Data Leakage Prevention for Cloud and Enterprise Networks

US 20130212710A1
Filed: 02/09/2012
Published: 08/15/2013
Est. Priority Date: 02/09/2012
Status: Active Grant

First Claim

Patent Images

1. An apparatus comprising:

a data storage device; and

a processor communicatively coupled to the data storage device, the processor in cooperation with the data storage device configured to;

determine a signature of a transmitted document, the transmitted document being in transit to a location beyond a network boundary;

compare the signature of the document with one or more signatures of documents authorized to be transmitted beyond the network boundary; and

prevent the transmitted document from being transmitted beyond the network boundary if the signature of the transmitted document does not correspond to a signature of a document authorized to be transmitted beyond the network boundary.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Apparatuses, methods and articles of manufacture for performing data leakage prevention are provided. Data leakage prevention may be performed by determining a signature of a transmitted document, the transmitted document being in transit to a location beyond a network boundary. The signature of the transmitted document is compared with one or more signatures of documents authorized to be transmitted beyond the network boundary. The transmitted document is prevented from being transmitted beyond the network boundary if the signature of the document does not correspond to a signature of a document authorized to be transmitted beyond the network boundary.

23 Citations

View as Search Results

22 Claims

1. An apparatus comprising:
- a data storage device; and
  
  a processor communicatively coupled to the data storage device, the processor in cooperation with the data storage device configured to;
  
  determine a signature of a transmitted document, the transmitted document being in transit to a location beyond a network boundary;
  
  compare the signature of the document with one or more signatures of documents authorized to be transmitted beyond the network boundary; and
  
  prevent the transmitted document from being transmitted beyond the network boundary if the signature of the transmitted document does not correspond to a signature of a document authorized to be transmitted beyond the network boundary.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The apparatus of claim 1, wherein preventing the transmitted document from being transmitted beyond the network boundary includes terminating a transmission control protocol-based connection associated with the transmitted document.
  - 3. The apparatus of claim 1, wherein the processor is further configured to:
    - determine a segment of the transmitted document; and
      
      determine a signature corresponding to the segment of the transmitted document.
  - 4. The apparatus of claim 3, wherein the processor is further configured to:
    - receive a transmission control sequence number corresponding to a first byte of a transmitted document;
      
      receive a transmission control sequence number corresponding to a subsequent byte of a transmitted document; and
      
      determine the segment of the transmitted document based on the received transmission control sequence numbers corresponding to the first and the subsequent bytes.
  - 5. The apparatus of claim 3, wherein:
    - comparing the signature includes comparing the signature corresponding to the segment of the transmitted document with one or more signatures of documents authorized to be transmitted beyond the network boundary; and
      
      preventing the transmitted document from being transmitted beyond the network boundary includes preventing the transmission if the signature corresponding the segment of the transmitted document does not correspond to a signature of a document authorized to be transmitted beyond the network boundary.

6. An apparatus comprising:
- a data storage device; and
  
  a processor communicatively coupled to the data storage device, the processor configured to;
  
  generate a random number having a fixed number of bytes;
  
  determine a byte value corresponding to a byte in a document authorized to be transmitted beyond a network boundary;
  
  determine a position value corresponding to a position of the byte in the document; and
  
  execute a logical function between the byte value, the position value and a byte of the random number corresponding to the position value to generate a signature for the document.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The apparatus of claim 6, wherein the logical function comprises an exclusive-OR logical operator.
  - 8. The apparatus of claim 6, wherein determining a position of a byte includes determining a transmission control protocol sequence number corresponding to the byte.
  - 9. The apparatus of claim 6, wherein the processor is further configured to:
    - select one or more segments of the document authorized to be transmitted beyond the network boundary, wherein executing the logical function between the byte value, position value and the byte of the random number generates a signature for one or more bytes in a segment of the document.
  - 10. The apparatus of claim 9, wherein the one or more segments are selected based on a byte length of the document.

