Systems and methods for detecting information leakage by an organizational insider

US 9,652,597 B2
Filed: 04/25/2014
Issued: 05/16/2017
Est. Priority Date: 03/12/2014
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for detecting information leakage by an organizational insider, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:

identifying a set of organizational insiders of an organization;

identifying a set of public forums used by at least one organizational insider in the set of organizational insiders;

identifying a set of messages that contain sensitive information capable of being leveraged in a targeted attack on the organization and are posted by at least one organizational insider of the organization to at least one public forum in the set of public forums;

creating a message record corresponding to each message in the set of messages, the message record comprising;

a message summary; and

a set of message metadata fields that includes a message metadata field indicating a risk score that quantifies a sensitivity level of contents of the message;

generating a plurality of message summary records that each comprise a consolidated set of message records that have been grouped based on the sets of message metadata fields within the message records;

for each message summary record in the plurality of message summary records, determining a likelihood that the message summary record represents leaked sensitive information based on the risk score of the message record within the message summary record;

identifying an information leakage threat by identifying at least one message metadata field within the plurality of message summary records that indicates an information leak using a machine learning classifier built based on training data comprising metadata fields within message summary records that describe previously-detected information leaks, wherein the machine learning classifier identifies the message metadata field that indicates the information leak by comparing based on the likelihood that each message summary record in the plurality of message summary records represents leaked sensitive information, metadata fields within the plurality of message summary records with the metadata fields within the training data; and

initiating, based on the information leakage threat, a security action on at least one computing system to prevent a targeted attack that is based on the leaked information.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer-implemented method for detecting information leakage by an organizational insider may include (1) identifying a set of organizational insiders of an organization, (2) identifying a set of public forums used by one or more organizational insiders, (3) identifying a set of messages posted to one or more public forums, (4) creating a message record corresponding to each message, with the record including a message summary, and a set of message metadata fields, (5) consolidating message records with common metadata fields into a message summary record, and (6) identifying, based on the message summary record, an information leakage threat. Various other methods, systems, and computer-readable media are also disclosed.

39 Citations

View as Search Results

20 Claims

1. A computer-implemented method for detecting information leakage by an organizational insider, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:
- identifying a set of organizational insiders of an organization;
  
  identifying a set of public forums used by at least one organizational insider in the set of organizational insiders;
  
  identifying a set of messages that contain sensitive information capable of being leveraged in a targeted attack on the organization and are posted by at least one organizational insider of the organization to at least one public forum in the set of public forums;
  
  creating a message record corresponding to each message in the set of messages, the message record comprising;
  
  a message summary; and
  
  a set of message metadata fields that includes a message metadata field indicating a risk score that quantifies a sensitivity level of contents of the message;
  
  generating a plurality of message summary records that each comprise a consolidated set of message records that have been grouped based on the sets of message metadata fields within the message records;
  
  for each message summary record in the plurality of message summary records, determining a likelihood that the message summary record represents leaked sensitive information based on the risk score of the message record within the message summary record;
  
  identifying an information leakage threat by identifying at least one message metadata field within the plurality of message summary records that indicates an information leak using a machine learning classifier built based on training data comprising metadata fields within message summary records that describe previously-detected information leaks, wherein the machine learning classifier identifies the message metadata field that indicates the information leak by comparing based on the likelihood that each message summary record in the plurality of message summary records represents leaked sensitive information, metadata fields within the plurality of message summary records with the metadata fields within the training data; and
  
  initiating, based on the information leakage threat, a security action on at least one computing system to prevent a targeted attack that is based on the leaked information.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 19, 20)
- - 2. The computer-implemented method of claim 1, wherein the set of public forums comprises at least one of:
    - a social media site;
      
      a website;
      
      a blog;
      
      an electronic mailing list;
      
      a discussion board;
      
      an electronic bulletin board; and
      
      a wiki.
  - 3. The computer-implemented method of claim 1, wherein identifying the set of messages posted on the public forum comprises:
    - identifying a set of keywords pertaining to at least one of;
      
      organizational infrastructure of the organization;
      
      confidential organizational information of the organization; and
      
      organizational insider personal information of the organizational insiders in the organization; and
      
