Document de-registration

US 8,548,170 B2
Filed: 05/25/2004
Issued: 10/01/2013
Est. Priority Date: 12/10/2003
Status: Active Grant

First Claim

Patent Images

1. A method to be performed in an electronic environment in which network communications occur involving packets and at least one processor and a memory element, comprising:

monitoring security of a plurality of registered digital documents in a system, the monitoring including determining whether signatures associated with the registered digital documents are included in data propagating in network traffic of the system, wherein the signatures of the registered documents are maintained in a signature database, each signature being associated with at least one of the plurality of registered digital documents, and respective signatures are removed from the database upon determining that respective signatures are detected within the network traffic at a rate in excess of a threshold detection rate designated as a threshold percentage of all data objects detected in the network traffic;

receiving a particular document, in the plurality of the registered digital documents, to be de-registered in response to an expiration of a time interval associated with an initial registration of the particular document;

calculating a set of signatures associated with the received particular document;

identifying, in the signatures stored in the signature database, at least one signature included in the set of calculated signatures; and

removing from the signature database the at least one identified signature included in the set of calculated signatures associated with the particular document, wherein data in the network traffic detected to include a signature of a registered document is intercepted and data in the network traffic determined to not include a signature of a registered document is allowed to propagate unintercepted to its intended destination.

View all claims

12 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A document accessible over a network can be registered. A registered document, and the content contained therein, cannot be transmitted undetected over and off of the network. In one embodiment, a plurality of stored signatures are maintained in a signature database, each signature being associated with one of a plurality of registered documents. In one embodiment, the signature database is maintained by de-registering documents by removing the signatures associated with de-registered documents. In one embodiment, the database is maintained by removing redundant and high detection rate signatures. In one embodiment, the signature database is maintained by removing signatures based on the source text used to generate the signature.

375 Citations

32 Claims

1. A method to be performed in an electronic environment in which network communications occur involving packets and at least one processor and a memory element, comprising:
- monitoring security of a plurality of registered digital documents in a system, the monitoring including determining whether signatures associated with the registered digital documents are included in data propagating in network traffic of the system, wherein the signatures of the registered documents are maintained in a signature database, each signature being associated with at least one of the plurality of registered digital documents, and respective signatures are removed from the database upon determining that respective signatures are detected within the network traffic at a rate in excess of a threshold detection rate designated as a threshold percentage of all data objects detected in the network traffic;
  
  receiving a particular document, in the plurality of the registered digital documents, to be de-registered in response to an expiration of a time interval associated with an initial registration of the particular document;
  
  calculating a set of signatures associated with the received particular document;
  
  identifying, in the signatures stored in the signature database, at least one signature included in the set of calculated signatures; and
  
  removing from the signature database the at least one identified signature included in the set of calculated signatures associated with the particular document, wherein data in the network traffic detected to include a signature of a registered document is intercepted and data in the network traffic determined to not include a signature of a registered document is allowed to propagate unintercepted to its intended destination.
- View Dependent Claims (2, 9, 10)
- - 2. The method of claim 1, wherein the document to be de-registered has exceeded a temporal registration threshold for the document.
  - 9. The method of claim 1, wherein the threshold detection rate of the particular signature further includes a number of times the particular signature is generated from data objects detected in the network traffic during a time window.
  - 10. The method of claim 9, wherein the threshold detection rate of the particular signature further includes a rate of signature appearance per day.

3. A method to be performed in an electronic environment in which network communications occur involving packets and at least one processor and a memory element, comprising:
- monitoring security of a plurality of registered digital documents in a system using a capture system, the monitoring including determining whether signatures associated with the registered digital documents are included in data propagating in network traffic of the system, wherein the signatures of the registered documents are maintained in a signature database, each signature being associated with at least one of the plurality of registered digital documents, and respective signatures are removed from the database upon determining that respective signatures are detected within the network traffic at a rate in excess of a threshold detection rate designated as a threshold percentage of all data objects detected in the network traffic;
  
  receiving a request to de-register an identified document from the plurality of registered digital documents in response to an expiration of a time interval associated with an initial registration of the identified document; and
  
  de-registering the identified document by removing all signatures associated with the identified document from the signature database, wherein the capture system that maintains the stored signatures is configured to allow a received document to be forwarded from the capture system to its intended destination at a network node unless a capture rule prohibits forwarding the received document based on the detection of one or more of the signatures of the registered documents included in the received document.
- View Dependent Claims (4, 5)
- - 4. The method of claim 3, wherein the request identifies the identified document by a unique name.
  - 5. The method of claim 3, further comprising determining that the identified document exceeds a temporal registration threshold.

