Token-based encryption determination process

US 9,727,491 B2
Filed: 06/29/2016
Issued: 08/08/2017
Est. Priority Date: 09/17/2014
Status: Active Grant

First Claim

Patent Images

1. A data storage system comprising:

a computing system comprising one or more hardware processors programmed to;

detect a file interaction event with respect to a file on a storage device;

responsive to detecting the file interaction event with respect to the file, access an encryption rule, the encryption rule including a set of rules for determining whether to encrypt files based on a set of context conditions, the set of context conditions including a geographic context;

determine a set of data tokens for the file, each of the data tokens comprising a portion of content of the file;

apply the encryption rule to the set of data tokens to determine whether the file includes content designated for protection, wherein application of the encryption rule includes;

determining whether one or more data tokens from the set of data tokens satisfy the encryption rule; and

ceasing said determining whether the one or more data tokens from the set of data tokens satisfy the encryption rule upon identification of a threshold number of data tokens satisfying the encryption rule regardless of whether each data token from the set of data tokens has been processed to determine whether it satisfies the encryption rule;

responsive to determining that the file includes content designated for protection;

determine a geographic location of the storage device;

determine whether the geographic location of the storage device satisfies the geographic context for encrypting the file; and

responsive to the geographic location of the storage device satisfying the geographic context, encrypting the file; and

responsive to an indication that the file does not include content designated for protection;

include the file with a set of training files used to generate one or more encryption rules; and

modify the encryption rule based at least in part on the set of training files and the file.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Data storage systems are disclosed for automatically generating encryption rules based on a set of training files that are known to include sensitive information. The system may use a number of heuristic algorithms to generate one or more encryption rules for determining whether a file includes sensitive information. Further, the system may apply the heuristic algorithms to the content of the files, as determined by using natural language processing algorithms, to generate the encryption rules. Moreover, systems are disclosed that are capable of automatically determining whether to encrypt a file based on the generated encryption rules. The content of the file may be determined using natural language processing algorithms and then the encryption rules may be applied to the content of the file to determine whether to encrypt the file.

283 Citations

18 Claims

1. A data storage system comprising:
- a computing system comprising one or more hardware processors programmed to;
  
  detect a file interaction event with respect to a file on a storage device;
  
  responsive to detecting the file interaction event with respect to the file, access an encryption rule, the encryption rule including a set of rules for determining whether to encrypt files based on a set of context conditions, the set of context conditions including a geographic context;
  
  determine a set of data tokens for the file, each of the data tokens comprising a portion of content of the file;
  
  apply the encryption rule to the set of data tokens to determine whether the file includes content designated for protection, wherein application of the encryption rule includes;
  
  determining whether one or more data tokens from the set of data tokens satisfy the encryption rule; and
  
  ceasing said determining whether the one or more data tokens from the set of data tokens satisfy the encryption rule upon identification of a threshold number of data tokens satisfying the encryption rule regardless of whether each data token from the set of data tokens has been processed to determine whether it satisfies the encryption rule;
  
  responsive to determining that the file includes content designated for protection;
  
  determine a geographic location of the storage device;
  
  determine whether the geographic location of the storage device satisfies the geographic context for encrypting the file; and
  
  responsive to the geographic location of the storage device satisfying the geographic context, encrypting the file; and
  
  responsive to an indication that the file does not include content designated for protection;
  
  include the file with a set of training files used to generate one or more encryption rules; and
  
  modify the encryption rule based at least in part on the set of training files and the file.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The data storage system of claim 1, wherein the one or more hardware processors are further programmed to determine the set of data tokens for the file by executing one or more natural language processing algorithms with respect to the file.
  - 3. The data storage system of claim 1, wherein the one or more hardware processors are further programmed to identify the encryption rule from a set of encryption rules using a pattern recognition process with respect to the set of data tokens.
  - 4. The data storage system of claim 1, wherein determining whether the geographic location of the storage device satisfies the geographic context comprises determining whether the storage device is located within a particular geographic area.
  - 5. The data storage system of claim 1, wherein determining whether the geographic location of the storage device satisfies the geographic context comprises determining whether the storage device is external to a particular geographic area.
  - 6. The data storage system of claim 1, wherein determining whether the geographic location of the storage device satisfies the geographic context comprises determining whether the storage device is located within a geographic area associated with a particular entity.
  - 7. The data storage system of claim 1, wherein the computing system further comprises the storage device.
  - 8. The data storage system of claim 1, wherein the one or more hardware processors are further programmed to:
    - request confirmation from a user that the file includes content designated for protection; and
      
