Network data transmission analysis

US 8,565,108 B1
Filed: 09/28/2010
Issued: 10/22/2013
Est. Priority Date: 09/28/2010
Status: Active Grant

First Claim

Patent Images

1. A method for analyzing data transmitted through a virtual network, the method comprising:

under control of a virtual network comprising a substrate network associated with an overlay network, the substrate network comprising a plurality of physical computing nodes, the overlay network at least partially simulated by the substrate network,configuring the virtual network based at least in part on a DLP policy that includes context criteria and content criteria, the context criteria comprising information about organizational structure or services of a user of the virtual network, wherein the configuring comprises associating the information about the organizational structure or services of the virtual network user with at least one of the substrate network and the overlay network;

receiving a network flow transmitted via the virtual network, the network flow comprising information related to the information about the organizational structure or services of the virtual network user;

analyzing the network flow to detect a first subset of the network flow that includes matches to at least one of the context criteria;

analyzing the first subset of the network flow to detect a second subset of the network flow that includes matches to at least one of the content criteria; and

performing an action on at least a portion of the second subset of the network flow.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Network computing systems may implement data loss prevention (DLP) techniques to reduce or prevent unauthorized use or transmission of confidential information or to implement information controls mandated by statute, regulation, or industry standard. Implementations of network data transmission analysis systems and methods are disclosed that can use contextual information in a DLP policy to monitor data transmitted via the network. The contextual information may include information based on a network user'"'"'s organizational structure or services or network infrastructure. Some implementations may detect bank card information in network data transmissions. Some of the systems and methods may be implemented on a virtual network overlaid on one or more intermediate physical networks that are used as a substrate network.

235 Citations

30 Claims

1. A method for analyzing data transmitted through a virtual network, the method comprising:
- under control of a virtual network comprising a substrate network associated with an overlay network, the substrate network comprising a plurality of physical computing nodes, the overlay network at least partially simulated by the substrate network,configuring the virtual network based at least in part on a DLP policy that includes context criteria and content criteria, the context criteria comprising information about organizational structure or services of a user of the virtual network, wherein the configuring comprises associating the information about the organizational structure or services of the virtual network user with at least one of the substrate network and the overlay network;
  
  receiving a network flow transmitted via the virtual network, the network flow comprising information related to the information about the organizational structure or services of the virtual network user;
  
  analyzing the network flow to detect a first subset of the network flow that includes matches to at least one of the context criteria;
  
  analyzing the first subset of the network flow to detect a second subset of the network flow that includes matches to at least one of the content criteria; and
  
  performing an action on at least a portion of the second subset of the network flow.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 2. The method of claim 1, wherein the DLP policy is associated with a policy related to statutory or regulatory compliance.
  - 3. The method of claim 1, wherein the context criteria comprise information about one or more departments of the organizational structure.
  - 4. The method of claim 1, wherein the context criteria further comprise information associated with network infrastructure related to intended or expected use or behavior of the computing nodes of the virtual network.
  - 5. The method of claim 1, wherein the content criteria are associated with confidential information of the network user.
  - 6. The method of claim 5, wherein the confidential information comprises a trade secret or financial information.
  - 7. The method of claim 1, wherein the content criteria are associated with confidential information of a customer or client of the network user.
  - 8. The method of claim 7, wherein the confidential information comprises a bank card number or a social security number.
  - 9. The method of claim 8, wherein the confidential information comprises a bank card number, the method further comprising:
    - determining an Issuer Identification Number (IIN) from the bank card number; and
      
      comparing the IIN to a database comprising IINs for valid issuers of bank cards.
  - 10. The method of claim 7, wherein the confidential information comprises a medical record.
  - 11. The method of claim 1, wherein the network flow comprises a plurality of network packets, each network packet comprising control information and payload information.
  - 12. The method of claim 11, wherein analyzing the network flow to detect a first subset of the network flow that includes matches to at least one of the context criteria comprises analyzing the control information of a network packet.
  - 13. The method of claim 11, wherein analyzing the first subset of the network flow to detect a second subset of the network flow that includes matches to at least one of the content criteria comprises analyzing the payload information of a network packet.
  - 14. The method of claim 1, wherein performing the action comprises at least one of:
    - (1) tracing a network route taken by the at least a portion of the second subset of the network flow, (2) storing a snapshot of the at least a portion of the second subset of the network flow, (3) permitting or denying the at least a portion of the second subset of the network flow, (4) logging event data associated with the at least a portion of the second subset of the network flow, and (5) redirecting the at least a portion of the second subset of the network flow.
  - 15. The method of claim 1, further comprising receiving the DLP policy from the user of the virtual network.
  - 16. The method of claim 15, wherein the virtual network provides an Application Programming Interface (API) for programmatically interacting with the virtual network, and wherein receiving the DLP policy comprises receiving the DLP policy via the API.
  - 17. The method of claim 16, further comprising, in response to receiving the DLP policy, communicating confirmation information via the API.

