Data leak protection in upper layer protocols

US 9,197,628 B1
Filed: 03/13/2015
Issued: 11/24/2015
Est. Priority Date: 09/10/2014
Status: Active Grant

First Claim

Patent Images

1. A data leak prevention (DLP) method comprising:

receiving from a network administrator, by a network security appliance within a private network, (i) information defining a DLP rule to be applied by the network security appliance to packets associated with an upper layer protocol and (ii) information defining an action to take when one or more conditions associated with the DLP rule are satisfied, wherein the packets are originated within the private network and addressed to a destination residing outside of the private network and wherein the DLP rule is defined in terms of one or more of a regular expression and a string that are configured to detect existence of one or more forms of sensitive information carried by the packets;

receiving, by the network security appliance, a packet originated by a host device within the private network and directed to a destination device outside of the private network;

determining, by the network security appliance, the received packet is associated with the upper layer protocol;

identifying, by the network security appliance, a command, request or method of the upper layer protocol that is specified by or represented by the received packet;

scanning, by the network security appliance, the received packet for sensitive information by applying the DLP rule to one or more fields of the command, request or method, wherein the command, request or method is not designed or intended to carry data or information in a form of a message or file to a target of the command, request or method;

when the scanning results in a conclusion that the sensitive information is contained within the received packet, then performing, by the network security appliance, the defined action;

wherein the one or more forms of sensitive information comprise a payment card number or a social security number;

wherein the regular expression detects a format and type of content corresponding to a credit card number associated with a particular payment processing provider or the social security number; and

wherein the regular expression comprises;

^4[0-9]{12}(?;

[0-9]{3})?$;

^5[1-5][0-9]{14}$;

or^([[;

digit;

]]{3}[-][[;

digit;

]]{2}[[;

digit;

]]{4}|[[;

digit;

]]{9})$.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems for Data Leak Prevention (DLP) in a private network are provided. According to one embodiment, information is received from an administrator (i) defining a DLP rule to be applied to packets associated with an upper layer protocol and (ii) defining an action to take when a condition associated with the rule is satisfied. The rule includes a regular expression and/or a string that is configured to detect existence of sensitive information. A packet originated by a host device is received. The packet is determined to be associated with the upper layer protocol. A command, request or method of the protocol is identified that is specified by or represented by the packet. The packet is scanned for sensitive information based on the rule. When the scanning results in a conclusion that sensitive information is contained within the packet, then the defined action is performed.

50 Citations

View as Search Results

14 Claims

1. A data leak prevention (DLP) method comprising:
- receiving from a network administrator, by a network security appliance within a private network, (i) information defining a DLP rule to be applied by the network security appliance to packets associated with an upper layer protocol and (ii) information defining an action to take when one or more conditions associated with the DLP rule are satisfied, wherein the packets are originated within the private network and addressed to a destination residing outside of the private network and wherein the DLP rule is defined in terms of one or more of a regular expression and a string that are configured to detect existence of one or more forms of sensitive information carried by the packets;
  
  receiving, by the network security appliance, a packet originated by a host device within the private network and directed to a destination device outside of the private network;
  
  determining, by the network security appliance, the received packet is associated with the upper layer protocol;
  
  identifying, by the network security appliance, a command, request or method of the upper layer protocol that is specified by or represented by the received packet;
  
  scanning, by the network security appliance, the received packet for sensitive information by applying the DLP rule to one or more fields of the command, request or method, wherein the command, request or method is not designed or intended to carry data or information in a form of a message or file to a target of the command, request or method;
  
  when the scanning results in a conclusion that the sensitive information is contained within the received packet, then performing, by the network security appliance, the defined action;
  
  wherein the one or more forms of sensitive information comprise a payment card number or a social security number;
  
  wherein the regular expression detects a format and type of content corresponding to a credit card number associated with a particular payment processing provider or the social security number; and
  
  wherein the regular expression comprises;
  
  ^4[0-9]{12}(?;
  
  [0-9]{3})?$;
  
  ^5[1-5][0-9]{14}$;
  
  or^([[;
  
  digit;
  
  ]]{3}[-][[;
  
  digit;
  
  ]]{2}[[;
  
  digit;
  
  ]]{4}|[[;
  
  digit;
  
