Data loss prevention for mobile computing devices

US 9,326,134 B2
Filed: 10/18/2013
Issued: 04/26/2016
Est. Priority Date: 10/19/2012
Status: Active Grant

First Claim

Patent Images

1. At least one non-transitory machine accessible storage medium having instructions stored thereon, the instructions when executed on a machine, cause the machine to:

intercept a system call to a kernel of a mobile computing device, wherein the system call involves photograph data;

query a data loss prevention (DLP) agent on the mobile computing device to identify a particular DLP policy applicable to use of the photograph data, wherein the particular DLP policy conditionally restricts use of the photograph data based at least in part on location of the mobile computing device;

identify a current detected location of the mobile computing device; and

perform, based on the particular DLP policy and the current detected location, an action on the intercepted system call.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

System calls to a kernel of a mobile computing device are monitored. A particular system call is intercepted relating to input/output (I/O) functionality of the mobile computing device. A data loss prevention (DLP) policy is identified that is applicable to the particular system call. An action is performed on the particular system call based at least in part on the DLP policy.

27 Citations

View as Search Results

23 Claims

1. At least one non-transitory machine accessible storage medium having instructions stored thereon, the instructions when executed on a machine, cause the machine to:
- intercept a system call to a kernel of a mobile computing device, wherein the system call involves photograph data;
  
  query a data loss prevention (DLP) agent on the mobile computing device to identify a particular DLP policy applicable to use of the photograph data, wherein the particular DLP policy conditionally restricts use of the photograph data based at least in part on location of the mobile computing device;
  
  identify a current detected location of the mobile computing device; and
  
  perform, based on the particular DLP policy and the current detected location, an action on the intercepted system call.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The storage medium of claim 1, wherein attempts to output the photograph data while the mobile computing device is located outside of a particular geographic location are to be blocked based on the particular DLP policy.
  - 3. The storage medium of claim 1, wherein the DLP agent is an application installed on the mobile computing device.
  - 4. The storage medium of claim 3, wherein the DLP agent interfaces with a remote security server for policy information corresponding to the mobile computing device.
  - 5. The storage medium of claim 1, wherein the DLP agent is included in a security module interfacing with the kernel.
  - 6. The storage medium of claim 1, wherein the particular system call includes at least one of an output of the photograph data utilizing SMS, email, and wireless communication functionality of the mobile computing device.
  - 7. The storage medium of claim 1, wherein applications of the mobile computing device capable of utilizing the photograph data are run in a process virtual machine container.
  - 8. The storage medium of claim 1, wherein the photograph data includes video data.

9. A method for providing computer security, the method comprising:
- intercepting a system call to a kernel of a mobile computing device, wherein the system call involves photograph data;
  
  querying a data loss prevention (DLP) agent on the mobile computing device to identify a particular DLP policy applicable to use of the photograph data, wherein the particular DLP policy conditionally restricts use of the photograph data based at least in part on location of the mobile computing device;
  
  identifying a current detected location of the mobile computing device; and
  
  performing, based on the particular DLP policy and the current detected location, an action on the intercepted system call.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 10. The method of claim 9, wherein identifying the particular DLP policy includesreceiving a result from the DLP agent identifying whether DLP policies apply to the photograph data, the result identifying the particular DLP policy.
  - 11. The method of claim 9, wherein the particular DLP policy restricts access to the photograph data outside of a particular geographic area.
  - 12. The method of claim 11, wherein the particular geographic area is defined using a geofence.
  - 13. The method of claim 11, wherein the particular geographic area corresponds to a location where the photograph data was created.
  - 14. The method of claim 9, wherein the system call involves an input of the photograph data and the photograph data originates from a camera on the mobile computing device.
  - 15. The method of claim 14, wherein the action includes tagging the photograph data with location information, wherein location-based DLP policies are enforced on the photograph data based on the tagged location information.
  - 16. The method of claim 15, wherein the location information corresponds to a location where the photograph data was captured.
  - 17. The method of claim 16, wherein the location information corresponds to geopositional data captured using the mobile computing device at the capturing of the photograph data.
  - 18. The method of claim 15, further comprising:
    - receiving a subsequent system call involving the photograph data;
      
      identifying the location information;
      
      communicating the location information in connection with a query of the DLP agent for DLP policies applicable to the photograph data; and
      
      performing an action on the subsequent system call based at least in part on the tagging.

19. A system for providing computer security, the system comprising:
- a processor device;
  
  a memory element; and
  
  a security manager interfacing with a kernel and adapted, when executed by the processor device to;
  
  intercept a system call involving photograph data to a kernel of a mobile computing device, wherein the system call involves photograph data;
  
  query a data loss prevention (DLP) agent on the mobile computing device to identify a particular DLP policy applicable to use of the photograph data, wherein the particular DLP policy conditionally restricts use of the photograph data based at least in part on location of the mobile computing device;
  
  identify a current detected location of the mobile computing device; and
  
  perform, based on the particular DLP policy and the current detected location, an action on the intercepted system call.
- View Dependent Claims (20, 21, 22, 23)
- - 20. The system of claim 19, further comprising a digital camera to generate the photograph data.
  - 21. The system of claim 19, wherein identifying the location-based DLP policy includesreceiving a result from the DLP agent identifying whether DLP policies apply to the photograph data, the result identifying the particular DLP policy.
  - 22. The system of claim 21, further comprising the DLP agent.
  - 23. The system of claim 19, wherein the system comprises the mobile computing device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Ahuja, Ratinder Paul Singh, Singh, Balbir, Bhattacharjee, Rajbir, Kulkarni, Dattatraya
Primary Examiner(s)
Eisner, Ronald

Application Number

US14/126,714
Publication Number

US 20140194094A1
Time in Patent Office

921 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/53   by executing in a restricte...

G06F 2221/2111   Location-sensitive, e.g. ge...

H04L 63/107   wherein the security polici...

H04W 12/033   of the user plane, e.g. use...

H04W 12/088   using filters or firewalls

H04W 12/37   Managing security policies ...

H04W 12/80   Arrangements enabling lawfu...

H04W 4/021   Services related to particu...

H04W 4/029   Location-based management o...

Data loss prevention for mobile computing devices

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

27 Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

Data loss prevention for mobile computing devices

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

27 Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links