
Techniques for preventing large-scale data breaches utilizing differentiated protection layers

  • US 9,674,202 B1
  • Filed: 12/29/2015
  • Issued: 06/06/2017
  • Est. Priority Date: 12/29/2015
  • Status: Active Grant
First Claim

1. A method in a security gateway for preventing large-scale data breaches, wherein the security gateway is communicatively coupled between a plurality of client end stations and one or more servers that store and serve a plurality of files, the method comprising:

    receiving, at the security gateway from one or more of the plurality of client end stations, a plurality of file access requests seeking access to files of the plurality of files stored by the one or more servers, wherein each of the plurality of file access requests includes an immutable identifier of one of the files, wherein the plurality of files have been divided into a first subset that are currently classified as active files and a second subset that are currently classified as inactive files, wherein the current classification of the plurality of files into active files and inactive files is based upon a likelihood of further legitimate access to the files;

    determining, for each of the plurality of file access requests, whether the requested file is one of the first subset of the plurality of files that are currently classified as active files and thus is not in the second subset of the plurality of files that are currently classified inactive files, wherein the first subset includes less than fifty percent of the plurality of files, and wherein the second subset includes greater than fifty percent of the plurality of files;

    for those of the plurality of file access requests requesting files determined to be in the first subset of the plurality of files that are currently classified as active files, subjecting those file access requests to a first protection layer including a first set of zero or more protection mechanisms; and

    for those of the plurality of file access requests involving files determined to not be in the first subset of the plurality of files that are currently classified as active files, subjecting those file access requests to a second protection layer including a second set of one or more protection mechanisms, wherein the first protection layer is more permissive than the second protection layer in that certain file access requests that would be deemed acceptable if submitted to the first protection layer would not be deemed acceptable if submitted to the second protection layer, and in that all file access requests that would be deemed acceptable if submitted to the second protection layer would be deemed acceptable if submitted to the first protection layer, whereby large-scale data breaches are efficiently prevented without disruption to legitimate file access requests.
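The routing described in claim 1, as an added sketch that is not code from the patent or its assignee: requests are classified by file identifier and sent to a permissive or a strict layer, and the strict layer is built as the permissive layer plus an extra check, so anything it accepts the permissive layer also accepts. The claim does not name the protection mechanisms; the client denylist, the sliding-window cap on inactive-file reads, the limit values and all identifiers below are assumptions.

```python
from collections import defaultdict, deque

class Gateway:
    """Routes file access requests by active/inactive classification."""

    def __init__(self, all_ids, active_ids, denylist=(), inactive_limit=3, window=60.0):
        self.active = set(active_ids)
        # Claim 1 requires the active subset to be under fifty percent of all files.
        if not len(self.active) * 2 < len(set(all_ids)):
            raise ValueError("active subset must be less than 50% of files")
        self.denylist = set(denylist)          # assumed layer-1 mechanism
        self.inactive_limit = inactive_limit   # assumed layer-2 mechanism
        self.window = window                   # seconds
        self.recent = defaultdict(deque)       # client -> times of allowed inactive reads

    def layer1(self, client):
        """Permissive layer: only the client denylist."""
        return client not in self.denylist

    def layer2(self, client, now):
        """Strict layer: layer 1 plus a sliding-window cap, so it can never
        accept a request that layer 1 would reject."""
        if not self.layer1(client):
            return False
        q = self.recent[client]
        while q and now - q[0] > self.window:
            q.popleft()
        if len(q) >= self.inactive_limit:
            return False
        q.append(now)
        return True

    def handle(self, client, file_id, now):
        """Classify by immutable file identifier, then apply the matching layer."""
        if file_id in self.active:
            return "active", self.layer1(client)
        return "inactive", self.layer2(client, now)

# Constructed sample data: ten file identifiers, three of them active.
ALL_IDS = [f"file-{i}" for i in range(10)]
ACTIVE_IDS = ALL_IDS[:3]
# Constructed traffic: one client re-reading active files, one sweeping inactive ones.
NORMAL = [("client-a", ACTIVE_IDS[i % 3], float(i)) for i in range(20)]
BULK = [("client-b", fid, float(i)) for i, fid in enumerate(ALL_IDS[3:])]

def replay(requests):
    """Run (client, file_id, time) tuples through a fresh gateway."""
    gw = Gateway(ALL_IDS, ACTIVE_IDS)
    return [gw.handle(c, f, t) for c, f, t in requests]
```

Replaying `NORMAL` leaves every request allowed, while the sweep in `BULK` is cut off after the third inactive file within the window.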

  • 5 Assignments