      searching the public forum for messages containing at least one keyword in the set of keywords.
  - 4. The computer-implemented method of claim 3, wherein identifying the set of keywords comprises:
    - intercepting network communications transmitted by at least one of;
      
      a network gateway;
      
      a network router;
      
      an email gateway;
      
      a network firewall;
      
      a proxy server; and
      
      a data-loss-prevention program; and
      
      compiling the set of keywords from the intercepted network communications.
  - 5. The computer-implemented method of claim 3, wherein searching the public forum for messages containing the keyword comprises at least one of:
    - searching the public forum using a search engine;
      
      searching the public forum using a web crawler; and
      
      searching the public forum using a database query.
  - 6. The computer-implemented method of claim 1, wherein the set of message metadata fields further comprises at least one of:
    - a message source;
      
      a message destination;
      
      a timestamp;
      
      a message type;
      
      a user identification;
      
      a data loss prevention classification; and
      
      a sentiment.
  - 7. The computer-implemented method of claim 1, wherein generating the plurality of message summary records comprises consolidating sets of message records with at least one common message metadata field.
  - 8. The computer-implemented method of claim 1, wherein determining the likelihood that each message summary record represents leaked sensitive information comprises calculating an information leakage threat rating for each message summary record based on the risk score of the message record within each message summary record.
  - 19. The computer-implemented method of claim 1, wherein the security action comprises at least one of:
    - notifying an administrator of the information leakage threat;
      
      initiating a data security restriction policy for at least one organizational insider;
      
      initiating a data security restriction policy for at least one information resource; and
      
      initiating a network access restriction policy for at least one public forum.
  - 20. The computer-implemented method of claim 1, wherein identifying the information leakage threat further comprises at least one of:
    - identifying sensitive information included in at least one message summary record, the leaked sensitive information comprising at least one of;
      
      personal information;
      
      financial information;
      
      physical infrastructure information; and
      
      data security information;
      
      identifying an organizational insider that potentially leaked information to at least one public forum; and
      
      identifying a public forum where at least one organizational insider posted potentially leaked information.

9. A system for detecting information leakage by an organizational insider, the system comprising:
- an insider identification module, stored in memory, that identifies a set of organizational insiders of an organization;
  
  a forum identification module that identifies a set of public forums used by at least one organizational insider in the set of organizational insiders;
  
  a message identification module that identifies a set of messages that contain sensitive information capable of being leveraged in a targeted attack on the organization and are posted by at least one organizational insider of the organization to at least one public forum in the set of public forums;
  
  a message record module, stored in memory, that creates a message record corresponding to each message in the set of messages, the message record comprising;
  
  a message summary; and
  
  a set of message metadata fields that includes a message metadata field indicating a risk score that quantifies a sensitivity level of contents of the message;
  
  a consolidation module, stored in memory, that generates a plurality of message summary records that each comprise a consolidated set of message records that have been grouped based on the sets of message metadata fields within the message records;
  
  a threat identification module that;
  
  for each message summary record in the plurality of message summary records, determines a likelihood that the message summary record represents leaked sensitive information based on the risk score of the message record within the message summary record; and
  
  identifies an information leakage threat by identifying at least one message metadata field within the plurality of message summary records that indicates an information leak using a machine learning classifier built based on training data comprising metadata fields within message summary records that describe previously-detected information leaks, wherein the machine learning classifier identifies the message metadata field that indicates the information leak by comparing, based on the likelihood that each message summary record in the plurality of message summary records represents leaked sensitive information, metadata fields within the plurality of message summary records with the metadata fields within the training data;
  
  a security module that initiates, based on the information leakage threat, a security action on at least one computing system to prevent a targeted attack that is based on the leaked information; and
  
  at least one processor configured to execute the insider identification module, the forum identification module, the message identification module, the message record module, the consolidation module, the threat identification module, and the security module.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The system of claim 9, wherein the set of public forums comprises at least one of:
    - a social media site;
      
      a website;
      
      a blog;
      
      an electronic mailing list;
      
      a discussion board;
      
      an electronic bulletin board; and
      
      a wiki.
  - 11. The system of claim 9, wherein the message identification module identifies the set of messages posted on the public forum by:
    - identifying a set of keywords pertaining to at least one of;
      