6. A method to be performed in an electronic environment in which network communications occur involving packets and at least one processor and a memory element, comprising:
- monitoring security of a plurality of registered digital documents in a system, the monitoring including determining whether signatures associated with the registered digital documents are included in data propagating in network traffic of the system, wherein the signatures of the registered documents are maintained in a signature database, each signature being associated with at least one of the plurality of registered digital documents, wherein respective signatures are removed from the database after determining that the respective signatures are detected within the network traffic at a rate in excess of a threshold detection rate, which is designated as a threshold percentage of data objects detected in the network traffic;
  
  identifying at least one redundant signature maintained in the signature database, wherein a redundant signature is a signature shared by multiple different digital documents in the plurality of registered digital documents; and
  
  removing the at least one redundant signature from the signatures maintained in the signature database;
  
  identifying a particular document in the plurality of digital documents that is to be deregistered; and
  
  de-registering the particular document by removing all signatures associated with the particular document from the signature database;
  
  wherein registered data that is detected as including a signature of at least one of the plurality of registered digital documents is intercepted prior to its intended destination and data that is detected as not including a signature of at least one of the plurality of registered digital documents is allowed to be forwarded to its intended destination at a network node.
- View Dependent Claims (7, 8)
- - 7. The method of claim 6, wherein identifying the set of redundant signatures comprises identifying a plurality of identical signatures.
  - 8. The method of claim 6, wherein identifying the set of redundant signatures comprises identifying a threshold number of identical signatures associated with a threshold number of different registered documents.

11. A method to be performed in an electronic environment in which network communications occur involving packets and at least one processor and a memory element, comprising:
- providing a database of stored signatures, each signature being associated with one of a plurality of registered documents, wherein a particular signature is removed from the signature database based on identifying that the particular signature was detected within network traffic of a particular network in excess of a threshold detection rate designated as a threshold percentage of all data objects detected in the network traffic;
  
  monitoring security of the plurality of registered documents, the monitoring including identifying attempts to forward registered documents to nodes outside of the particular network by identifying data propagating within the particular network that includes one or more signatures maintained in the signature database and associated with the plurality of registered documents;
  
  receiving a selected document, included in the plurality of registered documents, that is to be de-registered in response to an expiration of a time interval associated with an initial registration of the selected document; and
  
  de-registering the selected document by removing all signatures associated with the selected document from the signature database;
  
  wherein data propagating within the particular network that is detected as not including a signature of at least one of the plurality of registered digital documents is allowed to be forwarded outside of the particular network.
- View Dependent Claims (12, 13)
- - 12. The method of claim 11, wherein the set of signatures comprises signatures generated from unparsable source text.
  - 13. The method of claim 11, wherein the set of signatures comprises signatures generated from source text appearing on a signature blacklist.

14. A non-transitory machine-readable medium storing data representing instructions that, when executed by a processor, cause the processor to perform operations comprising:
- monitoring security of a plurality of registered digital documents in a system, the monitoring including determining whether signatures associated with the registered digital documents are included in data propagating in network traffic of the system, wherein the signatures of the registered documents are maintained in a signature database, each signature being associated with at least one of the plurality of registered digital documents, and respective signatures are removed from the database upon determining that respective signatures are detected within the network traffic at a rate in excess of a threshold detection rate designated as a threshold percentage of all data objects detected in the network traffic;
  
  receiving a particular document, in the plurality of the registered digital documents, to be de-registered in response to an expiration of a time interval associated with an initial registration of the particular document;
  
  calculating a set of signatures associated with the received particular document;
  
  identifying, in the signatures stored in the signature database, at least one signature included in the set of calculated signatures; and
  
  removing from the signature database the at least one identified signature included in the set of calculated signatures associated with the particular document, wherein data in the network traffic detected to include a signature of a registered document is intercepted and data in the network traffic determined to not include a signature of a registered document is allowed to propagate unintercepted to its intended destination.
- View Dependent Claims (15, 22, 23)
- - 15. The machine-readable medium of claim 14, wherein the document to be de-registered has exceeded a temporal registration threshold for the document.
  - 22. The machine-readable medium of claim 14, wherein the threshold detection rate of the particular signature further includes a number of times the particular signature is generated from data objects detected in the network traffic during a time window.
  - 23. The machine-readable medium of claim 22, wherein the threshold detection rate of the particular signature further includes a rate of signature appearance per day.

