Systems and methods for applying data-loss-prevention policies

US 9,003,475 B1
Filed: 06/05/2012
Issued: 04/07/2015
Est. Priority Date: 06/05/2012
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for applying data-loss-prevention policies, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:

maintaining a list of applications whose access to sensitive data is controlled by data-loss-prevention (DLP) policies;

monitoring loading of an application within the list of applications by one or more processes;

detecting an attempt by a process to access sensitive data;

determining that the process has loaded the application;

applying, based at least in part on the determination that the process has loaded the application, a DLP policy associated with the application to the process in order to prevent loss of sensitive data.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer-implemented method for applying data-loss-prevention policies. The method may include (1) maintaining a list of applications whose access to sensitive data is controlled by data-loss-prevention (DLP) policies, (2) detecting an attempt by a process to access sensitive data, (3) determining that the process has a parent-child relationship with an application within the list of applications, and (4) applying, based at least in part on the determination that the process has the parent-child relationship with the application, a DLP policy associated with the application to the process in order to prevent loss of sensitive data. Various other methods, systems, and computer-readable media are also disclosed.

22 Citations

View as Search Results

20 Claims

1. A computer-implemented method for applying data-loss-prevention policies, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:
- maintaining a list of applications whose access to sensitive data is controlled by data-loss-prevention (DLP) policies;
  
  monitoring loading of an application within the list of applications by one or more processes;
  
  detecting an attempt by a process to access sensitive data;
  
  determining that the process has loaded the application;
  
  applying, based at least in part on the determination that the process has loaded the application, a DLP policy associated with the application to the process in order to prevent loss of sensitive data.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The computer-implemented method of claim 1, wherein:
    - the process comprises a host process that is capable of simultaneously hosting multiple applications;
      
      the application comprises a hosted application that is hosted by the process.
  - 3. The computer-implemented method of claim 1, wherein:
    - the process comprises a host process that is capable of simultaneously executing multiple applications;
      
      the application comprises a hosted application that is executed by the process when the hosted application is loaded by the process.
  - 4. The computer-implemented method of claim 1, further comprising:
    - monitoring loading of an additional application within the list of applications by the one or more processes;
      
      determining that the process has loaded the additional application;
      
      determining, in response to determining that the process has loaded the application and the additional application, whether the application or the additional application originated the attempt to access sensitive data;
      
      applying the DLP policy associated with the application to the process if the application originated the attempt to access sensitive data;
      
      applying a DLP policy associated with the additional application to the process if the additional application originated the attempt to access sensitive data.
  - 5. The computer-implemented method of claim 1, further comprising:
    - monitoring unloading of the application by the one or more processes;
      
      upon detecting the attempt by the process to access sensitive data, determining that the process has unloaded the application;
      
      avoiding, based at least in part on the determination that the process has unloaded the application, application of the DLP policy associated with the application to the process.
  - 6. The computer-implemented method of claim 1, wherein:
    - monitoring loading of the application by the one or more processes comprises maintaining a list of processes that have loaded the application;
      
      determining that the process has loaded the application comprises identifying the process within the list of processes that have loaded the application.
  - 7. The computer-implemented method of claim 1, wherein determining that the process has loaded the application comprises:
    - examining, in response to detecting the attempt by the process to access sensitive data, a call stack of the process;
      
      determining, based at least in part on the examination of the call stack of the process, that the attempt to access sensitive data originated from the application.
  - 8. The computer-implemented method of claim 7, wherein the examination of the call stack of the process is performed in response to a determination that the process has loaded more than one application.
  - 9. The computer-implemented method of claim 1, wherein detecting the attempt by the process to access sensitive data comprises monitoring, in response to the determination that the process has loaded the application, the process for attempts to access sensitive data.

