Network data transmission analysis

US 9,064,121 B2
Filed: 10/18/2013
Issued: 06/23/2015
Est. Priority Date: 09/28/2010
Status: Active Grant

First Claim

Patent Images

1. A method for analyzing data transmitted through a virtual network, the method comprising:

under control of a virtual network comprising a substrate network associated with a plurality of physical computing nodes that are configured to at least partially simulate operation of the virtual network,receiving a DLP policy that includes (i) context criteria and (ii) content criteria, the context criteria comprising information about organizational structure or services of a user of the virtual network;

associating the information about the organizational structure or services of the virtual network user with at least one of the virtual network or the substrate network;

analyzing, based at least in part on the DLP policy, a network flow transmitted via the virtual network;

detecting a subset of the network flow that includes a match to at least one of the context criteria of the DLP policy or a match to at least one of the content criteria of the DLP policy; and

performing an action on at least a portion of the detected subset of the network flow based at least in part on the DLP policy.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Network computing systems may implement data loss prevention (DLP) techniques to reduce or prevent unauthorized use or transmission of confidential information or to implement information controls mandated by statute, regulation, or industry standard. Implementations of network data transmission analysis systems and methods are disclosed that can use contextual information in a DLP policy to monitor data transmitted via the network. The contextual information may include information based on a network user'"'"'s organizational structure or services or network infrastructure. Some implementations may detect bank card information in network data transmissions. Some of the systems and methods may be implemented on a virtual network overlaid on one or more intermediate physical networks that are used as a substrate network.

Citations

22 Claims

1. A method for analyzing data transmitted through a virtual network, the method comprising:
- under control of a virtual network comprising a substrate network associated with a plurality of physical computing nodes that are configured to at least partially simulate operation of the virtual network,receiving a DLP policy that includes (i) context criteria and (ii) content criteria, the context criteria comprising information about organizational structure or services of a user of the virtual network;
  
  associating the information about the organizational structure or services of the virtual network user with at least one of the virtual network or the substrate network;
  
  analyzing, based at least in part on the DLP policy, a network flow transmitted via the virtual network;
  
  detecting a subset of the network flow that includes a match to at least one of the context criteria of the DLP policy or a match to at least one of the content criteria of the DLP policy; and
  
  performing an action on at least a portion of the detected subset of the network flow based at least in part on the DLP policy.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein at least some of the plurality of physical computing nodes are configured to host one or more virtual machines, and the network flow is transmitted from or transmitted to one of the one or more virtual machines.
  - 3. The method of claim 1, wherein the DLP policy is associated with one or more of:
    - a policy related to statutory or regulatory compliance, a policy related to industry security standards, or confidential information of the virtual network user or a customer or client of the virtual network user.
  - 4. The method of claim 1, wherein the context criteria comprise information about one or more departments of the organizational structure.
  - 5. The method of claim 1, wherein the context criteria further comprise information associated with network infrastructure related to intended or expected use or behavior of the virtual network.
  - 6. The method of claim 1, wherein performing the action comprises at least one of:
    - (1) tracing a network route taken by the at least a portion of the detected subset of the network flow, (2) storing a snapshot of the at least a portion of the detected subset of the network flow, (3) permitting or denying transmission of the at least a portion of the detected subset of the network flow, (4) logging event data associated with the at least a portion of the detected subset of the network flow, or (5) redirecting the at least a portion of the detected subset of the network flow.
  - 7. The method of claim 1, wherein the virtual network provides an Application Programming Interface (API) for programmatically interacting with the virtual network, and wherein the DLP policy is received via the API.

