Method and apparatus for detecting unauthorized bulk forwarding of sensitive data over a network

US 8,938,511 B2
Filed: 06/12/2012
Issued: 01/20/2015
Est. Priority Date: 06/12/2012
Status: Active Grant

First Claim

Patent Images

1. An apparatus for automatically detecting bulk forwarding of email from a first network environment, the apparatus comprising:

a memory; and

at least one hardware device, coupled to the memory, operative to;

determine an arrival rate for internal emails received from within said first network environment into one or more user accounts within said first network environment;

determine a sending rate for external emails sent from said one or more user accounts to a second network environment; and

detect said bulk forwarding of email from a given one of said user accounts by comparing said arrival rate for said internal emails and said sending rate for said external emails.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and apparatus are provided for detecting unauthorized bulk forwarding of sensitive data over a network. A bulk forwarding of email from a first network environment is automatically detected by determining an arrival rate for internal emails received from within the first network environment into one or more user accounts; determining a sending rate for external emails sent from the one or more user accounts to a second network environment; and detecting the bulk forwarding of email from a given user account by comparing the arrival rate for internal emails and the sending rate for external emails. The bulk forwarding of email from a given user account can be detected by determining whether statistical models of the arrival rate for internal emails and of the sending rate for external emails are correlated in time.

34 Citations

View as Search Results

16 Claims

1. An apparatus for automatically detecting bulk forwarding of email from a first network environment, the apparatus comprising:
- a memory; and
  
  at least one hardware device, coupled to the memory, operative to;
  
  determine an arrival rate for internal emails received from within said first network environment into one or more user accounts within said first network environment;
  
  determine a sending rate for external emails sent from said one or more user accounts to a second network environment; and
  
  detect said bulk forwarding of email from a given one of said user accounts by comparing said arrival rate for said internal emails and said sending rate for said external emails.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The apparatus of claim 1, wherein said arrival rate for said internal emails is determined by obtaining a statistical model of said arriving internal emails.
  - 3. The apparatus of claim 1, wherein said sending rate for said external emails is determined by obtaining a statistical model of said sent internal emails.
  - 4. The apparatus of claim 1, wherein said sending rate for said external emails sent from said one or more user accounts is determined by deriving a sending rate for said external emails sent from one or more computer systems connected to said first network environment and mapping said one or more user accounts to said one or more computer systems.
  - 5. The apparatus of claim 1, wherein said bulk forwarding of email from said given one of said user accounts is detected by determining whether a statistical model of said arrival rate for said internal emails and a statistical model of said sending rate for said external emails are correlated in time.
  - 6. The apparatus of claim 5, wherein said determination of whether said statistical models are correlated in time comprises an evaluation of one or more of timing, size, and content characteristics of said internal emails received from within said first network environment and said external emails sent from said one or more user accounts.
  - 7. The apparatus of claim 5, wherein one or more of said statistical models comprise a discrete distribution of message sizes over a time window.
  - 8. The apparatus of claim 5, wherein one or more of said statistical models measure similarity between a stream of said arriving internal emails and a stream of said sent external emails.
  - 9. The apparatus of claim 1, wherein said at least one hardware device is further configured to generate an alert for review.

10. An article of manufacture for automatically detecting bulk forwarding of email from a first network environment, comprising a non-transitory machine readable recordable medium containing one or more programs which when executed implement the steps of:
- determining an arrival rate for internal emails received from within said first network environment into one or more user accounts within said first network environment;
  
  determining a sending rate for external emails sent from said one or more user accounts to a second network environment; and
  
  detecting said bulk forwarding of email from a given one of said user accounts by comparing said arrival rate for said internal emails and said sending rate for said external emails.
- View Dependent Claims (11, 12, 13, 14, 15, 16)
- - 11. The article of manufacture of claim 10, wherein said step of determining said arrival rate for said internal emails further comprises the step of obtaining a statistical model of said arriving internal emails.
  - 12. The article of manufacture of claim 10, wherein said step of determining said sending rate for said external emails further comprises the step of obtaining a statistical model of said sent internal emails.
  - 13. The article of manufacture of claim 10, wherein said step of determining said sending rate for said external emails sent from said one or more user accounts further comprises the steps of deriving a sending rate for said external emails sent from one or more computer systems connected to said first network environment and mapping said one or more user accounts to said one or more computer systems.
  - 14. The article of manufacture of claim 10, wherein said step of detecting said bulk forwarding of email from said given one of said user accounts further comprises the step of determining whether a statistical model of said arrival rate for said internal emails and a statistical model of said sending rate for said external emails are correlated in time.
  - 15. The article of manufacture of claim 14, wherein one or more of said statistical models comprise a discrete distribution of message sizes over a time window.
  - 16. The article of manufacture of claim 14, wherein one or more of said statistical models measure similarity between a stream of said arriving internal emails and a stream of said sent external emails.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Christodorescu, Mihai, Rao, Josyula R., Sailer, Reiner, Schales, Douglas Lee
Primary Examiner(s)
Chang, Jungwon

Application Number

US13/494,101
Publication Number

US 20130332539A1
Time in Patent Office

952 Days
Field of Search

709/206, 709/201, 709/238, 709/224, 707/3, 370/236
US Class Current

709/206
CPC Class Codes

G06Q 10/107   Computer-aided management o...

H04L 51/212   using filtering or selectiv...

H04L 51/52   for supporting social netwo...

Method and apparatus for detecting unauthorized bulk forwarding of sensitive data over a network

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

34 Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for detecting unauthorized bulk forwarding of sensitive data over a network

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

34 Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links