Systems and methods for detecting information leakage by an organizational insider
First Claim

1. A computer-implemented method for detecting information leakage by an organizational insider, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:
- identifying a set of organizational insiders of an organization;
- identifying a set of public forums used by at least one organizational insider in the set of organizational insiders;
- identifying a set of messages that contain sensitive information capable of being leveraged in a targeted attack on the organization and are posted by at least one organizational insider of the organization to at least one public forum in the set of public forums;
- creating a message record corresponding to each message in the set of messages, the message record comprising:
  - a message summary; and
  - a set of message metadata fields that includes a message metadata field indicating a risk score that quantifies a sensitivity level of contents of the message;
- generating a plurality of message summary records that each comprise a consolidated set of message records that have been grouped based on the sets of message metadata fields within the message records;
- for each message summary record in the plurality of message summary records, determining a likelihood that the message summary record represents leaked sensitive information based on the risk score of the message record within the message summary record;
- identifying an information leakage threat by identifying at least one message metadata field within the plurality of message summary records that indicates an information leak using a machine learning classifier built based on training data comprising metadata fields within message summary records that describe previously-detected information leaks, wherein the machine learning classifier identifies the message metadata field that indicates the information leak by comparing, based on the likelihood that each message summary record in the plurality of message summary records represents leaked sensitive information, metadata fields within the plurality of message summary records with the metadata fields within the training data; and
- initiating, based on the information leakage threat, a security action on at least one computing system to prevent a targeted attack that is based on the leaked information.
Abstract
A computer-implemented method for detecting information leakage by an organizational insider may include (1) identifying a set of organizational insiders of an organization, (2) identifying a set of public forums used by one or more organizational insiders, (3) identifying a set of messages posted to one or more public forums, (4) creating a message record corresponding to each message, with the record including a message summary, and a set of message metadata fields, (5) consolidating message records with common metadata fields into a message summary record, and (6) identifying, based on the message summary record, an information leakage threat. Various other methods, systems, and computer-readable media are also disclosed.
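The pipeline the claim and abstract describe, steps (1) through (6) plus the hand-off to a security action, as an added Python example that is not part of the patent or any product implementing it. The posts, the sensitive-term weights, the grouping key (forum, topic) and the "match metadata against prior leaks above a likelihood threshold" classifier are all constructed assumptions standing in for the trained classifier the claim leaves unspecified.

```python
from collections import defaultdict

# Constructed sample forum posts (not real data); only alice and bob are insiders.
INSIDERS = {"alice", "bob"}
POSTS = [
    {"author": "alice", "forum": "devforum", "topic": "infra", "text": "Our build server runs Jenkins, anyone upgraded?"},
    {"author": "bob", "forum": "devforum", "topic": "network", "text": "Which VPN vendor is best?"},
    {"author": "alice", "forum": "devforum", "topic": "infra", "text": "We use Jenkins with LDAP at corp.example"},
    {"author": "carol", "forum": "devforum", "topic": "infra", "text": "Jenkins tips"},
]
# Constructed sensitive-term weights used to score message contents.
SENSITIVE = {"jenkins": 0.4, "ldap": 0.3, "corp.example": 0.5, "vpn": 0.2}
# Constructed training data: metadata fields of previously detected leaks.
PRIOR_LEAKS = [{"forum": "devforum", "topic": "infra"}]

def risk_score(text):
    """Sensitivity of one message: sum of matched term weights, capped at 1.0."""
    t = text.lower()
    return min(1.0, sum(w for term, w in SENSITIVE.items() if term in t))

def message_records(posts, insiders):
    """Steps (1)-(4): keep insider posts; each record = summary + metadata fields."""
    return [{"summary": p["text"][:40],
             "metadata": {"author": p["author"], "forum": p["forum"],
                          "topic": p["topic"], "risk": risk_score(p["text"])}}
            for p in posts if p["author"] in insiders]

def summary_records(recs):
    """Step (5): consolidate records sharing (forum, topic) into one summary record."""
    groups = defaultdict(list)
    for r in recs:
        groups[(r["metadata"]["forum"], r["metadata"]["topic"])].append(r)
    # Likelihood that a group represents a leak: the highest risk score within it.
    return [{"forum": f, "topic": t, "count": len(ms),
             "likelihood": max(m["metadata"]["risk"] for m in ms)}
            for (f, t), ms in groups.items()]

def leak_fields(summary, prior, threshold=0.5):
    """Step (6): fields matching a prior leak when likelihood >= threshold, else []."""
    for leak in prior:
        matches = [k for k in leak if summary.get(k) == leak[k]]
        if matches and summary["likelihood"] >= threshold:
            return matches
    return []

def detect_threats(posts=POSTS, insiders=INSIDERS, prior=PRIOR_LEAKS):
    """One (forum, topic, matched fields) tuple per threat, to hand to the security action (alerting)."""
    return [(s["forum"], s["topic"], f)
            for s in summary_records(message_records(posts, insiders)) if (f := leak_fields(s, prior))]
```

With the sample data, the two "infra" posts by alice consolidate into one summary record whose likelihood reaches 1.0 and whose forum and topic match the prior leak, so it is flagged; carol's post is dropped at step (1) and bob's low-risk "network" post stays below the threshold.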
20 Claims
1. Independent claim; its full text is given above under First Claim. Dependent claims: 2, 3, 4, 5, 6, 7, 8, 19, 20.
9. A system for detecting information leakage by an organizational insider, the system comprising:
- an insider identification module, stored in memory, that identifies a set of organizational insiders of an organization;
- a forum identification module that identifies a set of public forums used by at least one organizational insider in the set of organizational insiders;
- a message identification module that identifies a set of messages that contain sensitive information capable of being leveraged in a targeted attack on the organization and are posted by at least one organizational insider of the organization to at least one public forum in the set of public forums;
- a message record module, stored in memory, that creates a message record corresponding to each message in the set of messages, the message record comprising:
  - a message summary; and
  - a set of message metadata fields that includes a message metadata field indicating a risk score that quantifies a sensitivity level of contents of the message;
- a consolidation module, stored in memory, that generates a plurality of message summary records that each comprise a consolidated set of message records that have been grouped based on the sets of message metadata fields within the message records;
- a threat identification module that:
  - for each message summary record in the plurality of message summary records, determines a likelihood that the message summary record represents leaked sensitive information based on the risk score of the message record within the message summary record; and
  - identifies an information leakage threat by identifying at least one message metadata field within the plurality of message summary records that indicates an information leak using a machine learning classifier built based on training data comprising metadata fields within message summary records that describe previously-detected information leaks, wherein the machine learning classifier identifies the message metadata field that indicates the information leak by comparing, based on the likelihood that each message summary record in the plurality of message summary records represents leaked sensitive information, metadata fields within the plurality of message summary records with the metadata fields within the training data;
- a security module that initiates, based on the information leakage threat, a security action on at least one computing system to prevent a targeted attack that is based on the leaked information; and
- at least one processor configured to execute the insider identification module, the forum identification module, the message identification module, the message record module, the consolidation module, the threat identification module, and the security module.

Dependent claims: 10, 11, 12, 13, 14, 15, 16.
17. A non-transitory computer-readable storage medium comprising one or more computer-readable instructions that, when executed by at least one processor of a computing device, cause the computing device to:
- identify a set of organizational insiders of an organization;
- identify a set of public forums used by at least one organizational insider in the set of organizational insiders;
- identify a set of messages that contain sensitive information capable of being leveraged in a targeted attack on the organization and are posted by at least one organizational insider of the organization to at least one public forum in the set of public forums;
- create a message record corresponding to each message in the set of messages, the message record comprising:
  - a message summary; and
  - a set of message metadata fields that includes a message metadata field indicating a risk score that quantifies a sensitivity level of contents of the message;
- generate a plurality of message summary records that each comprise a consolidated set of message records that have been grouped based on the sets of message metadata fields within the message records;
- for each message summary record in the plurality of message summary records, determine a likelihood that the message summary record represents leaked sensitive information based on the risk score of the message record within the message summary record;
- identify an information leakage threat by identifying at least one message metadata field within the plurality of message summary records that indicates an information leak using a machine learning classifier built based on training data comprising metadata fields within message summary records that describe previously-detected information leaks, wherein the machine learning classifier identifies the message metadata field that indicates the information leak by comparing, based on the likelihood that each message summary record in the plurality of message summary records represents leaked sensitive information, metadata fields within the plurality of message summary records with the metadata fields within the training data; and
- initiate, based on the information leakage threat, a security action on at least one computing system to prevent a targeted attack that is based on the leaked information.

Dependent claims: 18.
Specification