18. A system for analyzing data transmitted through a virtual network, the system comprising:
- one or more physical computing devices configured to;
  
  associate virtual components of a virtual network with one or more computing nodes of a substrate network, the one or more computing nodes of the substrate network configured to at least partially simulate operation of the virtual components;
  
  associate a data loss prevention (DLP) policy with at least one of the substrate network and the virtual components of the virtual network, the DLP policy specifying context criteria and content criteria, the context criteria comprising information about organizational structure or services of a user of the virtual network;
  
  receive a network flow transmitted via the virtual network, the network flow comprising information related to the organizational structure or services of the virtual network user;
  
  analyze the network flow to detect a subset of the network flow that includes matches to at least one of the context criteria and at least one of the content criteria; and
  
  perform an action on at least a portion of the second subset of the network flow.
- View Dependent Claims (19, 20, 21, 22, 23)
- - 19. The system of claim 18, wherein the context criteria further comprise information associated with network infrastructure related to intended or expected use or behavior of the computing nodes of the virtual network.
  - 20. The system of claim 18, wherein the network flow comprises a plurality of network packets, each network packet comprising control information and payload information.
  - 21. The system of claim 20, wherein the system is configured to analyze the control information of the network packet to detect the subset of the network flow that includes matches to at least one of the context criteria and at least one of the content criteria.
  - 22. The system of claim 20, wherein the system is configured to analyze the payload information of the network packet to detect the subset of the network flow that includes matches to at least one of the context criteria and at least one of the content criteria.
  - 23. The system of claim 18, wherein the action comprises at least one of:
    - (1) tracing a network route taken by the at least a portion of the second subset of the network flow, (2) storing a snapshot of the at least a portion of the second subset of the network flow, (3) permitting or denying the at least a portion of the second subset of the network flow, (4) logging event data associated with the at least a portion of the second subset of the network flow, and (5) redirecting the at least a portion of the second subset of the network flow.

24. A method for detecting bank card information in network data transmissions, the method comprising:
- by a computer system comprising one or more physical computing devices, the computing system configured to associate virtual components of a virtual network with one or more nodes of a substrate network, the one or more nodes of the substrate network configured to at least partially simulate operation of the virtual components,analyzing a network flow based at least in part on a data loss prevention (DLP) policy of a user of the virtual network, the DLP policy comprising a bank card policy associated with identification of bank card information, the bank card information comprising information associated with an Issuer Identification Number (IIN);
  
  detecting a portion of the network flow that includes matches based at least in part on the bank card policy; and
  
  performing an action on the portion of the network flow based at least in part on the DLP policy.
- View Dependent Claims (25, 26, 27, 28, 29, 30)
- - 25. The method of claim 24, wherein the action comprises at least one of:
    - (1) tracing a network route taken by the portion of the network flow, (2) storing a snapshot of the portion of the network flow, (3) permitting or denying the portion of the network flow, (4) logging event data associated with the portion of the network flow, and (5) redirecting the portion of the network flow.
  - 26. The method of claim 24, wherein detecting the portion of the network flow that includes matches based at least in part on the bank card policy comprises:
    - comparing the portion of the network flow to data comprising a plurality of IINs associated with valid issuers of bank cards, and wherein the comparing is used to determine whether an IIN included in the portion of the network flow is associated with a valid issuer.
  - 27. The method of claim 26, wherein the data comprising a plurality of IINs associated with valid issuers of bank cards is obtained by analyzing bank card information provided by customers of an e-commerce system.
  - 28. The method of claim 27, wherein the e-commerce system provides an electronic catalog of items, and the bank card information provided by customers is used to obtain items from the electronic catalog.
  - 29. The method of claim 26, further comprising:
    - if the IIN is associated with a valid issuer, flagging the bank card as valid; and
      
      if the IIN is not associated with a valid issuer, flagging the bank card as invalid.
  - 30. The method of claim 29, further comprising, if the bank card is flagged as valid, permitting a transaction for which the bank card is used to provide payment.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Marshall, Bradley E., Phillips, Charles D., Brandwine, Eric J.
Primary Examiner(s)
MEW, KEVIN D

Application Number

US12/892,741
Time in Patent Office

1,120 Days
Field of Search

370/241, 370/252, 726/1, 709223-225
US Class Current

370/252
CPC Class Codes

G06F 21/60   Protecting data

H04L 63/0227   Filtering policies mail mes...

H04L 63/20   for managing network securi...

Network data transmission analysis

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

235 Citations

30 Claims

Specification

Use Cases

Quick Links

Others

Network data transmission analysis

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

235 Citations

30 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others