Network data transmission auditing

US 8,555,383 B1
Filed: 09/28/2010
Issued: 10/08/2013
Est. Priority Date: 09/28/2010
Status: Active Grant

First Claim

Patent Images

1. A system for analyzing network transmissions, the system comprising:

a computing interface configured to receive a data loss prevention (DLP) policy customizable by a user of a virtual network; and

a computing system comprising computer hardware, the computing system configured to;

associate virtual components of a virtual network with one or more nodes of a substrate network, the one or more nodes of the substrate network configured to at least partially simulate operation of the virtual components;

generate data transmission routes through the virtual network;

analyze data transmitted via the data transmission routes through the virtual network to detect a match to one or more criteria specified by the DLP policy;

in response to detection of the match, perform at least one of the following;

store at least a portion of the data in a snapshot;

orstore events associated with the data in a compliance log;

orprevent further transmission of at least a portion of the data; and

analyze at least one of the snapshot or the compliance log for additional matches to the DLP policy.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Network computing systems may implement data loss prevention (DLP) techniques to reduce or prevent unauthorized use or transmission of confidential information or to implement information controls mandated by statute, regulation, or industry standard. Implementations of network data transmission analysis systems and methods are disclosed that can use contextual information in a DLP policy to monitor data transmitted via the network. The contextual information may include information based on a network user'"'"'s organizational structure or services or network infrastructure. Some implementations may detect bank card information in network data transmissions. Some of the systems and methods may be implemented on a virtual network overlaid on one or more intermediate physical networks that are used as a substrate network.

83 Citations

View as Search Results

24 Claims

1. A system for analyzing network transmissions, the system comprising:
- a computing interface configured to receive a data loss prevention (DLP) policy customizable by a user of a virtual network; and
  
  a computing system comprising computer hardware, the computing system configured to;
  
  associate virtual components of a virtual network with one or more nodes of a substrate network, the one or more nodes of the substrate network configured to at least partially simulate operation of the virtual components;
  
  generate data transmission routes through the virtual network;
  
  analyze data transmitted via the data transmission routes through the virtual network to detect a match to one or more criteria specified by the DLP policy;
  
  in response to detection of the match, perform at least one of the following;
  
  store at least a portion of the data in a snapshot;
  
  orstore events associated with the data in a compliance log;
  
  orprevent further transmission of at least a portion of the data; and
  
  analyze at least one of the snapshot or the compliance log for additional matches to the DLP policy.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The system of claim 1, wherein the one or more criteria specified by the DLP policy comprise context criteria associated with at least one of:
    - (1) organizational structure or services provided by the user of the virtual network or (2) network infrastructure associated with intended or expected use or behavior of the virtual components of the virtual network.
  - 3. The system of claim 2, wherein the data comprises a plurality of data packets, each data packet comprising control information and payload information, the computing system configured to analyze the control information to detect a match to the context criteria.
  - 4. The system of claim 2, wherein the computing system is further configured to associate the context criteria with one or more nodes of the substrate network.
  - 5. The system of claim 1, wherein the one or more criteria specified by the DLP policy comprise content criteria associated with content of data transmitted via the virtual network.
  - 6. The system of claim 5, wherein the data comprises a plurality of data packets, each data packet comprising control information and payload information, the computing system configured to analyze the payload information to detect a match to the content criteria.
  - 7. The system of claim 1, wherein the computing system is configured to buffer a portion of the data transmitted via the virtual network, and the snapshot comprises at least some of the buffered portion.
  - 8. The system of claim 1, wherein the events comprise information associated with one or more of:
    - (1) DLP policy changes, (2) network configuration changes, (3) user account changes, or (4) attempts to access the compliance log.
  - 9. The system of claim 1, wherein the data transmitted by the virtual network comprises data intended for storage in a data repository accessible by the virtual network.