16. A non-transitory machine-readable medium storing data representing instructions that, when executed by a processor, cause the processor to perform operations comprising:
- monitoring security of a plurality of registered digital documents in a system using a capture system, the monitoring including determining whether signatures associated with the registered digital documents are included in data propagating in network traffic of the system, wherein the signatures of the registered documents are maintained in a signature database, each signature being associated with at least one of the plurality of registered digital documents, and respective signatures are removed from the database upon determining that respective signatures are detected within the network traffic at a rate in excess of a threshold detection rate designated as a threshold percentage of all data objects detected in the network traffic;
  
  receiving a request to de-register an identified document from the plurality of registered digital documents in response to an expiration of a time interval associated with an initial registration of the identified document;
  
  de-registering the identified document by removing all signatures associated with the identified document from the signature database; and
  
  allowing an attempt to forward the identified document to a particular network destination subsequent to the de-registering of the identified document, wherein the detection of one or more of the signatures of the registered documents in particular data propagating in network traffic prompts interception of the particular data.
- View Dependent Claims (17, 18)
- - 17. The machine-readable medium of claim 16, wherein the request identifies the identified document by a unique name.
  - 18. The machine-readable medium of claim 16, wherein the instructions further cause the processor to determine that the identified document exceeds a temporal registration threshold.

19. A non-transitory machine-readable medium storing data representing instructions that, when executed by a processor, cause the processor to perform operations comprising:
- monitoring security of a plurality of registered digital documents in a system, the monitoring including determining whether signatures associated with the registered digital documents are included in data propagating in network traffic of the system, wherein the signatures of the registered documents are maintained in a signature database, each signature being associated with at least one of the plurality of registered digital documents, wherein respective signatures are removed from the database after determining that the respective signatures are detected within the network traffic at a rate in excess of a threshold detection rate, which is designated as a threshold percentage of data objects detected in the network traffic;
  
  identifying at least one redundant signature maintained in the signature database, wherein a redundant signature is a signature shared by multiple different digital documents in the plurality of registered digital documents; and
  
  removing the at least one redundant signature from the signatures maintained in the signature database;
  
  identifying a particular document in the plurality of digital documents that is to be deregistered; and
  
  de-registering the particular document by removing all signatures associated with the particular document from the signature database;
  
  wherein registered data that is detected as including a signature of at least one of the plurality of registered digital documents is intercepted prior to its intended destination and data that is detected as not including a signature of at least one of the plurality of registered digital documents is allowed to be forwarded to its intended destination at a network node.
- View Dependent Claims (20, 21)
- - 20. The machine-readable medium of claim 19, wherein identifying the set of redundant signatures comprises identifying a plurality of identical signatures.
  - 21. The machine-readable medium of claim 19, wherein identifying the set of redundant signatures comprises identifying a threshold number of identical signatures associated with a threshold number of different registered documents.

24. A non-transitory machine-readable medium storing data representing instructions that, when executed by a processor, cause the processor to perform operations comprising:
- providing a database of stored signatures, each signature being associated with one of a plurality of registered documents, wherein a particular signature is removed from the signature database based on identifying that the particular signature was detected within network traffic of a particular network in excess of a threshold detection rate designated as a threshold percentage of all data objects detected in the network traffic;
  
  monitoring security of the plurality of registered documents, the monitoring including identifying attempts to forward registered documents to nodes outside of the particular network by identifying data propagating within the particular network that includes one or more signatures maintained in the signature database and associated with the plurality of registered documents;
  
  receiving a selected document, included in the plurality of registered documents, that is to be de-registered in response to an expiration of a time interval associated with an initial registration of the selected document; and
  
  de-registering the selected document by removing all signatures associated with the selected document from the signature database;
  
  wherein data propagating within the particular network that is detected as not including a signature of at least one of the plurality of registered digital documents is allowed to be forwarded outside of the particular network.
- View Dependent Claims (25, 26)
- - 25. The machine-readable medium of claim 24, wherein the set of signatures comprises signatures generated from unparsable source text.
  - 26. The machine-readable medium of claim 24, wherein the set of signatures comprises signatures generated from source text appearing on a signature blacklist.