      responsive to receiving from the user the indication that the file does not include content designated for protection, include the file with the set of training files used to generate the one or more encryption rules.
  - 9. The data storage system of claim 1, wherein detecting the file interaction event further comprises detecting a file context event.
  - 10. The data storage system of claim 9, wherein the file context event comprises a change in the geographic location of the storage device.

11. A method of performing context-based encryption, the method comprising:
- detecting, by an encryption system comprising one or more hardware processors, a file interaction event with respect to a file;
  
  accessing, by the encryption system, an encryption rule the encryption rule including a set of rules for determining whether to encrypt files based at least in part on a set of context conditions, the set of context conditions including a geographic context;
  
  determining, by the encryption system, a set of data tokens for the file, each of the data tokens comprising a portion of content of the file;
  
  applying, by the encryption system, the encryption rule to the set of data tokens to determine whether the file includes content designated for protection, wherein applying the encryption rule includes;
  
  determining whether one or more data tokens from the set of data tokens satisfy the encryption rule; and
  
  ceasing to determine whether the one or more data tokens from the set of data tokens satisfy the encryption rule upon identification of a threshold number of data tokens satisfying the encryption rule regardless of whether each data token from the set of data tokens has been processed to determine whether it satisfies the encryption rule;
  
  responsive to determining that the file includes content designated for protection;
  
  determining a geographic location of the file;
  
  determining whether the geographic location of the file satisfies the geographic context for encrypting the file; and
  
  responsive to the geographic location of the file satisfying the geographic context, encrypting, by the encryption system, the file; and
  
  responsive to an indication that the file does not include content designated for protection;
  
  including the file with a set of training files used to generate one or more encryption rules; and
  
  modifying the encryption rule based at least in part on the set of training files and the file.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18)
- - 12. The method of claim 11, wherein determining the set of data tokens for the file comprises performing one or more natural language processing algorithms with respect to the file.
  - 13. The method of claim 11, further comprising using a pattern recognition process with respect to the set of data tokens to identify the encryption rule from a set of encryption rules.
  - 14. The method of claim 11, wherein determining whether the geographic location of the file satisfies the geographic context comprises determining whether the geographic location of the file with respect to a particular geographic area.
  - 15. The method of claim 11, further comprising:
    - requesting confirmation from a user that the file includes content designated for protection; and
      
      responsive to receiving from the user the indication that the file does not include content designated for protection, adding the file to the set of training files used to generate the one or more encryption rules.
  - 16. The method of claim 11, wherein detecting the file interaction event further comprises detecting a file context event.
  - 17. The method of claim 16, wherein the file context event comprises a change in the geographic location of the storage device.
  - 18. The method of claim 11, wherein determining the geographic location of the file comprises determining a geographic location of a storage device that stores the file.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CommVault Systems Incorporated
Original Assignee
CommVault Systems Incorporated
Inventors
Yuan, Yun, Amarendran, Arun Prasad, Chatterjee, Tirthankar, Liu, Yongtao
Primary Examiner(s)
Patel, Haresh N

Application Number

US15/197,473
Publication Number

US 20160306751A1
Time in Patent Office

405 Days
Field of Search

713193
US Class Current
CPC Class Codes

G06F 12/1408   by using cryptography for d...

G06F 16/164   File meta data generation

G06F 21/602   Providing cryptographic fac...

G06F 21/6218   to a system of files or obj...

G06F 2212/1052   Security improvement

G06F 2212/402   Encrypted data

G06F 2221/2107   File encryption

G06F 40/20   Natural language analysis s...

G06N 20/00   Machine learning

G06N 5/02   Knowledge representation; S...

H04L 63/0428   wherein the data content is...

H04L 67/10   in which an application is ...

Token-based encryption determination process

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

283 Citations

18 Claims

Specification

Use Cases

Quick Links

Others

Token-based encryption determination process

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

283 Citations

18 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others