10. A method for analyzing network transmissions, the method comprising:
- under control of a virtual network comprising a substrate network associated with an overlay network, the substrate network comprising a plurality of physical computing nodes, the overlay network at least partially simulated by the substrate network,configuring the virtual network based at least in part on a data loss prevention (DLP) policy of a user of the virtual network, wherein the configuring comprises associating the DLP policy with at least one of the substrate network;
  
  analyzing a network flow transmitted via the virtual network to detect a subset of the network flow that matches one or more criteria specified by the DLP policy; and
  
  in response to detection of the match, performing at least one of the following;
  
  storing at least a portion of a data in a snapshot;
  
  orstoring events associated with the data in a compliance log;
  
  orpreventing further transmission of at least a portion of the data; and
  
  analyzing at least one of the snapshot or the compliance log for additional matches to the DLP policy.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21)
- - 11. The method of claim 10, wherein the one or more criteria specified by the DLP policy comprise context criteria associated with at least one of:
    - (1) organizational structure or services provided by the user of the virtual network or (2) network infrastructure associated with intended or expected use or behavior of the virtual components of the virtual network.
  - 12. The method of claim 10, further comprising buffering a portion of the data transmitted via the virtual network.
  - 13. The method of claim 12, wherein the buffering comprises buffering a portion of the data for a period of time.
  - 14. The method of claim 12, wherein the buffering comprises buffering a volume of the data.
  - 15. The method of claim 12, wherein the snapshot comprises at least some of the buffered portion of the data transmitted via the virtual network.
  - 16. The method of claim 10, wherein the events comprise information associated with one or more of:
    - (1) DLP policy changes, (2) network configuration changes, (3) user account changes, or (4) attempts to access the compliance log.
  - 17. The method of claim 10, further comprising receiving the DLP policy from the user of the virtual network.
  - 18. The method of claim 10, further comprising charging a fee to the user of the virtual network for analyzing the network flow.
  - 19. The method of claim 18, wherein the fee is based at least in part on one or more of:
    - (1) an amount of the network flow that is analyzed, (2) computing resources used for analyzing the network flow, or (3) storage capacity for the snapshot or the compliance log.
  - 20. The method of claim 10, wherein analyzing the network flow transmitted by the virtual network comprises analyzing all network flows that meet one or more criteria of the DLP policy.
  - 21. The method of claim 20, further comprising communicating a compliance assurance including information related to the analysis of the network flows.

22. A non-transitory computer-readable storage medium having computer-executable instructions stored thereon for analyzing network transmissions, the computer-readable storage medium comprising computer executable instructions for:
- analyzing a network flow transmitted via a virtual network, a virtual network comprising a substrate network associated with an overlay network, the substrate network comprising a plurality of physical computing nodes, the overlay network at least partially simulated by the substrate network,detecting a subset of the network flow that matches one or more criteria specified by a data loss prevention (DLP) policy; and
  
  in response to detection of the match, performing at least one of the following;
  
  storing at least a portion of a data in a snapshot;
  
  orstoring events associated with the data in a compliance log;
  
  orpreventing further transmission of at least a portion of the data; and
  
  analyzing at least one of the snapshot or the compliance log for additional matches to the DLP policy.
- View Dependent Claims (23, 24)
- - 23. The computer-readable storage medium of claim 22, further comprising computer executable instructions for configuring the virtual network based at least in part on the DLP policy, wherein the configuring comprises associating the DLP policy with at least one of the substrate network and the overlay network.
  - 24. The computer-readable storage medium of claim 22, further comprising computer executable instructions for buffering a portion of the data transmitted via the virtual network, the snapshot comprising at least some of the buffered portion of the data transmitted via the virtual network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Marshall, Bradley E., Phillips, Charles D., Brandwine, Eric J.
Primary Examiner(s)
Rahman, Mohammad L

Application Number

US12/892,665
Time in Patent Office

1,106 Days
Field of Search

726/15, 726/22
US Class Current

726/22
CPC Class Codes

H04L 63/20 for managing network securi...

H04L 69/22 Parsing or analysis of headers

Network data transmission auditing

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

83 Citations

24 Claims

Specification

Use Cases

Quick Links

Others

Network data transmission auditing

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

83 Citations

24 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others