Method and apparatus for detecting unauthorized bulk forwarding of sensitive data over a network
First Claim
1. An apparatus for automatically detecting bulk forwarding of email from a first network environment, the apparatus comprising:
- a memory; and
at least one hardware device, coupled to the memory, operative to;
determine an arrival rate for internal emails received from within said first network environment into one or more user accounts within said first network environment;
determine a sending rate for external emails sent from said one or more user accounts to a second network environment; and
detect said bulk forwarding of email from a given one of said user accounts by comparing said arrival rate for said internal emails and said sending rate for said external emails.
1 Assignment
0 Petitions
Accused Products
Abstract
Methods and apparatus are provided for detecting unauthorized bulk forwarding of sensitive data over a network. A bulk forwarding of email from a first network environment is automatically detected by determining an arrival rate for internal emails received from within the first network environment into one or more user accounts; determining a sending rate for external emails sent from the one or more user accounts to a second network environment; and detecting the bulk forwarding of email from a given user account by comparing the arrival rate for internal emails and the sending rate for external emails. The bulk forwarding of email from a given user account can be detected by determining whether statistical models of the arrival rate for internal emails and of the sending rate for external emails are correlated in time.
34 Citations
16 Claims
-
1. An apparatus for automatically detecting bulk forwarding of email from a first network environment, the apparatus comprising:
-
a memory; and at least one hardware device, coupled to the memory, operative to; determine an arrival rate for internal emails received from within said first network environment into one or more user accounts within said first network environment; determine a sending rate for external emails sent from said one or more user accounts to a second network environment; and detect said bulk forwarding of email from a given one of said user accounts by comparing said arrival rate for said internal emails and said sending rate for said external emails. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
-
-
10. An article of manufacture for automatically detecting bulk forwarding of email from a first network environment, comprising a non-transitory machine readable recordable medium containing one or more programs which when executed implement the steps of:
-
determining an arrival rate for internal emails received from within said first network environment into one or more user accounts within said first network environment; determining a sending rate for external emails sent from said one or more user accounts to a second network environment; and detecting said bulk forwarding of email from a given one of said user accounts by comparing said arrival rate for said internal emails and said sending rate for said external emails. - View Dependent Claims (11, 12, 13, 14, 15, 16)
-
Specification