Environment-aware security tokens

US 9,449,187 B2
Filed: 08/11/2014
Issued: 09/20/2016
Est. Priority Date: 08/11/2014
Status: Active Grant

First Claim

Patent Images

1. A computer implemented method comprising:

receiving, at a processing device, information about multiple assets associated with a network of devices, the multiple assets including at least two electronic files;

generating, for a first electronic file of the multiple assets, a first security token that is based at least on a portion of the received information about the first electronic file, wherein the first security token is configured to identify a first home network defined for the first electronic file, the first home network being specific to the first electronic file and being defined by a first selection of other assets;

generating, for a second electronic file of the multiple assets, a second security token that is based at least on a portion of the received information about the second electronic file, wherein the second security token is configured to identify a second home network defined for the second electronic file, the second home network being specific to the second electronic file and being defined by a second selection of other assets;

storing, in a storage device, information about the first and second security tokens and information linking the first and second security tokens to the corresponding electronic files;

initiating integration of the first and second security tokens with the corresponding electronic files; and

restricting access to the first or second electronic file upon detecting an occurrence of an unauthorized activity involving the corresponding electronic file, wherein detecting the occurrence of the unauthorized activity comprises determining a dissociation of the first or second electronic file from the corresponding home network defined for the corresponding electronic file, and access to the corresponding electronic file is restricted by deletion of content of the corresponding electronic file upon determining the dissociation from the corresponding home network.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The technology described in this document can be embodied in a computer implemented method that includes receiving, at a processing device, information about one or more assets associated with a network of devices. The method also includes generating, for at least one of the assets, a security token that is based at least on a portion of the received information about the corresponding asset. The security token can be configured to identify a home network defined for the asset, and to restrict access to the corresponding asset upon detecting an occurrence of an unauthorized activity involving the asset. The method further includes storing, in a storage device, information about the security token and information linking the security token to the corresponding asset, and initiating integration of the security token with the corresponding asset.

Citations

53 Claims

1. A computer implemented method comprising:
- receiving, at a processing device, information about multiple assets associated with a network of devices, the multiple assets including at least two electronic files;
  
  generating, for a first electronic file of the multiple assets, a first security token that is based at least on a portion of the received information about the first electronic file, wherein the first security token is configured to identify a first home network defined for the first electronic file, the first home network being specific to the first electronic file and being defined by a first selection of other assets;
  
  generating, for a second electronic file of the multiple assets, a second security token that is based at least on a portion of the received information about the second electronic file, wherein the second security token is configured to identify a second home network defined for the second electronic file, the second home network being specific to the second electronic file and being defined by a second selection of other assets;
  
  storing, in a storage device, information about the first and second security tokens and information linking the first and second security tokens to the corresponding electronic files;
  
  initiating integration of the first and second security tokens with the corresponding electronic files; and
  
  restricting access to the first or second electronic file upon detecting an occurrence of an unauthorized activity involving the corresponding electronic file, wherein detecting the occurrence of the unauthorized activity comprises determining a dissociation of the first or second electronic file from the corresponding home network defined for the corresponding electronic file, and access to the corresponding electronic file is restricted by deletion of content of the corresponding electronic file upon determining the dissociation from the corresponding home network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 2. The method of claim 1, wherein the assets associated with the network comprises one or more of:
    - a device connected to the network, a file stored on a storage device connected to the network, and a user-profile associated with the network.
  - 3. The method of claim 1, wherein initiating the integration of the first and second security tokens into the corresponding electronic files comprises initiating an encryption of the electronic files based on the corresponding security tokens.
  - 4. The method of claim 1, wherein the corresponding home network for at least one of the first and second electronic files is defined based on one or more security policies associated with the corresponding electronic file.
  - 5. The method of claim 1, wherein the information includes one or more of:
    - a serial number of a device, a media access control (MAC) address, a file path, a registry key, a network identifier, an internet protocol (IP) address, a file-type identifier, a user-profile identifier, and one or more policies associated with the network.
  - 6. The method of claim 1, wherein the information about the multiple assets is received from an agent deployed on the network.
  - 7. The method of claim 6, wherein the agent is configured to scan the devices of the network to obtain the information.
  - 8. The method of claim 6, wherein the agent comprises an automated browser.
  - 9. The method of claim 1, wherein the security token comprises an object generated in accordance with Component Object Model (COM).
  - 10. The method of claim 1, wherein at least one of the first and second security tokens is generated in accordance with one or more security policies associated with the corresponding electronic file.
  - 11. The method of claim 1, wherein determining the dissociation of the first or second electronic file from the corresponding home network comprises determining that the corresponding electronic file is not stored on a device associated with the corresponding home network.
  - 12. The method of claim 1, wherein determining the dissociation of the first or second electronic file from the corresponding home network comprises detecting an access attempt from a user-profile not associated with the corresponding home network.
  - 13. The method of claim 1, wherein initiating an integration of the first and second security tokens into the corresponding electronic files comprises initiating a code injection to a header portion of at least one of the first and second electronic files.
  - 14. The method of claim 1, wherein initiating an integration of the first and second security tokens with the corresponding electronic files comprises initiating an encapsulation of at least one of the security tokens with the corresponding electronic file.
  - 15. The method of claim 14, wherein an executable file is generated via the encapsulation.
  - 16. The method of claim 1, wherein the first or second electronic file is an electronic document, and the corresponding security token is integrated into the document as a portion of a page description language of the document.
  - 17. The method of claim 1, wherein the other assets include one or more of a device and a user profile associated with a user permitted to access the corresponding electronic files.
  - 18. The method of claim 1, wherein the first home network is different from the second home network.

