System and Method for Real Time Data Awareness

US 20150341378A1
Filed: 08/03/2015
Published: 11/26/2015
Est. Priority Date: 03/11/2011
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

a sensor configured to;

passively read data in packets as the packets are in motion on a network; and

a processor cooperatively operable with the sensor, the processor being a hardware processor, and configured to;

receive the read data from the sensor;

originate map profiles of files and file data, both from the read data from the sensor, as the packets are in motion on the network, wherein the map profile is a topographical map of locations of the files on the network, and wherein the map profile further designates users who have accessed the files and at least one of;

hosts which contain the files;

destinations to where the files were transferred; and

file directories of the files on the hosts; and

the destinations;

infer a user role for a user based on the file and the file data being used by the user and how the user is transferring or accessing the file and the file data; and

detect when the user is performing an inappropriate usage from the user role and the read data from the sensor to control access to particular files.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system includes a sensor and a processor. The sensor is configured to passively read data in packets as the packets are in motion on a network. The processor is cooperatively operable with the sensor. The processor is configured to receive the read data from the sensor; and originate map profiles of files and file data, both from the read data from the sensor, as the passively read packets are in motion on the network. The processor is also configured to infer a user role for a user who is using the file and the file data and how the user is transferring or accessing the file and the file data. Inappropriate usage being performed by the user can then be detected from the user role and the read data to control access to particular files.

7 Citations

View as Search Results

26 Claims

1. A system comprising:
- a sensor configured to;
  
  passively read data in packets as the packets are in motion on a network; and
  
  a processor cooperatively operable with the sensor, the processor being a hardware processor, and configured to;
  
  receive the read data from the sensor;
  
  originate map profiles of files and file data, both from the read data from the sensor, as the packets are in motion on the network, wherein the map profile is a topographical map of locations of the files on the network, and wherein the map profile further designates users who have accessed the files and at least one of;
  
  hosts which contain the files;
  
  destinations to where the files were transferred; and
  
  file directories of the files on the hosts; and
  
  the destinations;
  
  infer a user role for a user based on the file and the file data being used by the user and how the user is transferring or accessing the file and the file data; and
  
  detect when the user is performing an inappropriate usage from the user role and the read data from the sensor to control access to particular files.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The system of claim 1, wherein the processor is further configured to:
    - catalog attributes of the files and the file data, all from the read data in the packets in motion on the network.
  - 3. The system of claim 2, wherein the attributes which are cataloged include at least some of:
    - file name, file size, time stamp, file hash, block hashes, server identifier (ID) that contained the file, host ID which contains the file, user ID of the user that sent the file, user ID for the user receiving the file, destination a file is transferred to, content of the file, where the file data is, who has access to the file data or the file, what device has the file data, how the file was transferred, and how the file was transformed.
  - 4. The system of claim 3, wherein the content of the file which is cataloged comprises:
    - keywords, hashes, and file content changes.
  - 5. The system of claim 3, wherein the content of the file is determined by analyzing the file and the file data for keywords or hashes in the files in the data.
  - 6. The system of claim 3, wherein the processor is further configured to:
    - create a user access map associating user identity with the files, file hashes, and databases the user has actually touched.
  - 7. The system of claim 1, wherein the sensor is further configured to:
    - embed a honeytoken into voids inside the file contained in the passively read packets when the file has a file format predetermined to have dead data that can be overwritten, and to use the honeytoken to aid tracking of the file'"'"'s movement around and outside the network.
  - 8. The system of claim 7, wherein the honeytoken that is embedded in the file is one of a main hash of the entire file, and a block hash of an individual block within the file.
  - 9. The system of claim 1, wherein the processor is further configured to:
    - examine the read data from the sensor for the files and the file data, when the read data is a conversation between users, a page being downloaded, an e-mail attachment, a file download, a file repository access, and a file transfer via the network.
  - 10. The system of claim 9, wherein the file repository access is a download, a File Transfer Protocol (FTP) transfer, a file share access, or an Network File System (NFS) access.
  - 11. The system of claim 1, wherein the processor is further configured to:
    - extract metadata from the read data in the passively read packets to generate passively discovered metadata, as the packets are in motion on the network, the read data including at least some of;
      
      a main hash of an entire file, a block hash of individual blocks within the file, a directory listing of files with file names, dates, time stamps, size, and file owners, the hash being a cryptographic hash unique to the file.
  - 12. The system of claim 11, wherein the processor is further configured to:
    - store the passively discovered metadata, attributes of the file, and the file data, in a relational database.
  - 13. The system of claim 12, wherein the relational database is based around the file itself and indicates where the file has been transferred and who transferred the file.
  - 14. The system of claim 12, wherein the relational database is implemented as a postprocessor to the sensor.
  - 15. The system of claim 1, wherein the processor is further configured to:
    - report on how a content of the file has changed, including changes of location reflected in the file data, changes in ownership reflected in the file data, changes in the file data itself, and changes in the file itself.

