Method and system for detecting and protecting against potential data loss from unknown applications

US 8,943,546 B1
Filed: 06/05/2013
Issued: 01/27/2015
Est. Priority Date: 01/27/2012
Status: Expired due to Fees

First Claim

Patent Images

1. A computer-implemented method, comprising:

detecting, by a client computing device, that a local application has accessed a document on the client computing device;

determining that the document contains sensitive data according to one or more endpoint data loss prevention (DLP) polices;

determining that the local application and a type of the document is not included in a whitelist of the DLP policies;

presenting a notice to a user of the application that the application is subject to capture of visual data that presents privacy issues;

capturing visual data pertaining to one or more operations that the application performs on the document; and

sending the captured visual data to a server, wherein the server analyzes the captured visual data to determine if the captured visual data indicates at least one of a malicious or a suspicious activity occurred with respect to the document on the endpoint device.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for detecting and protecting against potential data loss from unknown applications is described. In one embodiment, a method includes detecting, by a client computing device, that a local application has accessed a document on the client computing device, determining that the document contains sensitive data according to one or more endpoint data loss prevention (DLP) polices, determining that the local application and a type of the document is not included in a whitelist of the DLP policies, capturing visual data pertaining to one or more operations that the application performs on the document, and sending the captured visual data to a server.

11 Citations

View as Search Results

20 Claims

1. A computer-implemented method, comprising:
- detecting, by a client computing device, that a local application has accessed a document on the client computing device;
  
  determining that the document contains sensitive data according to one or more endpoint data loss prevention (DLP) polices;
  
  determining that the local application and a type of the document is not included in a whitelist of the DLP policies;
  
  presenting a notice to a user of the application that the application is subject to capture of visual data that presents privacy issues;
  
  capturing visual data pertaining to one or more operations that the application performs on the document; and
  
  sending the captured visual data to a server, wherein the server analyzes the captured visual data to determine if the captured visual data indicates at least one of a malicious or a suspicious activity occurred with respect to the document on the endpoint device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The computer-implemented method of claim 1, further comprising receiving one or more updated DLP policies from the server, the one or more updated DLP policies comprising changes based on the captured visual data.
  - 3. The computer-implemented method of claim 2, wherein the one or more updated DLP policies cause the client computing device to at least one of blacklist the combination of the application and document type, restrict access to the document, encrypt the document, or move the document to a different location.
  - 4. The computer-implemented method of claim 1, wherein the client computing device utilizes one or more application programming interfaces (APIs) of an operating system of the client computing device in order capture the visual data.
  - 5. The computer-implemented method of claim 1, wherein the visual data is captured at periodic time intervals over a time span that the application is in use.
  - 6. The computer-implemented method of claim 1, wherein the server is an enforcement server.
  - 7. The computer-implemented method of claim 1, wherein the whitelist comprises one or more different application and document type pairs that have been approved by an administrator of the client computing device as being an allowable combination.
  - 8. The computer-implemented method of claim 1, further comprising, prior to the capturing:
    - allowing access to the document when the user acknowledges and accepts the notice.

9. An endpoint device, comprising:
- a memory to store instructions for a data loss prevention (DLP) policy; and
  
  a processing device coupled with the memory, wherein the processing device is configured to;
  
  detect that a local application has accessed a document on the endpoint device;
  
  determine that the document contains sensitive data according to one or more endpoint data loss prevention (DLP) polices;
  
  determine that the local application and a type of the document is not included in a whitelist of the DLP policies;
  
  present a notice to a user of the application that the application may be subject to capture of visual data that presents privacy issues;
  
  capture visual data pertaining to one or more operations that the application performs on the document; and
  
  send the captured visual data to a server, wherein the server analyzes the captured visual data to determine if the captured visual data indicates at least one of a malicious or a suspicious activity occurred with respect to the document on the endpoint device.
- View Dependent Claims (10, 11, 12, 13, 14, 15)
- - 10. The endpoint device of claim 9, further comprising receiving one or more updated DLP policies from the server, the one or more updated DLP policies comprising changes based on the captured visual data.
  - 11. The endpoint device of claim 10, wherein the one or more updated DLP policies cause the processing device to at least one of blacklist the combination of the application and document type, restrict access to the document, encrypt the document, or move the document to a different location.
  - 12. The endpoint device of claim 9, wherein the visual data is captured at periodic time intervals over a time span that the application is in use.
  - 13. The endpoint device of claim 9, wherein the server is an enforcement server.
  - 14. The endpoint device of claim 9, wherein the whitelist comprises one or more different application and document type pairs that have been approved by an administrator of the endpoint device as being an allowable combination.
  - 15. The endpoint device of claim 9, further comprising, prior to the capturing:
    - allowing access to the document when the user acknowledges and accepts the notice.

16. A non-transitory computer readable storage medium including instructions that, when executed by a processing device, cause the processing device to perform operations comprising:
- receiving, by the processing device, data representing captured visual data pertaining to an application manipulating a sensitive document at a client computing device executing an endpoint data loss prevention (DLP) system, wherein the client computing device presents a notice to a user of the application that the application may be subject to capture of visual data that presents privacy issues;
  
  analyzing, by the processing device, the received captured visual data to determine whether at least one of suspicious or malicious activity occurred with respect to the sensitive document;
  
  updating, by the processing device, one or more DLP policies based on the results of the analysis; and
  
  deploying, by the processing device, the one or more updated DLP policies.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The non-transitory computer readable storage medium of claim 16, wherein the one or more updated DLP policies are deployed to one or more endpoint DLP systems and cause the one or more endpoint DLP systems to at least one of blacklist the combination of the application and document type, restrict access to the document, encrypt the document, or move the document to a different location.
  - 18. The non-transitory computer readable storage medium of claim 16, wherein the visual data is captured at periodic time intervals over a time span that the application is in use.
  - 19. The non-transitory computer readable storage medium of claim 16, wherein the operations further comprise maintaining a whitelist comprising one or more different application and document type pairs that have been approved by an administrator of computing device comprising the processing device and is part of the one or more updated DLP policies.
  - 20. The non-transitory computer readable storage medium of claim 19, wherein the operations further comprise:
    - if, based on the analysis, operations of the application manipulating the sensitive document are not at least one of suspicious or malicious, then adding a combination of the application and a type of the sensitive document to the whitelist.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Khetawat, Rupesh
Primary Examiner(s)
Gergiso, Techane

Application Number

US13/910,892
Time in Patent Office

601 Days
Field of Search

726/1
US Class Current

726/1
CPC Class Codes

G06F 21/55   Detecting local intrusion o...

G06F 21/60   Protecting data

G06F 21/62   Protecting access to data v...

H04L 63/20   for managing network securi...

Method and system for detecting and protecting against potential data loss from unknown applications

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

11 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for detecting and protecting against potential data loss from unknown applications

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

11 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links