11. A non-transitory computer-readable medium having computer program instructions stored thereon, which, when executed on a processor, cause the processor to perform a method comprising:
- determining a signature of a transmitted document, the transmitted document being in transit to a location beyond a network boundary;
  
  comparing the signature of the transmitted document with one or more signatures of documents authorized to be transmitted beyond the network boundary; and
  
  preventing the transmitted document from being transmitted beyond the network boundary if the signature of the transmitted document does not correspond to a signature of a document authorized to be transmitted beyond the network boundary.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The non-transitory computer-readable medium of claim 11, wherein preventing the transmitted document from being transmitted beyond the network boundary includes terminating a transmission control protocol-based connection associated with the transmitted document.
  - 13. The non-transitory computer-readable medium of claim 11, wherein the method further comprises:
    - determining a segment of the transmitted document; and
      
      determining a signature corresponding to the segment of the transmitted document.
  - 14. The non-transitory computer-readable medium of claim 13, wherein the method further comprises:
    - receiving a transmission control sequence number corresponding to a first byte of a transmitted document;
      
      receiving a transmission control sequence number corresponding to a subsequent byte of a transmitted document; and
      
      determining the segment of the transmitted document based on the received transmission control sequence numbers corresponding to the first and the subsequent bytes.
  - 15. The non-transitory computer-readable medium of claim 13, wherein:
    - comparing the signature includes comparing the signature corresponding to the segment of the transmitted document with one or more signatures of documents authorized to be transmitted beyond the network boundary; and
      
      preventing the transmitted document from being transmitted beyond the network boundary includes preventing the transmission if the signature corresponding the segment of the transmitted document does not correspond to a signature of a document authorized to be transmitted beyond the network boundary.

16. A non-transitory computer-readable medium having computer program instructions stored thereon, which, when executed on a processor, cause the processor to perform a method comprising:
- generating a random number having a fixed number of bytes;
  
  determining a byte value corresponding to a byte in a document authorized to be transmitted beyond a network boundary;
  
  determining a position value corresponding to a position of the byte in the document; and
  
  executing a logical function between the byte value, the position value and a byte of the random number corresponding to the position value to generate a signature for the document.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The non-transitory computer-readable medium of claim 16, wherein the logical function comprises an exclusive-OR logical operator.
  - 18. The non-transitory computer-readable medium of claim 16, wherein determining a position of a byte includes determining a transmission control protocol sequence number corresponding to the byte.
  - 19. The non-transitory computer-readable medium of claim 16, the method further comprising selecting one or more segments of the document authorized to be transmitted beyond the network boundary, wherein executing the logical function between the byte value, position value and the byte of the random number generates a signature for one or more bytes in a segment of the document.
  - 20. The non-transitory computer-readable medium of claim 19, wherein the one or more segments are selected based on a byte length of the document.

21. A method comprising:
- at a processor communicatively coupled to a data storage device, determining a signature of a transmitted document, the transmitted document being in transit to a location beyond a network boundary;
  
  comparing, by the processor in cooperation with the data storage device, the signature of the transmitted document with one or more signatures of documents authorized to be transmitted beyond the network boundary; and
  
  preventing, by the processor in cooperation with the data storage device, the transmitted document from being transmitted beyond the network boundary if the signature of the transmitted document does not correspond to a signature of a document authorized to be transmitted beyond the network boundary.

22. A method comprising:
- at a processor communicatively coupled to a data storage device, generating a random number having a fixed number of bytes;
  
  determining, by the processor in cooperation with the data storage device, a byte value corresponding to a byte in a document authorized to be transmitted beyond a network boundary;
  
  determining, by the processor in cooperation with the data storage device, a position value corresponding to a position of the byte in the document; and
  
  executing, by the processor in cooperation with the data storage device, a logical function between the byte value, the position value and a byte of the random number corresponding to the position value to generate a signature for the document.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
RPX Corporation
Original Assignee
Alcatel-Lucent USA, Inc. (Nokia Corporation)
Inventors
Puttaswamy Naga, Krishna P., Hao, Fang, Kodialam, Muralidharan S., Lakshman, T.V.

Granted Patent

US 8,856,960 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/30
CPC Class Codes

H04L 63/0245   Filtering by information in...

H04L 63/123   received data contents, e.g...

H04L 9/3247   involving digital signatures

Data Leakage Prevention for Cloud and Enterprise Networks

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

23 Citations

22 Claims

Specification

Use Cases

Quick Links

Others

Data Leakage Prevention for Cloud and Enterprise Networks

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

23 Citations

22 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others