Method and system for protection against information stealing software

US 9,130,986 B2
Filed: 03/19/2008
Issued: 09/08/2015
Est. Priority Date: 03/19/2008
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method of controlling dissemination of sensitive information over an electronic network to a destination, the method comprising:

analyzing traffic on the electronic network to detect an attempt to transmit a password to the destination, wherein the destination is an external site on the Internet;

determining a strength of the password based on one or more of a length of the password, a similarity of the password to a set of other passwords, and an entropy score of the password;

determining a sensitivity of information protected by the password based on the strength of the password, wherein the sensitivity is positively correlated with the strength of the password such that a stronger password results in a determination of higher sensitivity and a weaker password result in a determination of lower sensitivity;

in response to the attempt to transmit the password to the destination, classifying content at the destination to determine a category of the content by executing computer instructions on a processor, wherein the category denotes whether the destination node is malicious;

assessing a risk level incurred if the password leaves the electronic network and is passed to the destination based at least in part on the category and the sensitivity of information protected by the password; and

determining a required action based on the risk level, wherein the required action includes one or more of blocking, quarantining, or alerting, wherein relatively stronger passwords receive relatively stronger protection from being passed in clear-text over a non-secure connection.

View all claims

16 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for identifying infection of unwanted software on an electronic device is disclosed. A software agent configured to generate a bait and is installed on the electronic device. The bait can simulate a situation in which the user performs a login session and submits personal information or it may just contain artificial sensitive information. Parameters may be inserted into the bait such as the identity of the electronic device that the bait is installed upon. The output of the electronic device is monitored and analyzed for attempts of transmitting the bait. The output is analyzed by correlating the output with the bait and can be done by comparing information about the bait with the traffic over a computer network in order to decide about the existence and the location of unwanted software. Furthermore, it is possible to store information about the bait in a database and then compare information about a user with the information in the database in order to determine if the electronic device that transmitted the bait contains unwanted software.

237 Citations

15 Claims

1. A computer-implemented method of controlling dissemination of sensitive information over an electronic network to a destination, the method comprising:
- analyzing traffic on the electronic network to detect an attempt to transmit a password to the destination, wherein the destination is an external site on the Internet;
  
  determining a strength of the password based on one or more of a length of the password, a similarity of the password to a set of other passwords, and an entropy score of the password;
  
  determining a sensitivity of information protected by the password based on the strength of the password, wherein the sensitivity is positively correlated with the strength of the password such that a stronger password results in a determination of higher sensitivity and a weaker password result in a determination of lower sensitivity;
  
  in response to the attempt to transmit the password to the destination, classifying content at the destination to determine a category of the content by executing computer instructions on a processor, wherein the category denotes whether the destination node is malicious;
  
  assessing a risk level incurred if the password leaves the electronic network and is passed to the destination based at least in part on the category and the sensitivity of information protected by the password; and
  
  determining a required action based on the risk level, wherein the required action includes one or more of blocking, quarantining, or alerting, wherein relatively stronger passwords receive relatively stronger protection from being passed in clear-text over a non-secure connection.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the risk level is further assessed based on at least one of geolocation, analysis of a recipient URL identifying content at the destination, and previous knowledge about the destination.
  - 3. The method of claim 1, wherein the required action is based, at least in part, on parameters settable by an operator.
  - 4. The method of claim 1, further comprising determining longer passwords are stronger than shorter passwords.
  - 5. The method of claim 1, further comprising determining less similar passwords are stronger than more similar passwords.
  - 6. The method of claim 1, further comprising determining higher entropy passwords are stronger than lower entropy passwords.
  - 7. The method of claim 1, further comprising determining a higher level of risk with a stronger password than with a weaker password.

8. A system for controlling dissemination of sensitive information over an electronic network to a destination, the system comprising:
- a processor configured to execute computer instructions, wherein the computer instructions implement a traffic analyzer, the traffic analyzer in communication with the electronic network and configured to detect an attempt to transmit a password to the destination, wherein the destination is an external site on the Internet;
  
  the traffic analyzer configured to, in response to the attempt to transmit the password to the destination;
  
  determine a strength of the password based on one or more of a length of the password, a similarity of the password to a set of other passwords, and an entropy score of the password;
  
  determine a sensitivity of information protected by the password based on the strength of the password, wherein the sensitivity is positively correlated with the strength of the password such that a stronger password results in a determination of higher sensitivity and a weaker password result in a determination of lower sensitivity,classify content at the destination to determine a category of the content,assess a risk level incurred if the password leaves the electronic network and is passed to the destination based at least in part on the category and the sensitivity of the information protected by the password, and todetermine a required action in response to the risk level, wherein the required action includes one or more of blocking, quarantining, or alerting, wherein relatively stronger passwords receive relatively stronger protection from being passed in clear-text over a non-secure connection.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 15)
- - 9. The system of claim 8, wherein the risk level is further assessed based on at least one of geolocation, analysis of a URL identifying content at the destination, and previous knowledge about the destination.
  - 10. The system of claim 8, wherein the traffic analyzer is configured to block transmission of the password over the network in response to the risk level.
  - 11. The system of claim 8, wherein the required action is based, at least in part, on parameters settable by an operator.
  - 12. The system of claim 8, wherein the traffic analyzer is further configured to, in response to the attempt to transmit the password to the destination, determine longer passwords are stronger than shorter passwords.
  - 13. The system of claim 8, wherein the traffic analyzer is further configured to, in response to the attempt to transmit the password to the destination determine less similar passwords are stronger than more similar passwords.
  - 14. The system of claim 8, wherein the traffic analyzer is further configured to, in response to the attempt to transmit the password to the destination, determine higher entropy passwords are stronger than lower entropy passwords.
  - 15. The system of claim 8, wherein the traffic analyzer is further configured to, in response to the attempt to transmit the password to the destination, determine a higher level of risk with a stronger password than with a weaker password.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Forcepoint LLC
Original Assignee
Forcepoint LLC
Inventors
Troyansky, Lidror
Primary Examiner(s)
Le, Chau
Assistant Examiner(s)
ZHAO, DON GORDON

Application Number

US12/051,616
Publication Number

US 20090241173A1
Time in Patent Office

2,729 Days
Field of Search

726/4, 726 22- 26, 726150-155, 726/182, 726/5, 726/6
US Class Current

1/1
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/6218   to a system of files or obj...

H04L 63/04   for providing a confidentia...

H04L 63/083   using passwords cryptograph...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

H04L 63/1483   service impersonation, e.g....

Method and system for protection against information stealing software

First Claim

16 Assignments

0 Petitions

Accused Products

Abstract

237 Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for protection against information stealing software

First Claim

16 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

237 Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links