  ]]{9})$.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the upper layer protocol comprises domain name system (DNS) protocol, wherein the command, request or method comprises a DNS query request and wherein the one or more fields comprise a name field of the DNS query request.
  - 3. The method of claim 1, wherein the command, request or method comprises an authentication request and the one or more fields comprise a user name or password field of the authentication request.
  - 4. The method of claim 1, wherein the upper layer protocol comprises hypertext transfer protocol (HTTP), wherein the command, request or method comprises an HTTP GET method and the one or more fields comprise a uniform resource identifier (URI) of the HTTP GET method.
  - 5. The method of claim 1, wherein the upper layer protocol comprises file transfer protocol (FTP), wherein the command, request or method comprises an FTP command associated with directory operation and wherein the one or more fields comprise a directory field of the FTP command.
  - 6. The method of claim 1, wherein the upper layer protocol comprises file transfer protocol (FTP), wherein the command, request or method comprises an FTP command associated with a file download or a file upload operation and wherein the one or more fields comprise a file name field of the FTP command.
  - 7. The method of claim 1, wherein the upper layer protocol comprises telnet protocol, wherein the command, request or method comprises a telnet command having at least one parameter and wherein the one or more fields comprise the at least one parameter.

8. A non-transitory program storage device readable by a network security appliance, tangibly embodying a program of instructions executable by one or more computer processors of the network security appliance to perform a method of data leak prevention (DLP), the method comprising:
- receiving from a network administrator (i) information defining a DLP rule to be applied by the network security appliance to packets associated with an upper layer protocol and (ii) information defining an action to take when one or more conditions associated with the DLP rule are satisfied, wherein the packets are originated within a private network protected by the network security appliance and addressed to a destination residing outside of the private network and wherein the DLP rule is defined in terms of one or more of a regular expression and a string that are configured to detect existence of one or more forms of sensitive information carried by the packets;
  
  receiving a packet originated by a host device within the private network and directed to a destination device outside of the private network;
  
  determining the received packet is associated with the upper layer protocol;
  
  identifying a command, request or method of the upper layer protocol that is specified by or represented by the received packet;
  
  scanning the received packet for sensitive information by applying the DLP rule to one or more fields of the command, request or method, wherein the command, request or method is not designed or intended to carry data or information in a form of a message or file to a target of the command, request or method;
  
  when the scanning results in a conclusion that the sensitive information is contained within the received packet, then performing the defined action;
  
  wherein the one or more forms of sensitive information comprise a payment card number or a social security number;
  
  wherein the regular expression detects a format and type of content corresponding to a credit card number associated with a particular payment processing provider or the social security number; and
  
  wherein the regular expression comprises;
  
  ^4[0-9]{12}(?;
  
  [0-9]{3})?$;
  
  ^5[1-5][0-9]{14}$;
  
  or^([[;
  
  digit;
  
  ]]{3}[-][[;
  
  digit;
  
  ]]{2}[-][[;
  
  digit;
  
  ]]{4}|[[;
  
  digit;
  
  ]]{9})$.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The non-transitory program storage device of claim 8, wherein the upper layer protocol comprises domain name system (DNS) protocol, wherein the command, request or method comprises a DNS query request and wherein the one or more fields comprise a name field of the DNS query request.
  - 10. The non-transitory program storage device of claim 8, wherein the command, request or method comprises an authentication request and the one or more fields comprise a user name or password field of the authentication request.
  - 11. The non-transitory program storage device of claim 8, wherein the upper layer protocol comprises hypertext transfer protocol (HTTP), wherein the command, request or method comprises an HTTP GET method and the one or more fields comprise a uniform resource identifier (URI) of the HTTP GET method.
  - 12. The non-transitory program storage device of claim 8, wherein the upper layer protocol comprises file transfer protocol (FTP), wherein the command, request or method comprises an FTP command associated with directory operation and wherein the one or more fields comprise a directory field of the FTP command.
  - 13. The non-transitory program storage device of claim 8, wherein the upper layer protocol comprises file transfer protocol (FTP), wherein the command, request or method comprises an FTP command associated with a file download or a file upload operation and wherein the one or more fields comprise a file name field of the FTP command.
  - 14. The non-transitory program storage device of claim 8, wherein the upper layer protocol comprises telnet protocol, wherein the command, request or method comprises a telnet command having at least one parameter and wherein the one or more fields comprise the at least one parameter.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fortinet Inc.
Original Assignee
Fortinet Inc.
Inventors
Hastings, Eric C.
Primary Examiner(s)
HO, DAO Q

Application Number

US14/657,735
Time in Patent Office

256 Days
Field of Search

713/153, 726/11, 726/23
US Class Current

1/1
CPC Class Codes

H04L 63/0236   Filtering by address, proto...

H04L 63/0245   Filtering by information in...

H04L 63/0254   Stateful filtering

H04L 63/0263   Rule management

H04L 63/08   for authentication of entit...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/166   at the transport layer

H04L 63/168   above the transport layer

Data leak protection in upper layer protocols

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

50 Citations

14 Claims

Specification

Solutions

Use Cases

Quick Links

Data leak protection in upper layer protocols

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

50 Citations

14 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links