Deriving encryption rules based on file content

US 9,405,928 B2
Filed: 09/17/2014
Issued: 08/02/2016
Est. Priority Date: 09/17/2014
Status: Active Grant

First Claim

Patent Images

1. A data storage system comprising:

a content analyzer comprising computer hardware, the content analyzer configured to;

access a set of training files that include content designated as sensitive information; and

use one or more processing algorithms with respect to the set of training files to obtain a set of data tokens for each training file, each of the data tokens from the set of data tokens comprising a portion of a training file from the set of training files, the portion of the training file comprising content included in the training file, at least some of the training files including at least some of the sensitive information;

an encryption rules generator comprising computer hardware, the encryption rules generator configured to;

use one or more algorithms to generate a set of encryption rules based on the set of data tokens obtained for each training file, wherein at least some of the set of encryption rules are configured to identify a file to encrypt based at least in part on a correspondence between portions of the file and at least some of the set of data tokens;

generate a prospective encryption rule based on an aggregated set of data tokens, the aggregated set of data tokens based on the set of data tokens for each training file;

perform the prospective encryption rule using the set of training files;

determine a number of training files from the set of training files identified for encryption based on the prospective encryption rule; and

responsive, at least in part, to the number of training files identified for encryption satisfying a threshold, adding the prospective encryption rule to the set of encryption rules; and

an encryption processor comprising computer hardware, the encryption processor configured to encrypt the file based at least in part on one of the encryption rules from the set of encryption rules.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Data storage systems are disclosed for automatically generating encryption rules based on a set of training files that are known to include sensitive information. The system may use a number of heuristic algorithms to generate one or more encryption rules for determining whether a file includes sensitive information. Further, the system may apply the heuristic algorithms to the content of the files, as determined by using natural language processing algorithms, to generate the encryption rules. Moreover, systems are disclosed that are capable of automatically determining whether to encrypt a file based on the generated encryption rules. The content of the file may be determined using natural language processing algorithms and then the encryption rules may be applied to the content of the file to determine whether to encrypt the file.

267 Citations

18 Claims

1. A data storage system comprising:
- a content analyzer comprising computer hardware, the content analyzer configured to;
  
  access a set of training files that include content designated as sensitive information; and
  
  use one or more processing algorithms with respect to the set of training files to obtain a set of data tokens for each training file, each of the data tokens from the set of data tokens comprising a portion of a training file from the set of training files, the portion of the training file comprising content included in the training file, at least some of the training files including at least some of the sensitive information;
  
  an encryption rules generator comprising computer hardware, the encryption rules generator configured to;
  
  use one or more algorithms to generate a set of encryption rules based on the set of data tokens obtained for each training file, wherein at least some of the set of encryption rules are configured to identify a file to encrypt based at least in part on a correspondence between portions of the file and at least some of the set of data tokens;
  
  generate a prospective encryption rule based on an aggregated set of data tokens, the aggregated set of data tokens based on the set of data tokens for each training file;
  
  perform the prospective encryption rule using the set of training files;
  
  determine a number of training files from the set of training files identified for encryption based on the prospective encryption rule; and
  
  responsive, at least in part, to the number of training files identified for encryption satisfying a threshold, adding the prospective encryption rule to the set of encryption rules; and
  
  an encryption processor comprising computer hardware, the encryption processor configured to encrypt the file based at least in part on one of the encryption rules from the set of encryption rules.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The data storage system of claim 1, further comprising an encryption rules repository configured to store the set of encryption rules, wherein the encryption rules repository is accessible by one or more computing systems.
  - 3. The data storage system of claim 1, wherein the encryption rules generator is further configured to:
    - determine a context condition for an encryption rule of the set of encryption rules, the context condition identifying when to apply the encryption rule to the file; and
      
      associate the context condition with the encryption rule.
  - 4. The data storage system of claim 3, wherein the context condition comprises at least one of an identity of a user, an identity of a department that includes the user within an entity, a geographic location of a computing device storing the file, a network location of a computing device storing the file, and a device type of the computing device.
  - 5. The data storage system of claim 1, wherein the encryption rules generator is configured to determine an encryption rule based on the set of data tokens obtained for a plurality of training files.
  - 6. The data storage system of claim 1, wherein the encryption rules generator is further configured to:
    - present the prospective encryption rule to a user;
      
      receive an input from the user responsive to presenting the prospective encryption rule to the user; and
      
      determine whether to include the prospective encryption rule in the set of encryption rules based at least in part on the input received from the user.
  - 7. The data storage system of claim 1, wherein the content analyzer is further configured to remove a data token from a set of data tokens of a training file based on an identified set of non-sensitive data tokens.
  - 8. The data storage system of claim 1, further comprising:
    - a file monitor configured to monitor creation of the file; and
      
      an encryption rules engine configured to determine whether the file satisfies an encryption rule from the set of encryption rules.