8. A system for analyzing network data, the system comprising:
- one or more physical computing devices configured to;
  
  associate a data loss prevention (DLP) policy with a virtual network that is overlaid on one or more physical computing networks, the DLP policy specifying (i) context criteria and (ii) content criteria, the context criteria comprising information about organizational structure or services of a user of the virtual network;
  
  track data transmitted via the virtual network;
  
  determine whether at least a portion of the tracked data violates the DLP policy; and
  
  perform an action on the at least a portion of the tracked data based at least in part on the DLP policy.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 9. The system of claim 8, wherein the virtual network comprises one or more virtual machines.
  - 10. The system of claim 9, wherein the data is transmitted from or transmitted to one of the one or more virtual machines.
  - 11. The system of claim 8, wherein the DLP policy is associated with one or more of:
    - a policy related to statutory or regulatory compliance, a policy related to industry security standards, or confidential information of a user of the virtual network or a customer or client of the user of the virtual network.
  - 12. The system of claim 8, wherein the context criteria comprise information about one or more departments of the organizational structure.
  - 13. The system of claim 8, wherein the context criteria further comprise information associated with network infrastructure related to intended or expected use or behavior of the virtual network.
  - 14. The system of claim 8, wherein the action comprises at least one of:
    - (1) tracing a network route taken by the at least a portion of the tracked data, (2) storing a snapshot of the at least a portion of the tracked data, (3) permitting or denying transmission of the at least a portion of the tracked data, (4) logging event data associated with the at least a portion of the tracked data, or (5) redirecting the at least a portion of the tracked data.
  - 15. The system of claim 8, wherein the action comprises storing events associated with the at least a portion of the tracked data in a compliance log, and the events comprise information associated with one or more of:
    - (1) DLP policy changes, (2) network configuration changes, (3) user account changes, or (4) attempts to access the compliance log.
  - 16. The system of claim 8, wherein the data comprises a bank card number, and to determine whether at least a portion of the tracked data violates the DLP policy, the one or more physical computing devices are configured to:
    - determine an Issue Identification Number (IIN) from the bank card number; and
      
      compare the IIN to a database comprising IINs for valid issuers of bank cards.
  - 17. The system of claim 8, wherein to determine whether at least a portion of the tracked data violates the DLP policy, the one or more physical computing devices are configured to:
    - analyze the tracked data to detect a first subset of the tracked data that includes a match to at least one of the context criteria; and
      
      analyze the first subset of the tracked data to detect a second subset of the tracked data that includes a match to at least one of the content criteria.
  - 18. The system of claim 8, wherein the data comprises a plurality of network packets transmitted via the virtual network.

19. Non-transitory computer storage having computer-executable instructions stored thereon for analyzing network data, the non-transitory computer storage comprising computer-executable instructions for:
- analyzing data transmitted via a virtual network;
  
  detecting a subset of the data that matches one or more criteria specified by a data loss prevention (DLP) policy, the DLP policy specifying (i) context criteria and (ii) content criteria, the context criteria comprising information about organizational structure or services of a user of the virtual network; and
  
  in response to detection of the match, storing information associated with the data in a log.
- View Dependent Claims (20, 21, 22)
- - 20. The non-transitory computer storage of claim 19, wherein the computer-executable instructions further include instructions for configuring the virtual network such that data transmitted by the virtual network can be associated with the organization structure or services of the user of the virtual network.
  - 21. The non-transitory computer storage of claim 19, wherein the computer-executable instructions include instructions for analyzing the log to determine additional matches to the DLP policy.
  - 22. The non-transitory computer storage of claim 19, wherein the data comprise a plurality of network packets transmitted via the virtual network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Marshall, Bradley E., Phillips, Charles D., Brandwine, Eric J.
Primary Examiner(s)
MEW, KEVIN D

Application Number

US14/057,359
Publication Number

US 20140047503A1
Time in Patent Office

613 Days
Field of Search

370/241, 370/252, 726/1, 709223-225
US Class Current

1/1
CPC Class Codes

G06F 21/60   Protecting data

H04L 63/0227   Filtering policies mail mes...

H04L 63/20   for managing network securi...

Network data transmission analysis

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Network data transmission analysis

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links