10. A system for applying data-loss-prevention policies, the system comprising:
- a maintenance module programmed to maintain a list of applications whose access to sensitive data is controlled by data-loss-prevention (DLP) policies;
  
  a detection module programmed to detect an attempt by a process to access sensitive data;
  
  a relationship-determining module programmed to;
  
  monitor loading of an application within the list of applications by one or more processes;
  
  determine that the process has loaded the application;
  
  an enforcing module programmed to apply, based at least in part on the determination that the process has loaded the application, a DLP policy associated with the application to the process in order to prevent loss of sensitive data;
  
  at least one processor configured to execute the maintenance module, the detection module, the relationship-determining module, and the enforcing module.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The system of claim 10, wherein:
    - the process comprises a host process that is capable of simultaneously hosting multiple applications;
      
      the application comprises a hosted application that is hosted by the process.
  - 12. The system of claim 10, wherein:
    - the process comprises a host process that is capable of simultaneously executing multiple applications;
      
      the application comprises a hosted application that is executed by the process when the hosted application is loaded by the process.
  - 13. The system of claim 10, wherein:
    - the relationship-determining module is further programmed to;
      
      monitor loading of an additional application within the list of applications by the one or more processes;
      
      determine that the process has loaded the additional application;
      
      determine, in response to determining that the process has loaded the application and the additional application, whether the application or the additional application originated the attempt to access sensitive data;
      
      the enforcing module is programmed to;
      
      apply the DLP policy associated with the application to the process if the application originated the attempt to access sensitive data;
      
      apply a DLP policy associated with the additional application to the process if the additional application originated the attempt to access sensitive data.
  - 14. The system of claim 10, wherein:
    - the relationship-determining module is further programmed to;
      
      monitor unloading of the application by the one or more processes;
      
      determine that the process has unloaded the application;
      
      the enforcing module is further programmed to avoid application of the DLP policy associated with the application to the process if the process has unloaded the application.
  - 15. The system of claim 10, wherein the relationship-determining module is programmed to:
    - monitor loading of the application by the one or more processes by maintaining a list of processes that have loaded the application;
      
      determine that the process has loaded the application by identifying the process within the list of processes that have loaded the application.
  - 16. The system of claim 10, wherein the relationship-determining module is programmed to determine that the process has loaded the application by:
    - examining, in response to detecting the attempt by the process to access sensitive data, a call stack of the process;
      
      determining, based at least in part on the examination of the call stack of the process, that the attempt to access sensitive data originated from the application.
  - 17. The system of claim 16, wherein the relationship-determining module is programmed to perform the examination of the call stack of the process in response to a determination that the process has loaded more than one application.
  - 18. The system of claim 10, wherein the detection module is programmed to detect the attempt by the process to access sensitive data by monitoring, in response to the determination that the process has loaded the application, the process for attempts to access sensitive data.

19. A non-transitory computer-readable-storage medium comprising one or more computer-executable instructions that, when executed by at least one processor of a computing device, cause the computing device to:
- maintain a list of applications whose access to sensitive data is controlled by data-loss-prevention (DLP) policies;
  
  monitor loading of an application within the list of applications by one or more processes;
  
  detect an attempt by a process to access sensitive data;
  
  determine that the process has loaded the application;
  
  apply, based at least in part on the determination that the process has loaded the application, a DLP policy associated with the application to the process in order to prevent loss of sensitive data.
- View Dependent Claims (20)
- - 20. The computer-readable-storage medium of claim 19, wherein:
    - the process comprises a host process that is capable of simultaneously hosting multiple applications;
      
      the application comprises a hosted application that is hosted by the process.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Jaiswal, Sumesh, Manmohan, Sarin Sumit
Primary Examiner(s)
LE, CHAU D

Application Number

US13/489,416
Time in Patent Office

1,036 Days
Field of Search

726/1, 726/2, 726/21
US Class Current

726/1
CPC Class Codes

G06F 21/50   Monitoring users, programs ...

G06F 21/53   by executing in a restricte...

G06F 2221/2145   Inheriting rights or proper...

H04L 63/20   for managing network securi...

Systems and methods for applying data-loss-prevention policies

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

22 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for applying data-loss-prevention policies

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

22 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links