19. A system comprising:
- memory; and
  
  one or more processors configured to;
  
  receive information about multiple assets associated with a network of devices, the multiple assets including at least two electronic files,generate, for a first electronic file of the multiple assets, a first security token that is based at least on a portion of the received information about the first electronic file, wherein the first security token is configured to identify a first home network defined for the first electronic file, the first home network being specific to the first electronic file and being defined by a first selection of other assets,generate, for a second electronic file of the multiple assets, a second security token that is based at least on a portion of the received information about the second electronic file, wherein the second security token is configured to identify a second home network defined for the second electronic file, the second home network being specific to the second electronic file and being defined by a second selection of other assets,store, in a storage device, information about the first and second security tokens and information linking the first and second security tokens to the corresponding electronic files,initiate integration of the first and second security tokens with the corresponding electronic files, andrestrict access to the first or second electronic file upon detecting an occurrence of an unauthorized activity involving the corresponding electronic file, wherein detecting the occurrence of the unauthorized activity comprises determining a dissociation of the first or second electronic file from the corresponding home network defined for the corresponding electronic file, and access to the corresponding electronic file is restricted by deletion of content of the corresponding electronic file upon determining the dissociation from the corresponding home network.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37)
- - 20. The system of claim 19, wherein the assets associated with the network comprises one or more of:
    - a device connected to the network, a file stored on a storage device connected to the network, and a user-profile associated with the network.
  - 21. The system of claim 19, wherein initiating the integration of the first and second security tokens into the corresponding electronic files comprises initiating an encryption of the electronic files based on the corresponding security tokens.
  - 22. The system of claim 19, wherein the corresponding home network for at least one of the first and second electronic files is defined based on one or more security policies associated with the corresponding electronic file.
  - 23. The system of claim 19, wherein the information includes one or more of:
    - a serial number of a device, a media access control (MAC) address, a file path, a registry key, a network identifier, an internet protocol (IP) address, a file-type identifier, a user-profile identifier, and one or more policies associated with the network.
  - 24. The system of claim 19, wherein the information about the multiple assets is received from an agent deployed on the network.
  - 25. The system of claim 24, wherein the agent is configured to scan the devices of the network to obtain the information.
  - 26. The system of claim 24, wherein the one or more processors are configured to deploy the agent on the network.
  - 27. The system of claim 19, wherein the security token comprises an object generated in accordance with Component Object Model (COM).
  - 28. The system of claim 19, wherein the one or more processors are configured to generate at least one of the first and second security tokens in accordance with one or more security policies associated with the corresponding electronic file.
  - 29. The system of claim 19, wherein determining the dissociation of the first or second electronic file from the corresponding home network comprises determining that the corresponding electronic file is not stored on a device associated with the corresponding home network.
  - 30. The system of claim 19, wherein determining the dissociation of the first or second electronic file from the corresponding home network comprises detecting an access attempt from a user-profile not associated with the corresponding home network.
  - 31. The system of claim 19, wherein the information about the first or second security token and the information linking the first or second security token to the corresponding electronic file are stored in a database.
  - 32. The system of claim 19, wherein the one or more processors are configured to initiate an integration of the first and second security tokens into the corresponding electronic files by initiating a code injection to a header portion of at least one of the electronic files.
  - 33. The system of claim 19, wherein the one or more processors are configured to initiate an integration of the first and second security tokens with the corresponding electronic files by initiating an encapsulation of at least one of the security tokens with the corresponding electronic file.
  - 34. The system of claim 33, wherein an executable file is generated via the encapsulation.
  - 35. The system of claim 19, wherein the first or second electronic file is an electronic document, and the corresponding security token is integrated into the document as a portion of a page description language of the document.
  - 36. The system of claim 19, wherein the other assets include one or more of a device and a user profile associated with a user permitted to access the corresponding electronic files.
  - 37. The system of claim 19, wherein the first home network is different from the second home network.

