Systems and methods employing delimiter searches to identify sensitive information in data

US 8,616,443 B2
Filed: 05/31/2011
Issued: 12/31/2013
Est. Priority Date: 05/28/2010
Status: Active Grant

First Claim

Patent Images

1. A system for identifying potentially sensitive information, comprising:

a scanning device configured to communicate with a memory device that stores data including potentially sensitive information, the scanning device programmed to;

identify a string of sequential bytes of at least one predetermined length in which each byte has a value corresponding to a decimal number;

evaluate a preceding byte immediately preceding the string of sequential bytes to determine whether the preceding byte has a value that corresponds to a known delimiter;

evaluate a following byte immediately following the string of sequential bytes to determine whether the following byte has a value that corresponds to a known delimiter;

identify each string immediately preceded by a preceding byte with a value corresponding to a known delimiter and immediately followed by a following byte with a value corresponding to a known delimiter as a suspected sensitive data string.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A data string that includes potentially sensitive information, such as an account number for a payment card, may be evaluated using a delimiter search to provide an increased level of confidence that the data string encodes the sensitive information of interest. A delimiter search may include an evaluation of the bytes adjacent to the beginning and end of the data to determine whether or not those bytes have values that correspond to the values of known delimiters. A data string that is not surrounded by known delimiters may be disregarded (i.e., considered not to comprise sensitive information of interest), while a data string that is surrounded by known delimiters may warrant further evaluation.

Citations

29 Claims

1. A system for identifying potentially sensitive information, comprising:
- a scanning device configured to communicate with a memory device that stores data including potentially sensitive information, the scanning device programmed to;
  
  identify a string of sequential bytes of at least one predetermined length in which each byte has a value corresponding to a decimal number;
  
  evaluate a preceding byte immediately preceding the string of sequential bytes to determine whether the preceding byte has a value that corresponds to a known delimiter;
  
  evaluate a following byte immediately following the string of sequential bytes to determine whether the following byte has a value that corresponds to a known delimiter;
  
  identify each string immediately preceded by a preceding byte with a value corresponding to a known delimiter and immediately followed by a following byte with a value corresponding to a known delimiter as a suspected sensitive data string.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The system of claim 1, wherein the scanning device is programmed to identify each string immediately preceded by a preceding byte with a value corresponding to a known delimiter and immediately followed by a following byte with a value corresponding to a known delimiter as the suspected sensitive data string when the value of the preceding byte and the value of the following byte correspond to a same known delimiter.
  - 3. The system of claim 1, wherein the at least one predetermined length of the string of sequential bytes corresponds to a length of sensitive information of interest.
  - 4. The system of claim 3, wherein the at least one predetermined length of the string of sequential bytes is about four bytes to about sixteen bytes.
  - 5. The system of claim 4, wherein the at least one predetermined length of the string of sequential bytes is about thirteen bytes to about sixteen bytes.
  - 6. The system of claim 1, wherein the scanning device is also programmed to:
    - intermittently scan the data to identify a data string of sequential bytes that correspond to decimal numerals, the data string having a length that corresponds to the at least one predetermined length.
  - 7. The system of claim 6, wherein the scanning device is programmed to evaluate each n-th byte of at least a portion of the data, with n corresponding to the at least one predetermined length.
  - 8. The system of claim 7, wherein the scanning device is also programmed to:
    - evaluate whether bytes of a substring of the suspected sensitive data string collectively correspond to a known identifier of sensitive data.
  - 9. The system of claim 8, wherein the scanning device is also programmed to:
    - compare the suspected sensitive data string to a trie to determine a likelihood that the suspected sensitive data string comprises an actual sensitive data string.
  - 10. The system of claim 1, wherein the scanning device is also programmed to:
    - evaluate whether bytes of a substring of the suspected sensitive data string collectively correspond to a known identifier of sensitive data.
  - 11. The system of claim 1, wherein the scanning device is also programmed to:
    - compare the suspected sensitive data string to a trie to determine a likelihood that the suspected sensitive data string comprises an actual sensitive data string.

