Token-based encryption rule generation process

US 9,720,849 B2
Filed: 06/28/2016
Issued: 08/01/2017
Est. Priority Date: 09/17/2014
Status: Active Grant

First Claim

Patent Images

1. A data storage system comprising:

a computing system comprising one or more hardware processors programmed to;

access a set of data tokens derived from a plurality of files comprising a set of training files, at least some of the set of data tokens comprising content designated as sensitive information, each of the data tokens comprising a portion of content of at least one file from the plurality of files;

generate a prospective encryption rule based at least in part on an aggregated set of data tokens, the aggregated set of data tokens including data tokens that appear in more than one file from the plurality of files;

perform the prospective encryption rule on the plurality of files;

determine a number of files from the plurality of files identified for encryption by performance of the prospective encryption rule;

responsive, at least in part, to the number of files identified for encryption satisfying a threshold number of files, add the prospective encryption rule to a set of available encryption rules; and

responsive, at least in part, to the number of files identified for encryption not satisfying the threshold number of files, iteratively modify the prospective encryption rule until the threshold number of files of the plurality of files are identified for encryption by performance of the modified prospective encryption rule.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Data storage systems are disclosed for automatically generating encryption rules based on a set of training files that are known to include sensitive information. The system may use a number of heuristic algorithms to generate one or more encryption rules for determining whether a file includes sensitive information. Further, the system may apply the heuristic algorithms to the content of the files, as determined by using natural language processing algorithms, to generate the encryption rules. Moreover, systems are disclosed that are capable of automatically determining whether to encrypt a file based on the generated encryption rules. The content of the file may be determined using natural language processing algorithms and then the encryption rules may be applied to the content of the file to determine whether to encrypt the file.

285 Citations

20 Claims

1. A data storage system comprising:
- a computing system comprising one or more hardware processors programmed to;
  
  access a set of data tokens derived from a plurality of files comprising a set of training files, at least some of the set of data tokens comprising content designated as sensitive information, each of the data tokens comprising a portion of content of at least one file from the plurality of files;
  
  generate a prospective encryption rule based at least in part on an aggregated set of data tokens, the aggregated set of data tokens including data tokens that appear in more than one file from the plurality of files;
  
  perform the prospective encryption rule on the plurality of files;
  
  determine a number of files from the plurality of files identified for encryption by performance of the prospective encryption rule;
  
  responsive, at least in part, to the number of files identified for encryption satisfying a threshold number of files, add the prospective encryption rule to a set of available encryption rules; and
  
  responsive, at least in part, to the number of files identified for encryption not satisfying the threshold number of files, iteratively modify the prospective encryption rule until the threshold number of files of the plurality of files are identified for encryption by performance of the modified prospective encryption rule.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The data storage system of claim 1, further comprising an encryption rules repository configured to store the set of available encryption rules, wherein the encryption rules repository is accessible by one or more computing systems.
  - 3. The data storage system of claim 1, wherein the one or more hardware processors are further programmed to:
    - determine a context condition for the prospective encryption rule, the context condition identifying when to apply the prospective encryption rule to a file; and
      
      associate the context condition with the prospective encryption rule.
  - 4. The data storage system of claim 3, wherein the context condition comprises at least one of an identity of a user, an identity of a department that includes the user within an entity, a geographic location of a computing device storing the file, a network location of the computing device storing the file, and a device type of the computing device.
  - 5. The data storage system of claim 1, wherein the one or more hardware processors are further programmed to:
    - access the set of available encryption rules;
      
      identify a file using at least one encryption rule from the set of available encryption rules, wherein the file is identified based at least in part on a correspondence between portions of the file and at least one data token used to generate the at least one encryption rule from the set of available encryption rules; and
      
      encrypt the file using the at least one encryption rule.
  - 6. The data storage system of claim 1, wherein the plurality of files comprise a plurality of training files selected for generating one or more prospective encryption rules.
  - 7. The data storage system of claim 1, wherein the one or more hardware processors are further programmed to:
    - present the prospective encryption rule to a user;
      
      receive an input from the user responsive to presenting the prospective encryption rule to the user; and
      
      determine whether to include the prospective encryption rule in the set of available encryption rules based at least in part on the input received from the user.
  - 8. The data storage system of claim 1, wherein the one or more hardware processors are further programmed to remove a data token from the set of data tokens based at least in part on an identified set of non-sensitive data tokens.
  - 9. The data storage system of claim 1, wherein the one or more hardware processors are further programmed to:
    - monitor creation of the file; and
      
      determine whether the file satisfies an encryption rule from the set of available encryption rules.