38. One or more machine-readable storage devices storing instructions that are executable by one or more processing devices to perform operations comprising:
- receiving information about multiple assets associated with a network of devices, the multiple assets including at least two electronic files;
  
  generating, a first electronic file of the multiple assets, a first security token that is based at least on a portion of the received information about the first electronic file, wherein the first security token is configured to identify a first home network defined for the first electronic file, the first home network being specific to the first electronic file and being defined by a first selection of other assets;
  
  generating, for a second electronic file of the multiple assets, a second security token that is based at least on a portion of the received information about the second electronic file, wherein the second security token is configured to identify a second home network defined for the second electronic file, the second home network being specific to the second electronic file and being defined by a second selection of other assets;
  
  storing, in a storage device, information about the first and second security tokens and information linking the first and second security tokens to the corresponding electronic files;
  
  initiating integration of the first and second security tokens with the corresponding electronic files; and
  
  restricting access to the first or second electronic file upon detecting an occurrence of an unauthorized activity involving the corresponding electronic file, wherein detecting the occurrence of the unauthorized activity comprises determining a dissociation of the first or second electronic file from the corresponding home network defined for the asset, and access to the corresponding electronic file is restricted by deletion of content of the corresponding electronic file upon determining the dissociation from the corresponding home network.
- View Dependent Claims (39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53)
- - 39. The one or more machine-readable storage devices of claim 38, wherein the assets associated with the network comprises one or more of:
    - a device connected to the network, a file stored on a storage device connected to the network, and a user-profile associated with the network.
  - 40. The one or more machine-readable storage devices of claim 38, wherein initiating the integration of the first and second security tokens into the corresponding electronic files comprises initiating an encryption of the electronic files based on the corresponding security tokens.
  - 41. The one or more machine-readable storage devices of claim 38, wherein the corresponding home network for at least one of the first and second electronic files is defined based on one or more security policies associated with the corresponding electronic file.
  - 42. The one or more machine-readable storage devices of claim 38, wherein the information includes one or more of:
    - a serial number of a device, a media access control (MAC) address, a file path, a registry key, a network identifier, an internet protocol (IP) address, a file-type identifier, a user-profile identifier, and one or more policies associated with the network.
  - 43. The one or more machine-readable storage devices of claim 38, wherein the information about the multiple assets is received from an agent deployed on the network.
  - 44. The one or more machine-readable storage devices of claim 38, wherein the security token comprises an object generated in accordance with Component Object Model (COM).
  - 45. The one or more machine-readable storage devices of claim 38, wherein at least one of the first and second security tokens is generated in accordance with one or more security policies associated with the corresponding electronic file.
  - 46. The one or more machine-readable storage devices of claim 38, wherein determining the dissociation of the first or second electronic file from the corresponding home network comprises determining that the corresponding electronic file is not stored on a device associated with the corresponding home network.
  - 47. The one or more machine-readable storage devices of claim 38, wherein determining the dissociation of the first or second electronic file from the corresponding home network comprises detecting an access attempt from a user-profile not associated with the corresponding home network.
  - 48. The one or more machine-readable storage devices of claim 38, wherein initiating an integration of the first and second security tokens into the corresponding electronic files comprises initiating a code injection to a header portion of at least one of the first and second electronic files.
  - 49. The one or more machine-readable storage devices of claim 38, wherein initiating an integration of the first and second security tokens with the corresponding electronic files comprises initiating an encapsulation of at least one of the security tokens with the corresponding electronic file.
  - 50. The one or more machine-readable storage devices of claim 49, wherein an executable file is generated via the encapsulation.
  - 51. The one or more machine-readable storage devices of claim 38, wherein the first or second electronic file is an electronic document, and the corresponding security token is integrated into the document as a portion of a page description language of the document.
  - 52. The one or more machine-readable storage devices of claim 38, wherein the other assets include one or more of a device and a user profile associated with a user permitted to access the corresponding electronic files.
  - 53. The one or more machine-readable storage devices of claim 38, wherein the first home network is different from the second home network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Document Dynamics, LLC
Original Assignee
Document Dynamics, LLC
Inventors
Caffary, Robert G. Jr.
Primary Examiner(s)
Hirl, Joseph P
Assistant Examiner(s)
GUNDRY, STEPHEN T

Application Number

US14/456,777
Publication Number

US 20160044040A1
Time in Patent Office

771 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/335   for accessing specific reso...

G06F 21/602   Providing cryptographic fac...

G06F 21/6209   to a single file or object,...

G06F 21/6218   to a system of files or obj...

G06F 2221/2143   Clearing memory, e.g. to pr...

H04L 2209/56   Financial cryptography, e.g...

H04L 63/06   for supporting key manageme...

H04L 63/08   for authentication of entit...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0815   providing single-sign-on or...

H04L 63/10   for controlling access to d...

H04L 63/102   Entity profiles

H04L 63/20   for managing network securi...

H04L 67/306   User profiles

H04L 9/006   involving public key infras...

H04L 9/14   using a plurality of keys o...

H04L 9/30   Public key, i.e. encryption...

Environment-aware security tokens

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

53 Claims

Specification

Solutions

Use Cases

Quick Links

Environment-aware security tokens

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

53 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links