12. A system for identifying potentially sensitive information, comprising:
- a memory device in which data including potentially sensitive information is stored; and
  
  a scanning device in communication with the memory device, the scanning device programmed to;
  
  identify a string of sequential bytes of at least one predetermined length in which each byte has a value corresponding to a decimal number;
  
  evaluate a preceding byte immediately preceding the string of sequential bytes to determine whether the preceding has a value that corresponds to a known delimiter;
  
  evaluate a following byte immediately following the string of sequential bytes to determine whether the following byte has a value that corresponds to a known delimiter;
  
  identify each string immediately preceded by a preceding byte with a value corresponding to a known delimiter and immediately followed by a following byte with a value corresponding to a known delimiter as a suspected sensitive data string.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19)
- - 13. The system of claim 12, further comprising:
    - an administrator that commissions scanning of the memory device.
  - 14. The system of claim 13, wherein the scanning device is also programmed to:
    - report the suspected sensitive data string to the administrator.
  - 15. The system of claim 12, wherein the scanning device is also programmed to:
    - intermittently scan the data to identify a data string of sequential bytes that correspond to decimal numerals, the data string having a length that corresponds to the at least one predetermined length.
  - 16. The system of claim 15, wherein the scanning device is programmed to evaluate each n-th byte of at least a portion of the data, with n corresponding to the at least one predetermined length.
  - 17. The system of claim 12, wherein the scanning device is also programmed to:
    - evaluate whether bytes of a substring of the suspected sensitive data string collectively correspond to a known identifier of sensitive data.
  - 18. The system of claim 17, wherein the known identifier of sensitive data comprises a bank identification number.
  - 19. The system of claim 12, wherein the scanning device is also programmed to:
    - compare the suspected sensitive data string to a trie to determine a likelihood that the suspected sensitive data string comprises an actual sensitive data string.

20. A system for identifying potential payment card numbers, comprising:
- a scanning device for evaluating data stored by a memory device under control of a merchant, the data including potential payment card numbers, the scanning device programmed to;
  
  identify a string of sequential bytes of about thirteen bytes to about sixteen bytes in which each byte has a value corresponding to a decimal number;
  
  evaluate a preceding byte immediately preceding the string of sequential bytes to determine whether the preceding byte has a value that corresponds to a known delimiter;
  
  evaluate a following byte immediately following the string of sequential bytes to determine whether the following byte has a value that corresponds to a known delimiter;
  
  identify each string immediately preceded by a preceding byte with a value corresponding to a known delimiter and immediately followed by a following byte with a value corresponding to a known delimiter as a suspected payment card number.
- View Dependent Claims (21, 22, 23, 24, 25, 26, 27, 28, 29)
- - 21. The system of claim 20, wherein the known delimiter includes at least one of a space, a tab, a comma, a forward slash and a backslash.
  - 22. The system of claim 20, wherein the scanning device is programmed to identify a string of sequential bytes of about thirteen bytes to about sixteen bytes in which each byte has a value corresponding to a decimal number by:
    - evaluating every thirteenth byte of the data;
      
      tagging each thirteenth byte that corresponds to a decimal number to provide a tagged byte;
      
      enumerating the tagged byte;
      
      sequentially evaluating and enumerating bytes preceding and following each tagged byte until a value of a preceding sequentially evaluated byte and a value of a following sequentially evaluated byte does not correspond to a decimal number; and
      
      determining whether a number of sequential enumerated bytes is between thirteen and sixteen bytes, inclusive.
  - 23. The system of claim 20, wherein the scanning device is also programmed to:
    - evaluate whether a group of bytes of the suspected payment card number collectively corresponds to a known bank identification number.
  - 24. The system of claim 23, wherein the group of bytes of the suspected payment card number comprises a first four bytes, a first five bytes, or a first six bytes of the suspected payment card number.
  - 25. The system of claim 20, wherein the scanning device is also programmed to:
    - compare the suspected payment card number to a trie to determine a likelihood that the suspected payment card number comprises an actual payment card number.
  - 26. The system of claim 20, further comprising:
    - the merchant; and
      
      the memory device.
  - 27. The system of claim 26, further comprising:
    - an administrator that sets a data security standard and commissions scanning of the memory device to determine the merchant'"'"'s compliance with the data security standard.
  - 28. The system of claim 27, wherein the administrator comprises at least one of an acquirer and an issuer.
  - 29. The system of claim 27, further comprising:
    - a compliance monitor that operates the scanning device when commissioned by the administrator.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SecurityMetrics, Inc.
Original Assignee
SecurityMetrics, Inc.
Inventors
Butt, Alan B., Stocks, Nathan K.
Primary Examiner(s)
Lee, Wilson

Application Number

US13/149,566
Publication Number

US 20120016895A1
Time in Patent Office

945 Days
Field of Search

707802-812, 235380-3825, 705 39- 42, 726 22- 25
US Class Current

235/380
CPC Class Codes

G06F 16/90344 by using string matching te...

G06Q 20/4016 involving fraud or risk lev...

Systems and methods employing delimiter searches to identify sensitive information in data

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

29 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods employing delimiter searches to identify sensitive information in data

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

29 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links