27. An apparatus to be used in an electronic environment in which network communications occur involving packets and at least one processor and a memory element, comprising:
- a network interface module to connect the apparatus to a network;
  
  a storage medium including a signature database storing a plurality of signatures, each signature being associated with one of a plurality of registered digital documents, wherein a particular signature is removed from the signature database based on identifying that a detection rate, which reflects how often the particular signature is detected in particular captured objects propagating in network traffic, exceeds and over inclusive signatures are removed from the signature database upon determining that respective signatures are detected within the network traffic at a rate in excess of a threshold detection rate designated as a threshold percentage of all data objects detected in the network traffic;
  
  a user interface to receive a particular digital document to be de-registered in response to an expiration of a time interval associated with an initial registration of the particular document; and
  
  a registration module comprising;
  
  a registration engine to generate a set of signatures associated with the received particular document, anda search engine to identify signatures in the signature database matching any of the signatures in the set of signatures associated with the received particular document,wherein the registration module is configured to remove the signatures matching any of the signatures in the set of signatures associated with the received particular document form the signature database;
  
  wherein data in the network traffic detected to include at least one of the plurality of signatures associated with at least one registered document is intercepted and data in the network traffic determined to not include at least one of the plurality of signatures is allowed to propagate unintercepted to its intended destination.
- View Dependent Claims (28, 29)
- - 28. The apparatus of claim 27, wherein the threshold detection rate of the particular signature further includes a number of times the particular signature is generated from data objects detected in the network traffic during a time window.
  - 29. The apparatus of claim 28, wherein the threshold detection rate of the particular signature further includes a rate of signature appearance per day.

30. An apparatus to be used in an electronic environment in which network communications occur involving packets and at least one processor and a memory element, comprising:
- a storage medium including a signature database to store a plurality of signatures, each signature being associated with one of a plurality of registered documents, wherein a particular signature is removed from the signature database based on identifying that the particular signature was detected within network traffic of a particular network in excess of a threshold detection rate designated as a threshold percentage of all data objects detected in the network traffic;
  
  a security monitor to monitor security of the plurality of registered documents, the monitoring including identifying attempts to forward registered documents to nodes outside of the particular network by identifying data propagating within the particular network that includes one or more signatures maintained in the signature database and associated with the plurality of registered documents; and
  
  a registration module to maintain the signature database by removing a set of signatures from the database based on identification of a selected document to be de-registered in response to an expiration of a time interval associated with an initial registration of the selected document, and wherein data propagating within the particular network that is detected as not including a signature of at least one of the plurality of registered digital documents is allowed to be forwarded outside of the particular network.
- View Dependent Claims (31, 32)
- - 31. The apparatus of claim 30, wherein the set of signatures comprises signatures generated from unparsable source text.
  - 32. The apparatus of claim 30, wherein the set of signatures comprises signatures generated from source text appearing on a signature blacklist.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Ahuja, Ratinder Paul Singh, Howard, Matthew, Lowe, Rick, de la Iglesia, Erik, Deninger, William
Primary Examiner(s)
Orgad, Edan
Assistant Examiner(s)
Tolentino, Roderick

Application Number

US10/854,005
Publication Number

US 20050132198A1
Time in Patent Office

3,416 Days
Field of Search

713/189, 713155-159, 380/258, 380/255, 726 1- 36, 705/67
US Class Current

380/258
CPC Class Codes

H04L 63/1408 by monitoring network traff...

H04L 9/3247 involving digital signatures

Document de-registration

First Claim

12 Assignments

0 Petitions

Accused Products

Abstract

375 Citations

32 Claims

Specification

Solutions

Use Cases

Quick Links

Document de-registration

First Claim

12 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

375 Citations

32 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links