Method and apparatus for automatically correlating related incidents of policy violations
Abstract
A method and apparatus for automatically correlating policy violation incidents. In one embodiment, the method includes receiving user input identifying one of policy violation incidents stored in a data repository, where each policy violation incident is associated with one or more attributes. The method further includes automatically correlating the identified policy violation incident with other policy violation incidents that have in common at least one attribute with the identified policy violation incident, and presenting the resulting correlation information to a user.
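The correlation described in the abstract and in claim 1, as an added example that is not code from the patent: a requested incident is matched against stored incidents on one shared message attribute, counted per time period, and a selected count is expanded into its incidents. The SQLite schema, the attribute names, the cumulative look-back windows and the sample rows are assumptions made for illustration.

```python
import sqlite3
from datetime import datetime, timedelta

# Constructed sample incidents: (id, sender, recipient, subject, detected_at)
SAMPLE = [
    (1, "alice@corp.example", "x@mail.example", "Q3 forecast", "2024-05-10T09:00:00"),
    (2, "alice@corp.example", "y@mail.example", "notes",       "2024-05-09T15:30:00"),
    (3, "bob@corp.example",   "x@mail.example", "Q3 forecast", "2024-05-06T11:00:00"),
    (4, "alice@corp.example", "z@mail.example", "resume",      "2024-04-20T08:00:00"),
    (5, "carol@corp.example", "x@mail.example", "hello",       "2024-03-01T08:00:00"),
]
# Allow-list: attribute names are interpolated as column identifiers below,
# so only these fixed names are ever accepted (hypothetical attribute set).
ATTRS = ("sender", "recipient", "subject")
# Hypothetical look-back windows standing in for the "plurality of time periods".
PERIODS = {"1d": timedelta(days=1), "7d": timedelta(days=7), "30d": timedelta(days=30)}

def open_store(rows=SAMPLE):
    """Build the in-memory incident repository."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE incident (id INTEGER PRIMARY KEY, sender TEXT, "
               "recipient TEXT, subject TEXT, detected_at TEXT)")
    db.executemany("INSERT INTO incident VALUES (?,?,?,?,?)", rows)
    return db

def similar(db, incident_id, attr, period, now):
    """Drill-down: ids of other incidents sharing `attr` with the requested one."""
    if attr not in ATTRS or period not in PERIODS:
        raise ValueError("unknown attribute or period")
    since = (now - PERIODS[period]).isoformat()
    # Values are bound as parameters; ISO-8601 strings compare chronologically.
    sql = (f"SELECT o.id FROM incident o JOIN incident r ON r.id = ? "
           f"WHERE o.{attr} = r.{attr} AND o.id != r.id "
           f"AND o.detected_at >= ? AND o.detected_at <= ? ORDER BY o.id")
    return [row[0] for row in db.execute(sql, (incident_id, since, now.isoformat()))]

def correlate(db, incident_id, attrs, now):
    """Correlation table for the UI: {attribute: {period: count}}."""
    return {a: {p: len(similar(db, incident_id, a, p, now)) for p in PERIODS}
            for a in attrs}
```

Calling `correlate` yields the per-period counts; calling `similar` with the attribute and period behind one count returns the incidents for that cell.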
19 Claims
1. A method, comprising:
- identifying a plurality of incidents of violations of a policy upon detecting presence of confidential information in a plurality of messages;
- storing the plurality of violation incidents of the policy in a data repository, wherein each of the plurality of violation incidents is associated with one or more message attribute values;
- receiving a user request to correlate one of the plurality of violation incidents of the policy stored in the data repository to other incidents of the plurality of violation incidents of the policy based on at least one common message attribute value;
- in response to the user request, correlating, by a processing device, a requested violation incident with the other incidents of the plurality of violation incidents of the policy based on the at least one common message attribute value of the one or more message attribute values, wherein the correlating comprises searching the data repository using the at least one common message attribute value;
- providing, for a user interface, resulting correlation information that identifies, for each of a plurality of time periods, a count of a number of incidents similar to the one of the plurality of violation incidents that occurred during a corresponding time period of the plurality of time periods; and
- providing the incidents similar to the one of the plurality of violation incidents that occurred during the corresponding time period of the plurality of time periods in response to a selection associated with the count for the corresponding time period of the plurality of time periods.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12
13. An apparatus comprising:
- a memory to store a plurality of violation incidents of a policy, wherein each of the plurality of violation incidents is associated with one or more message attributes values; and
- a processing device, coupled to the memory, to:
  - identify the plurality of violation incidents of the policy upon detecting presence of confidential information in a plurality of messages;
  - receive a user request to correlate one of the plurality of violation incidents of the policy stored in the data repository to other incidents of the plurality of violation incidents of the policy based on at least one common message attribute value;
  - correlate a requested violation incident with the other incidents of the plurality of violation incidents of the policy based on the at least one common message attribute value of the one or more message attribute values, wherein the correlating comprises searching the data repository using the at least one common message attribute value; and
  - provide, for a user interface, resulting correlation information that identifies, for each of a plurality of time periods, a count of a number of incidents similar to the one of the plurality of violation incidents that occurred during a corresponding time period of the plurality of time periods; and
  - provide the incidents similar to the one of the plurality of violation incidents that occurred during the corresponding time period of the plurality of time periods in response to a selection associated with the count for the corresponding time period of the plurality of time periods.
Dependent claims: 14, 15, 16, 17
18. A non-transitory computer-readable storage medium having instructions stored thereon that when executed by a processing device cause the processing device to perform operations comprising:
- receiving a user request to correlate one of a plurality of violation incidents of a policy stored in a data repository to other incidents of the plurality of violation incidents of the policy based on at least one common message attribute value, the user request comprising a plurality of common message attribute values associated with the incident to be correlated;
- in response to the user request, correlating a requested violation incident with the other incidents of the plurality of violation incidents of the policy based on the at least one common message attribute value of the one or more message attribute values, wherein the correlating comprises searching the data repository using the at least one common message attribute value;
- providing, for a user interface, resulting correlation information that identifies, for each of a plurality of time periods, a count of a number of incidents similar to the one of the plurality of violation incidents that occurred during a corresponding time period of the plurality of time periods; and
- providing the incidents similar to the one of the plurality of violation incidents that occurred during the corresponding time period of the plurality of time periods in response to a selection associated with the count for the corresponding time period of the plurality of time periods.
Dependent claims: 19
Specification