Method and system for detecting and protecting against potential data loss from unknown applications

US 8,544,060 B1
Filed: 01/27/2012
Issued: 09/24/2013
Est. Priority Date: 01/27/2012
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method, comprising:

detecting, by an endpoint data loss prevention (DLP) system running on a client computing device, that a local application has accessed a document on the client computing device;

determining that the document contains sensitive data according to one or more DLP polices of the endpoint DLP system;

determining that a combination of the local application and a type of the document is not included in a whitelist of the DLP policies;

capturing at least one of one or more screenshots, and video of one or more operations that the application performs on the document;

sending the captured at least one of the one or more screenshots, and the video to an enforcement server associated with the endpoint DLP system; and

receiving one or more updated DLP policies from the enforcement server, the one or more updated DLP policies comprising changes based on the captured at least one of the one or more screenshots or the video;

wherein the one or more updated DLP policies cause the endpoint DLP system to at least one of blacklist the combination of the application and document type, restrict access to the document, encrypt the document, or move the document to a different location.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for detecting and protecting against potential data loss from unknown applications is described. In one embodiment, a method includes detecting, by an endpoint data loss prevention (DLP) system running on a client computing device, that a local application has accessed a document on the client computing device. The method further includes determining that the document contains sensitive data according to one or more DLP polices of the endpoint DLP system and determining that a combination of the local application and a type of the document is not included in a whitelist of the DLP policies. Then, the method includes capturing at least one of one or more screenshots, and video of one or more operations that the application performs on the document and sending the captured at least one of the one or more screenshots, and the video to an enforcement server associated with the endpoint DLP system.

Citations

15 Claims

1. A computer-implemented method, comprising:
- detecting, by an endpoint data loss prevention (DLP) system running on a client computing device, that a local application has accessed a document on the client computing device;
  
  determining that the document contains sensitive data according to one or more DLP polices of the endpoint DLP system;
  
  determining that a combination of the local application and a type of the document is not included in a whitelist of the DLP policies;
  
  capturing at least one of one or more screenshots, and video of one or more operations that the application performs on the document;
  
  sending the captured at least one of the one or more screenshots, and the video to an enforcement server associated with the endpoint DLP system; and
  
  receiving one or more updated DLP policies from the enforcement server, the one or more updated DLP policies comprising changes based on the captured at least one of the one or more screenshots or the video;
  
  wherein the one or more updated DLP policies cause the endpoint DLP system to at least one of blacklist the combination of the application and document type, restrict access to the document, encrypt the document, or move the document to a different location.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The computer-implemented method of claim 1, wherein the endpoint DLP system utilizes one or more application programming interfaces (APIs) of an operating system of the client computing device in order capture the at least one of the one or more screenshots or the video.
  - 3. The computer-implemented method of claim 1, wherein the one or more screenshots are taken at periodic time intervals over a time span that the application is in use.
  - 4. The computer-implemented method of claim 1, wherein the enforcement server analyzes the captured data to determine if at least one of malicious or suspicious activity occurred with respect to the document on the endpoint device.
  - 5. The computer-implemented method of claim 1, wherein the whitelist comprises one or more different application and document type pairs that have been approved by an administrator of the endpoint DLP system as being an allowable combination.
  - 6. The computer-implemented method of claim 1, further comprising, prior to the capturing:
    - presenting a notice to a user of the application that the application may be subject to screenshot or video capture that present privacy issues; and
      
      allowing access to the document when the user acknowledges and accepts the notice.

7. An endpoint device, comprising:
- a memory to store instructions for a data loss prevention (DLP) policy; and
  
  a processing device coupled with the memory, wherein the processing device is configured to;
  
  detect that a local application of the endpoint device has accessed a document on the client computing device;
  
  determine that the document contains sensitive data according to the DLP policy;
  
  determine that a combination of the local application and a type of the document is not included in a whitelist of the DLP policies;
  
  capture at least one of one or more screenshots, and video of one or more operations that the application performs on the document;
  
  send the captured at least one of the one or more screenshots, and the video to an enforcement server associated with the endpoint DLP system; and
  
  receive one or more updated DLP policies from the enforcement server, the one or more updated DLP policies comprising changes based on the captured at least one of the one or more screenshots or the video;
  
  wherein the one or more updated DLP policies cause the endpoint DLP system to at least one of blacklist the combination of the application and document type, restrict access to the document, encrypt the document, or move the document to a different location.
- View Dependent Claims (8, 9, 10, 11)
- - 8. The endpoint device of claim 7, wherein the one or more screenshots are taken at periodic time intervals over a time span that the application is in use.
  - 9. The endpoint device of claim 7, wherein the enforcement server analyzes the captured data to determine if at least one of malicious or suspicious activity occurred with respect to the document.
  - 10. The endpoint device of claim 7, wherein the whitelist comprises one or more different application and document type pairs that have been approved by an administrator of the endpoint DLP system as being an allowable combination.
  - 11. The endpoint device of claim 7, further comprising, prior to the capturing:
    - presenting a notice to a user of the application that the application may be subject to screenshot or video capture that present privacy issues; and
      
      allowing access to the document when the user acknowledges and accepts the notice.

12. A non-transitory computer readable storage medium including instructions that, when executed by a processing device, cause the processing device to perform a method comprising:
- receiving, by an enforcement server device of a data loss prevent (DLP) system, data representing captured at least one of one or more screenshots or video of an application manipulating a sensitive document at an endpoint DLP system of the DLP system;
  
  analyzing, by the enforcement server device, the received captured data to determine whether at least one of suspicious or malicious activity occurred with respect to the sensitive document;
  
  updating, by the enforcement server device, one or more DLP policies based on the results of the analysis; and
  
  deploying, by the enforcement server device, the one or more updated DLP policies to one or more endpoint DLP systems;
  
  wherein the one or more updated DLP policies cause the one or more endpoint DLP systems to at least one of blacklist the combination of the application and document type, restrict access to the document, encrypt the document, or move the document to a different location.
- View Dependent Claims (13, 14, 15)
- - 13. The non-transitory computer readable storage medium of claim 12, wherein the one or more screenshots are taken at periodic time intervals over a time span that the application is in use.
  - 14. The non-transitory computer readable storage medium of claim 12, wherein the enforcement server maintains a whitelist comprising one or more different application and document type pairs that have been approved by an administrator of the enforcement server and is part of the one or more updated DLP policies.
  - 15. The non-transitory computer readable storage medium of claim 14, wherein the instructions, when executed by the processing device, cause the processing device to perform further operations of the method comprising:
    - if, based on the analysis, operations of the application manipulating the sensitive document are not at least one of suspicious or malicious, then adding a combination of the application and a type of the sensitive document to the whitelist.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Khetawat, Rupesh
Primary Examiner(s)
Gergiso, Techane

Application Number

US13/360,084
Time in Patent Office

606 Days
Field of Search

726/1, 713/165
US Class Current

726/1
CPC Class Codes

G06F 21/55   Detecting local intrusion o...

G06F 21/60   Protecting data

G06F 21/62   Protecting access to data v...

H04L 63/20   for managing network securi...

Method and system for detecting and protecting against potential data loss from unknown applications

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for detecting and protecting against potential data loss from unknown applications

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links