16. A method comprising:
- in a sensor, passively reading data in packets as the packets are in motion on a network;
  
  in a processor, the processor being a hardware processor;
  
  receiving the read data from the sensor;
  
  originating map profiles of files and file data both from the read data from the sensor, as the packets are in motion on the network, wherein the map profile is a topographical map of locations of the files on the network, and wherein the map profile further designates users who have accessed the files and at least one of;
  
  hosts which contain the files;
  
  destinations to where the files were transferred; and
  
  file directories of the files on the hosts and the destinations;
  
  inferring a user role for a user from who is using the file and the file data and how the user is transferring or accessing the file and the file data; and
  
  detecting when the user is performing an inappropriate usage from the user role and the read data from the sensor to control access to particular files.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The method of claim 16, further comprising:
    - cataloging attributes of the files and the file data, all from the read data in the packets in motion on the network.
  - 18. The method of claim 16, further comprising:
    - creating a user access map associating user identity with the files, file hashes, and databases the user has actually touched.
  - 19. The method of claim 16, further comprising:
    - embedding a honeytoken into voids inside the file contained in the packets when the file has a file format predetermined to have dead data that can be overwritten, and using the honeytoken to aid tracking of the file movement around and outside the network.
  - 20. The method of claim 19, wherein the honeytoken that is embedded in the file is one of a main hash of the entire file, and a block hash of an individual block within the file.

21. A non-transitory computer-readable storage medium comprising computer-executable instructions for performing the steps of:
- passively reading, from a sensor, data in packets as the packets are in motion on a network;
  
  receiving, in a processor, the read data from the sensor;
  
  originating map profiles of files and file data, both from the read data from the sensor, as the packets are in motion on the network, wherein the map profile is a topographical map of locations of the files on the network, and wherein the map profile further designates users who have accessed the files and at least one of;
  
  hosts which contain the files;
  
  destinations to where the files were transferred; and
  
  file directories of the files on the hosts and the destinations;
  
  inferring a user role for a user from who is using the file and the file data and how the user is transferring or accessing the file and the file data; and
  
  detecting when the user is performing an inappropriate usage from the user role and the read data from the sensor to control access to particular files.
- View Dependent Claims (22, 23, 24, 25, 26)
- - 22. The non-transitory computer-readable storage medium of claim 21, further comprising instructions operable for:
    - cataloging attributes of the files and the file data, all from the read data in the packets in motion on the network.
  - 23. The non-transitory computer-readable storage medium of claim 21, further comprising instructions operable for:
    - creating a user access map associating user identity with the files, file hashes, and databases the user has actually touched.
  - 24. The non-transitory computer-readable storage medium of claim 21, further comprising instructions operable for:
    - extracting metadata from the read data in the packets to generate passively discovered metadata, as the packets are in motion on the network, the read data including at least some of;
      
      a main hash of the entire file, a block hash of individual blocks within the file, a directory listing of files with file names, dates, time stamps, size, and file owners, the hash being a cryptographic hash unique to the file.
  - 25. The non-transitory computer-readable storage medium of claim 21, further comprising instructions operable for:
    - embedding a honeytoken into voids inside the file contained in the packets when the file has a file format predetermined to have dead data that can be overwritten, and using the honeytoken to aid tracking of the file'"'"'s movement around and outside the network.
  - 26. The non-transitory computer-readable storage medium of claim 25, wherein the honeytoken that is embedded in the file is one of a main hash of the entire file, and a block hash of an individual block within the file.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Roesch, Martin Frederick

Granted Patent

US 9,584,535 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/50   Monitoring users, programs ...

H04L 63/102   Entity profiles

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1466   Active attacks involving in...

System and Method for Real Time Data Awareness

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

7 Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

System and Method for Real Time Data Awareness

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

7 Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links