Method and system for tracing information leaks in organizations through syntactic and linguistic signatures

US 8,826,430 B2
Filed: 11/13/2012
Issued: 09/02/2014
Est. Priority Date: 11/13/2012
Status: Expired due to Fees

First Claim

Patent Images

1. A computer-executable method for tracing information leaks, comprising:

obtaining, by a computing device, a disseminated document to analyze;

determining, from a collection of original documents, an original document that is most similar to the disseminated document;

comparing the disseminated document to the most similar original document to determine differences between the disseminated document and the most similar original document;

querying a database containing changes to documents, using the determined differences, to determine a most similar changed document;

determining a distance value by comparing changes from the most similar changed document with the determined differences from the disseminated document; and

responsive to determining that the distance value is less than a threshold value, determining a user identifier for a user associated with the most similar changed document.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

One embodiment of the present invention provides a system for tracing information leaks. The system introduces linguistic and syntactic changes to a document, and associates these changes with a user identifier, which facilitates identification of a user that may have leaked the document. During operation, the system receives a document. The system then determines a most similar original document based on the received document. The system determines difference between the most similar original document and the received document, and determines a user identifier based on the determined difference.

Citations

16 Claims

1. A computer-executable method for tracing information leaks, comprising:
- obtaining, by a computing device, a disseminated document to analyze;
  
  determining, from a collection of original documents, an original document that is most similar to the disseminated document;
  
  comparing the disseminated document to the most similar original document to determine differences between the disseminated document and the most similar original document;
  
  querying a database containing changes to documents, using the determined differences, to determine a most similar changed document;
  
  determining a distance value by comparing changes from the most similar changed document with the determined differences from the disseminated document; and
  
  responsive to determining that the distance value is less than a threshold value, determining a user identifier for a user associated with the most similar changed document.
- View Dependent Claims (2, 3, 4, 5, 16)
- - 2. The method of claim 1, further comprising:
    - searching among change records for changes that are most similar to a determined difference between a second most similar original document and a second disseminated document; and
      
      determining a second user identifier associated with the changes that are most similar to the determined difference.
  - 3. The method of claim 1, further comprising:
    - receiving a request for a specific document from a user;
      
      retrieving the requested document from a storage;
      
      determining a change to be applied to the requested document;
      
      changing the requested document according to the determined change; and
      
      providing the requested document to the user.
  - 4. The method of claim 3, wherein the change includes one or more of:
    - replacing a character in the requested document with an alternative character,replacing a word in the requested document with a synonym for the word,determining a part of speech category for the synonym,repeating a character in the requested document, and/oradding typographical errors to the requested document.
  - 5. The method of claim 3, further comprising:
    - storing, in a database, the determined changes with a document identifier and a particular user identifier associated with the user.
  - 16. The method of claim 1, wherein the changes associated with the most similar changed document include syntactical changes.

6. A computing system for tracing information leaks, the system comprising:
- one or more processors,a computer-readable medium coupled to the one or more processors having instructions stored thereon that, when executed by the one or more processors, cause the one or more processors to perform operations comprising;
  
  obtaining a disseminated document to analyze;
  
  determining, from a collection of original documents, an original document that is most similar to the disseminated document;
  
  comparing the disseminated document to the most similar original document to determine differences between the disseminated document and the most similar original document;
  
  querying a database containing changes to documents, using the determined differences, to determine a most similar changed document;
  
  determining a distance value by comparing changes from the most similar changed document with the determined differences from the disseminated document; and
  
  responsive to determining that the distance value is less than a threshold value, determining a user identifier for a user associated with the most similar changed document.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The computing system of claim 6, further comprising:
    - searching among change records for changes that are most similar to a determined difference between a second most similar original document and a second disseminated document; and
      
      determining a second user identifier associated with the changes that are most similar to the determined difference.
  - 8. The computing system of claim 6, wherein the computer-readable storage medium stores additional instructions that, when executed, cause the one or more processors to perform additional steps comprising:
    - receiving a request for a specific document from a user;
      
      retrieving the requested document from a storage;
      
      determining a change to be applied to the requested document;
      
      changing the requested document according to the determined change; and
      
      providing the requested document to the user.
  - 9. The computing system of claim 8, wherein the change includes one or more of:
    - replacing a character in the requested document with an alternative character,replacing a word in the requested document with a synonym for the word,determining a part of speech category for the synonym,repeating a character in the requested document, and/oradding typographical errors to the requested document.
  - 10. The computing system of claim 8, wherein the computer-readable storage medium stores additional instructions that, when executed, cause the one or more processors to perform additional steps comprising:
    - storing, in a database, the determined changes with a document identifier and a particular user identifier associated with the user.

11. A non-transitory computer-readable storage medium storing instructions that when executed by a computer cause the computer to perform a method for tracing information leaks, the method comprising:
- obtaining a disseminated document to analyze;
  
  determining, from a collection of original documents, an original document that is most similar to the disseminated document;
  
  comparing the disseminated document to the most similar original document to determine differences between the disseminated document and the most similar original document;
  
  querying a database containing changes to documents, using the determined differences, to determine a most similar changed document;
  
  determining a distance value by comparing changes from the most similar changed document with the determined differences from the disseminated document; and
  
  responsive to determining that the distance value is less than a threshold value, determining a user identifier for a user associated with the most similar changed document.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The non-transitory computer-readable storage medium of claim 11, wherein the method further comprises:
    - searching among change records for changes that are most similar to a determined difference between a second most similar original document and a second disseminated document; and
      
      determining a second user identifier associated with the changes that are most similar to the determined difference.
  - 13. The non-transitory computer-readable storage medium of claim 11, wherein the computer-readable storage medium stores additional instructions that, when executed, cause the one or more processors to perform additional steps comprising:
    - receiving a request for a specific document from a user;
      
      retrieving the requested document from a storage;
      
      determining a change to be applied to the requested document;
      
      changing the requested document according to the determined change; and
      
      providing the requested document to the user.
  - 14. The non-transitory computer-readable storage medium of claim 13, wherein the computer-readable storage medium stores additional instructions that, when executed, cause the one or more processors to perform additional steps comprising:
    - replacing a character in the requested document with an alternative character,replacing a word in the requested document with a synonym for the word,determining a part of speech category for the synonym,repeating a character in the requested document, and/oradding typographical errors to the requested document.
  - 15. The non-transitory computer-readable storage medium of claim 13, wherein the computer-readable storage medium stores additional instructions that, when executed, cause the one or more processors to perform additional steps comprising:
    - storing, in a database, the determined changes with a document identifier and a particular user identifier associated with the user.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Palo Alto Research Center, Inc. (Xerox Holdings Corp.)
Original Assignee
Palo Alto Research Center, Inc. (Xerox Holdings Corp.)
Inventors
Brdiczka, Oliver, Likarish, Peter, Mahadevan, Priya
Primary Examiner(s)
Barron, Jr., Gilberto
Assistant Examiner(s)
Cribbs, Malcolm

Application Number

US13/675,982
Publication Number

US 20140137238A1
Time in Patent Office

658 Days
Field of Search

None
US Class Current

726/22
CPC Class Codes

G06F 21/556   involving covert channels, ...

G06F 21/64   Protecting data integrity, ...

G06F 2221/2101   Auditing as a secondary aspect

G06F 2221/2117   User registration

Method and system for tracing information leaks in organizations through syntactic and linguistic signatures

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for tracing information leaks in organizations through syntactic and linguistic signatures

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links