      organizational infrastructure of the organization;
      
      confidential organizational information of the organization; and
      
      organizational insider personal information of the organizational insiders in the organization; and
      
      searching the public forum for messages containing at least one keyword in the set of keywords.
  - 12. The system of claim 11, wherein the message identification module identifies the set of keywords by:
    - intercepting network communications transmitted by at least one of;
      
      a network gateway;
      
      a network router;
      
      an email gateway;
      
      a network firewall;
      
      a proxy server; and
      
      a data-loss-prevention program; and
      
      compiling the set of keywords from the intercepted network communications.
  - 13. The system of claim 11, wherein the message identification module searches the public forum for messages containing the keyword by at least one of:
    - searching the public forum using a search engine;
      
      searching the public forum using a web crawler; and
      
      searching the public forum using a database query.
  - 14. The system of claim 9, wherein the set of message metadata fields further comprises at least one of:
    - a message source;
      
      a message destination;
      
      a timestamp;
      
      a message type;
      
      a user identification;
      
      a data loss prevention classification; and
      
      a sentiment.
  - 15. The system of claim 9, wherein the consolidation module generates the plurality of message summary records by consolidating sets of message records with at least one common message metadata field.
  - 16. The system of claim 9, wherein the threat identification module determines the likelihood that each message summary record represents leaked sensitive information by calculating an information leakage threat rating for each message summary record based on the risk score of the message record within each message summary record.

17. A non-transitory computer-readable-storage medium comprising one or more computer-readable instructions that, when executed by at least one processor of a computing device, cause the computing device to:
- identify a set of organizational insiders of an organization;
  
  identify a set of public forums used by at least one organizational insider in the set of organizational insiders;
  
  identify a set of messages that contain sensitive information capable of being leveraged in a targeted attack on the organization and are posted by at least one organizational insider of the organization to at least one public forum in the set of public forums;
  
  create a message record corresponding to each message in the set of messages, the message record comprising;
  
  a message summary; and
  
  a set of message metadata fields that includes a message metadata field indicating a risk score that quantifies a sensitivity level of contents of the message;
  
  generate a plurality of message summary records that each comprise a consolidated set of message records that have been grouped based on the sets of message metadata fields within the message records;
  
  for each message summary record in the plurality of message summary records, determine a likelihood that the message summary record represents leaked sensitive information based on the risk score of the message record within the message summary record;
  
  identify an information leakage threat by identifying at least one message metadata field within the plurality of message summary records that indicates an information leak using a machine learning classifier built based on training data comprising metadata fields within message summary records that describe previously-detected information leaks, wherein the machine learning classifier identifies the message metadata field that indicates the information leak by comparing, based on the likelihood that each message summary record in the plurality of message summary records represents leaked sensitive information, metadata fields within the plurality of message summary records with the metadata fields within the training data; and
  
  initiate, based on the information leakage threat, a security action on at least one computing system to prevent a targeted attack that is based on the leaked information.
- View Dependent Claims (18)
- - 18. The non-transitory computer-readable-storage medium of claim 17, wherein the set of public forums comprises at least one of:
    - a social media site;
      
      a website;
      
      a blog;
      
      an electronic mailing list;
      
      a discussion board;
      
      an electronic bulletin board; and
      
      a wiki.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Gen Digital Inc.
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Roundy, Kevin Alejandro, Kashyap, Anand
Primary Examiner(s)
Armouche, Hadi
Assistant Examiner(s)
LAKHIA, VIRAL S

Application Number

US14/262,471
Publication Number

US 20150261940A1
Time in Patent Office

1,117 Days
Field of Search

726 22- 26, 713168-169
US Class Current
CPC Class Codes

G06F 21/10   Protecting distributed prog...

G06Q 10/10   Office automation; Time man...

G06Q 50/01   Social networking

H04L 67/01   Protocols

H04L 67/02   based on web technology, e....

H04L 67/1097   for distributed storage of ...

H04L 67/535   Tracking the activity of th...

Systems and methods for detecting information leakage by an organizational insider

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

39 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for detecting information leakage by an organizational insider

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

39 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links