10. A method of automatically generating encryption rules using machine learning techniques, the method comprising:
- accessing, by a rules generation system comprising computer hardware, a set of data tokens derived from a plurality of files comprising a set of training files, at least some of the set of data tokens comprising content designated as sensitive information, each of the data tokens comprising a portion of content of at least one file from the plurality of files;
  
  generating a prospective encryption rule based at least in part on the set of data tokens;
  
  performing the prospective encryption rule with respect to the plurality of files;
  
  determining a percentage of files from the plurality of files identified for encryption using the prospective encryption rule;
  
  responsive, at least in part, to the percentage of files identified for encryption not satisfying a threshold, iteratively modifying the prospective encryption rule until performance of the modified prospective encryption rule results in a threshold percentage of files being identified for encryption; and
  
  subsequent to said iteratively modifying, responsive, at least in part, to the threshold percentage of files being identified for encryption, adding the prospective encryption rule to a set of encryption rules.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 11. The method of claim 10, further comprising applying one or more natural language processing algorithms to the plurality of files to obtain the set of data tokens.
  - 12. The method of claim 11, wherein applying the one or more natural language processing algorithms comprises performing at least one of the following natural language processing tasks:
    - automatic summarization, coreference resolution, discourse analysis, machine translation, morphological segmentation, named entity recognition, natural language understanding, optical character recognition, part-of-speech tagging, parsing, relationship extraction, sentence boundary disambiguation, sentiment analysis, topic segmentation and recognition, word segmentation, word sense disambiguation, singular value decomposition, latent semantic analysis, latent Dirichlet allocation, pachinko allocation, and probabilistic latent semantic analysis.
  - 13. The method of claim 10, further comprising applying one or more heuristic algorithms to the plurality of files to obtain the set of data tokens.
  - 14. The method of claim 10, further comprising:
    - accessing the set of encryption rules;
      
      identifying a file using at least one encryption rule from the set of encryption rules, wherein the file is identified based at least in part on a correspondence between portions of the file and at least one data token used to generate the at least one encryption rule from the set of encryption rules; and
      
      encrypting the file using the at least one encryption rule.
  - 15. The method of claim 10, wherein generating the prospective encryption rule comprises applying the one or more algorithms to a cumulative set of data tokens formed by combining the sets of data tokens from a plurality of files.
  - 16. The method of claim 10, further comprising:
    - presenting the prospective encryption rule to a user for confirmation; and
      
      responsive, at least in part, to receiving confirmation of the prospective encryption rule from the user, adding the prospective encryption rule to the set of encryption rules.
  - 17. The method of claim 10, further comprising storing the set of encryption rules at an electronic data store accessible by a plurality of networked computing systems.
  - 18. The method of claim 10, wherein generating the prospective encryption rule comprises filtering data tokens identified as non-sensitive from the set of data tokens for each file from the plurality of files.
  - 19. The method of claim 10, further comprising:
    - monitoring file creation and/or file modification activity for a set of files;
      
      in response to detecting a file creation and/or modification event with respect to a file from the set of files, determining whether the file satisfies an encryption rule from the set of encryption rules; and
      
      in response to determining that the file satisfies the encryption rule from the set of encryption rules, identifying the file as protected.
  - 20. The method of claim 19, further comprising:
    - determining whether the file satisfies a context condition associated with the encryption rule; and
      
      in response to determining that the context condition is satisfied, encrypting the file.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CommVault Systems Incorporated
Original Assignee
CommVault Systems Incorporated
Inventors
Yuan, Yun, Liu, Yongtao, Amarendran, Arun Prasad, Chatterjee, Tirthankar
Primary Examiner(s)
Patel, Haresh N

Application Number

US15/195,681
Publication Number

US 20160306984A1
Time in Patent Office

399 Days
Field of Search

726 1, 713193
US Class Current
CPC Class Codes

G06F 12/1408   by using cryptography for d...

G06F 16/164   File meta data generation

G06F 21/602   Providing cryptographic fac...

G06F 21/6218   to a system of files or obj...

G06F 2212/1052   Security improvement

G06F 2212/402   Encrypted data

G06F 2221/2107   File encryption

G06F 40/20   Natural language analysis s...

G06N 20/00   Machine learning

G06N 5/02   Knowledge representation; S...

H04L 63/0428   wherein the data content is...

H04L 67/10   in which an application is ...

Token-based encryption rule generation process

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

285 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Token-based encryption rule generation process

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

285 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links