, 7, 8, 9, 10, 11)
- - 6. The system of claim 5, further comprising the program of instructions including at least one instruction operable to block pending file open operations until after appropriate security measures have been applied to the file.
  - 7. The system of claim 5, wherein the intelligence based encryption rules include a type of data to be protected.
  - 8. The system of claim 5, wherein the program of instructions is operable to apply one or more security measures to a paging file associated with one or more applications.
  - 9. The system of claim 5, wherein the program of instructions is further operable to:
    - store a representation of one or more user credentials in a secure location;
      
      remove one or more protective measures from the representation in response to a request seeking access to the representation; and
      
      restore the representation to a secure location when not in use by a requesting application.
  - 10. The system of claim 9, wherein the representation includes a hash of a domain password;
    - and where the secure location is outside a registry.
  - 11. The system of claim 5, wherein the program of instructions includes at least one instruction operable to apply one or more security measures to data maintained on accessible removable media.

12. A method for securing data, implemented in a computer system, the computer system including a tangible, non-transitory storage section, a processor, a first set of instructions comprising an intelligent security filter, and a second set of instructions comprising a security service, the instructions being executable by the processor, the method comprising:
- receiving, at the security service, parameters defining a security policy;
  
  generating, at the security service, one or more intelligent security rules based on the security policy;
  
  detecting, at the intelligent security filter, a triggering file operation generated by an application run by or on behalf of a user;
  
  determining, at the intelligent security, whether any of the one or more intelligent security rules requires a security measure to be applied to data in the storage section in response to the triggering file operation;
  
  responsive to determining that the triggering file operation requires a security measure, applying the security measure at the intelligent security filter;
  
  wherein the detecting, determining, generating, and applying steps are performed without user interaction;
  
  wherein the security measure is applied without direction and control from the application;
  
  determining whether applying the one or more intelligent security rules would cause a system misconfiguration; and
  
  responsive to the determining step, altering the one or more intelligent security rules to avoid the system misconfiguration.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21)
- - 13. The method of claim 12, wherein the security measure includes one or more techniques selected from the group consisting of:
    - encrypting data and writing the encrypted data to the storage section, decrypting data and providing the decrypted data to the application, and restricting access to data.
  - 14. The method of claim 12, wherein the one of more intelligent security rules include at least one qualifier and at least one attribute.
  - 15. The method of claim 14, wherein the attribute of each rule indicates whether data identified by the rule is to be encrypted or to remain unencrypted and, if encrypted, what type of encryption and what type of key are to be used for encryption.
  - 16. The method of claim 14, wherein the qualifier of each rule includes one or more of:
    - a pathname, path scope, data type, file type, file system owner, file system attributes and running process attributes and owner.
  - 17. The method of claim 12, wherein at least one of the one or more intelligent security rules requires a security measure to be applied to data stored in removable media.
  - 18. The method of claim 12, wherein the computer system further includes a network connection, and wherein at least one of the one or more intelligent security rules requires a security measure to be applied to data stored in a remote storage location that is accessed via the network connection.
  - 19. The method of claim 12, further comprising logging security relevant file operations to the storage section based on the one or more intelligent security rules.
  - 20. The method of claim 12, wherein the security measure includes encrypting data placed in an application-swap file with the intelligent security filter.
  - 21. The method of claim 12, wherein the security measure includes decrypting data placed in an application-swap file with the intelligent security filter when the application-swap file is accessed by the application.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Dell Marketing LP (Dell Technologies Inc.)
Original Assignee
Credant Technologies Incorported (Dell Technologies Inc.)
Inventors
Jaynes, Jason, Chin, Bryan, Consolver, David, Burchett, Christopher D.
Primary Examiner(s)
Chea, Philip
Assistant Examiner(s)
Traore, Fatoumata

Application Number

US11/357,448
Publication Number

US 20070174909A1
Time in Patent Office

2,503 Days
Field of Search

726/18, 726/19, 726/27, 726/5, 726/6, 726/7, 713/165, 713/167
US Class Current

713/165
CPC Class Codes

G06F 21/60   Protecting data

G06F 21/602   Providing cryptographic fac...

G06F 21/604   Tools and structures for ma...

G06F 21/6218   to a system of files or obj...

H04L 63/0428   wherein the data content is...

H04L 63/104   Grouping of entities

H04L 9/088   Usage controlling of secret...

H04L 9/321   involving a third party or ...

System and method for intelligence based security

First Claim

19 Assignments

0 Petitions

Accused Products

Abstract

18 Citations

21 Claims

Specification

Use Cases

Quick Links

Others

System and method for intelligence based security

First Claim

19 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

18 Citations

21 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others