Data leak protection in upper layer protocols

US 9,756,017 B2
Filed: 08/08/2016
Issued: 09/05/2017
Est. Priority Date: 09/10/2014
Status: Active Grant

First Claim

Patent Images

1. A data leak prevention (DLP) method comprising:

receiving, by a network security device associated with a private network, a packet originated by a host device within the private network and directed to a destination device outside of the private network;

identifying, by the network security device, an upper layer protocol associated with the received packet;

determining, by the network security device, whether the identified upper layer protocol is one of a plurality of candidate upper layer protocols having a potential to carry sensitive information out of the private network with reference to a database containing therein information regarding the plurality of candidate upper layer protocols, one or more corresponding requests or commands of interest for each of the plurality of candidate upper layer protocols and a corresponding suspect field within each of the one or more corresponding requests or commands of interest that is to be subjected to DLP scanning;

when a result of the determining is affirmative and a request or command represented by the received packet is among those of the one or more corresponding requests or commands of interest for the identified upper layer protocol, then performing, by the network security device, a DLP scan on content contained within the corresponding suspect field of the received packet by;

applying a plurality of DLP rules to the content, wherein each of the plurality of DLP rules include (i) a regular expression or a string defining a search pattern indicative of existence of one of a plurality of forms of sensitive information and (ii) information defining an action to take when the search pattern matches the content; and

when a match is found between the content and the search pattern of a DLP rule of the plurality of DLP rules, then performing, by the network security device, the defined action of the DLP rule; and

when the result is negative or the request or command represented by the received packet is not among those of the one or more corresponding requests or commands of interest for the identified upper layer protocol, then skipping performance, by the network security device, the DLP scan for the received packet;

wherein the one or more corresponding requests or commands of interest for each of the plurality of candidate upper layer protocols are configurable by a network administrator of the private network.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems for Data Leak Prevention (DLP) in a private network are provided. According to one embodiment, a packet is received by a network security device. An upper layer protocol associated with the packet is identified. It is determined whether the identified upper layer protocol is one of multiple candidate upper layer protocols having a potential to carry sensitive information with reference to a database identifying the candidate upper layer protocols, corresponding commands of interest and a corresponding suspect field within each of the commands that is to be subjected to DLP scanning. Responsive to an affirmative determination and when a command represented by the packet is one of the corresponding commands of interest for the identified upper layer protocol, then a DLP scan is performed on content contained within the corresponding suspect field of the packet. Otherwise, performance of the DLP scan for the received packet is skipped.

30 Citations

View as Search Results

19 Claims

1. A data leak prevention (DLP) method comprising:
- receiving, by a network security device associated with a private network, a packet originated by a host device within the private network and directed to a destination device outside of the private network;
  
  identifying, by the network security device, an upper layer protocol associated with the received packet;
  
  determining, by the network security device, whether the identified upper layer protocol is one of a plurality of candidate upper layer protocols having a potential to carry sensitive information out of the private network with reference to a database containing therein information regarding the plurality of candidate upper layer protocols, one or more corresponding requests or commands of interest for each of the plurality of candidate upper layer protocols and a corresponding suspect field within each of the one or more corresponding requests or commands of interest that is to be subjected to DLP scanning;
  
  when a result of the determining is affirmative and a request or command represented by the received packet is among those of the one or more corresponding requests or commands of interest for the identified upper layer protocol, then performing, by the network security device, a DLP scan on content contained within the corresponding suspect field of the received packet by;
  
  applying a plurality of DLP rules to the content, wherein each of the plurality of DLP rules include (i) a regular expression or a string defining a search pattern indicative of existence of one of a plurality of forms of sensitive information and (ii) information defining an action to take when the search pattern matches the content; and
  
  when a match is found between the content and the search pattern of a DLP rule of the plurality of DLP rules, then performing, by the network security device, the defined action of the DLP rule; and
  
  when the result is negative or the request or command represented by the received packet is not among those of the one or more corresponding requests or commands of interest for the identified upper layer protocol, then skipping performance, by the network security device, the DLP scan for the received packet;
  
  wherein the one or more corresponding requests or commands of interest for each of the plurality of candidate upper layer protocols are configurable by a network administrator of the private network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, wherein the plurality of candidate upper layer protocols are configurable by a network administrator of the private network.
  - 3. The method of claim 1, wherein the corresponding suspect field is configurable by a network administrator of the private network.
  - 4. The method of claim 1, wherein a candidate upper layer protocol of the plurality of candidate upper layer protocol comprises domain name system (DNS) protocol, wherein the one or more corresponding requests or commands of interest for the DNS protocol include a DNS query request and wherein the corresponding suspect field contained within the DNS query request comprises a name field.
  - 5. The method of claim 1, wherein a candidate upper layer protocol of the plurality of candidate upper layer protocols comprises hypertext transfer protocol (HTTP), wherein the one or more corresponding requests or commands of interest for HTTP include an HTTP GET command and wherein the corresponding suspect field contained within the HTTP GET command comprises a uniform resource identifier (URI).
  - 6. The method of claim 1, wherein a candidate upper layer protocol of the plurality of candidate upper layer protocols comprises file transfer protocol (FTP), wherein the one or more corresponding requests or commands of interest for FTP include an FTP command associated with a directory operation and wherein the corresponding suspect field contained within the FTP command comprises a directory field.
  - 7. The method of claim 1, wherein a candidate upper layer protocol of the plurality of candidate upper layer protocols comprises file transfer protocol (FTP), wherein the one or more corresponding requests or commands of interest for FTP include an FTP command associated with a file download or a file upload operation and wherein the corresponding suspect field contained within the FTP command comprises a file name field.
  - 8. The method of claim 1, wherein a candidate upper layer protocol of the plurality of candidate upper layer protocols comprises telnet protocol, wherein the one or more corresponding requests or commands of interest for the telnet protocol comprises a telnet command having at least one parameter and wherein the corresponding suspect field contained within the telnet command comprises the at least one parameter.
  - 9. The method of claim 1, wherein the plurality of forms of sensitive information include a payment card number.
  - 10. The method of claim 9, wherein the search pattern matches a format and type of content corresponding to a credit card number associated with a particular payment processing provider.
  - 11. The method of claim 1, wherein the plurality of forms of sensitive information include a social security number.