9. A method of automatically generating encryption rules using machine learning techniques, the method comprising:
- accessing, by a rules generation system comprising computer hardware, a set of one or more training files that include content designated as sensitive information;
  
  applying, by the rules generation system, one or more processing algorithms to each training file included in the set of training files to obtain a set of data tokens for each training file, wherein each of the set of data tokens for a training file corresponds to a portion of the training file, the portion of the training file comprising content included in the training file, at least some of the training files including at least some of the sensitive information, wherein applying the one or more processing algorithms to the set of data tokens comprises;
  
  generating a prospective encryption rule based on the set of data tokens;
  
  performing the prospective encryption rule with respect to the set of training files;
  
  determining a percentage of training files from the set of training files identified for encryption using the prospective encryption rule; and
  
  responsive to the percentage of training files identified for encryption satisfying a threshold, adding the prospective encryption rule to the set of encryption rules;
  
  applying, by the rules generation system, one or more algorithms to the set of data tokens for each training file to generate a set of encryption rules for identifying files with sensitive information, wherein at least some of the set of encryption rules are configured to identify a file to encrypt based at least in part on a correspondence between portions of the file and at least some of the set of data tokens; and
  
  storing the set of encryption rules in an encryption rules repository accessible for one or more systems for determining whether to encrypt the file.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 10. The method of claim 9, wherein the one or more processing algorithms comprise natural language processing algorithms.
  - 11. The method of claim 9, wherein the one or more algorithms comprise heuristic algorithms.
  - 12. The method of claim 9, wherein at least one of the one or more processing algorithms comprises a natural language processing algorithm and wherein applying the one or more processing algorithms comprises performing at least one of the following natural language processing tasks:
    - automatic summarization, coreference resolution, discourse analysis, machine translation, morphological segmentation, named entity recognition, natural language understanding, optical character recognition, part-of-speech tagging, parsing, relationship extraction, sentence boundary disambiguation, sentiment analysis, topic segmentation and recognition, word segmentation, word sense disambiguation, singular value decomposition, latent semantic analysis, latent Dirichlet allocation, pachinko allocation, and probabilistic latent semantic analysis.
  - 13. The method of claim 9, wherein applying the one or more algorithms to the set of data tokens for each training file comprises applying the one or more algorithms on a file-by-file basis, separately to each set of data tokens.
  - 14. The method of claim 9, wherein applying the one or more algorithms to the set of data tokens for each training file comprises applying the one or more algorithms to a cumulative set of data tokens formed by combining the sets of data tokens from a plurality of training files.
  - 15. The method of claim 9, further comprising presenting the set of encryption rules to a user for confirmation, wherein storing the set of encryption rules comprises storing encryption rules from the set of encryption rules confirmed by the user.
  - 16. The method of claim 9, further comprising filtering data tokens identified as non-sensitive by a user from the set of data tokens for each training file prior to applying the one or more algorithms.
  - 17. The method of claim 9, further comprising:
    - monitoring file creation and/or file modification activity;
      
      in response to detecting a file creation and/or modification event with respect to the file, determining whether the file satisfies an encryption rule from the set of encryption rules; and
      
      in response to determining that the file satisfies the encryption rule from the set of encryption rules, identifying the file as protected.
  - 18. The method of claim 17, further comprising:
    - determining whether the file satisfies a context condition associated with the encryption rule; and
      
      in response to determining that the context condition is satisfied, encrypting the file.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CommVault Systems Incorporated
Original Assignee
CommVault Systems Incorporated
Inventors
Yuan, Yun, Amarendran, Arun Prasad, Chatterjee, Tirthankar, Liu, Yongtao
Primary Examiner(s)
Patel, Haresh N

Application Number

US14/489,222
Publication Number

US 20160078245A1
Time in Patent Office

685 Days
Field of Search

713/193, 713/165
US Class Current

1/1
CPC Class Codes

G06F 12/1408   by using cryptography for d...

G06F 16/164   File meta data generation

G06F 21/602   Providing cryptographic fac...

G06F 21/6218   to a system of files or obj...

G06F 2212/1052   Security improvement

G06F 2212/402   Encrypted data

G06F 2221/2107   File encryption

G06F 40/20   Natural language analysis s...

G06N 20/00   Machine learning

G06N 5/02   Knowledge representation; S...

H04L 63/0428   wherein the data content is...

H04L 67/10   in which an application is ...

Deriving encryption rules based on file content

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

267 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Deriving encryption rules based on file content

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

267 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links