12. A non-transitory program storage device of a network security device, embodying a program of instructions executable by one or more computer processors of the network security device to perform a method of data leak prevention (DLP), the method comprising:
- receiving a packet originated by a host device within a private network protected by the network security device and directed to a destination device outside of the private network;
  
  identifying an upper layer protocol associated with the received packet;
  
  determining whether the identified upper layer protocol is one of a plurality of candidate upper layer protocols having a potential to carry sensitive information out of the private network with reference to a database containing therein information regarding the plurality of candidate upper layer protocols, one or more corresponding requests or commands of interest for each of the plurality of candidate upper layer protocols and a corresponding suspect field within each of the one or more corresponding requests or commands of interest that is to be subjected to DLP scanning;
  
  when a result of the determining is affirmative and a request or command represented by the received packet is among those of the one or more corresponding requests or commands of interest for the identified upper layer protocol, then performing a DLP scan on content contained within the corresponding suspect field of the received packet by;
  
  applying a plurality of DLP rules to the content, wherein each of the plurality of DLP rules include (i) a regular expression or a string defining a search pattern indicative of existence of one of a plurality of forms of sensitive information and (ii) information defining an action to take when the search pattern matches the content; and
  
  when a match is found between the content and the search pattern of a DLP rule of the plurality of DLP rules, then performing the defined action of the DLP rule; and
  
  when the result is negative or the request or command represented by the received packet is not among those of the one or more corresponding requests or commands of interest for the identified upper layer protocol, then skipping performance of the DLP scan for the received packet;
  
  wherein the one or more corresponding requests or commands of interest for each of the plurality of candidate upper layer protocols are configurable by a network administrator of the private network.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19)
- - 13. The non-transitory program storage device of claim 12, wherein a candidate upper layer protocol of the plurality of candidate upper layer protocol comprises domain name system (DNS) protocol, wherein the one or more corresponding requests or commands of interest for the DNS protocol include a DNS query request and wherein the corresponding suspect field contained within the DNS query request comprises a name field.
  - 14. The non-transitory program storage device of claim 12, wherein a candidate upper layer protocol of the plurality of candidate upper layer protocols comprises hypertext transfer protocol (HTTP), wherein the one or more corresponding requests or commands of interest for HTTP include an HTTP GET command and wherein the corresponding suspect field contained within the HTTP GET command comprises a uniform resource identifier (URI).
  - 15. The non-transitory program storage device of claim 12, wherein a candidate upper layer protocol of the plurality of candidate upper layer protocols comprises file transfer protocol (FTP), wherein the one or more corresponding requests or commands of interest for FTP include an FTP command associated with a directory operation and wherein the corresponding suspect field contained within the FTP command comprises a directory field.
  - 16. The non-transitory program storage device of claim 12, wherein a candidate upper layer protocol of the plurality of candidate upper layer protocols comprises file transfer protocol (FTP), wherein the one or more corresponding requests or commands of interest for FTP include an FTP command associated with a file download or a file upload operation and wherein the corresponding suspect field contained within the FTP command comprises a file name field.
  - 17. The non-transitory program storage device of claim 12, wherein a candidate upper layer protocol of the plurality of candidate upper layer protocols comprises telnet protocol, wherein the one or more corresponding requests or commands of interest for the telnet protocol comprises a telnet command having at least one parameter and wherein the corresponding suspect field contained within the telnet command comprises the at least one parameter.
  - 18. The non-transitory program storage device of claim 12, wherein the plurality of forms of sensitive information include a payment card number.
  - 19. The non-transitory program storage device of claim 12, wherein the plurality of forms of sensitive information include a social security number.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fortinet Inc.
Original Assignee
Fortinet Inc.
Inventors
Hastings, Eric C.
Primary Examiner(s)
HO, DAO Q

Application Number

US15/231,560
Publication Number

US 20160344698A1
Time in Patent Office

393 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/0236   Filtering by address, proto...

H04L 63/0245   Filtering by information in...

H04L 63/0254   Stateful filtering

H04L 63/0263   Rule management

H04L 63/08   for authentication of entit...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/166   at the transport layer

H04L 63/168   above the transport layer

Data leak protection in upper layer protocols

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

30 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Data leak protection in upper layer protocols

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

30 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links