Method and system for protecting confidential information

US 8,141,159 B2
Filed: 12/31/2003
Issued: 03/20/2012
Est. Priority Date: 12/31/2002
Status: Active Grant

First Claim

Patent Images

1. A method for computer workstation based information protection, the method comprising:

a) monitoring a user'"'"'s actions on said computer workstation;

b) detecting whether content in use at said workstation in association with said actions being monitored comprises confidential information, said detecting comprising said workstation performing a statistical analysis of said content in use by said user using identifiers from a content identifier database, said statistical analysis using said identifiers to associate said content with respective confidential information, said confidential information being associated with respective predefined policies;

c) analyzing said monitored action with respect to a respective pre-defined policy associated with any confidential information identified by said analysis as being associated with said content in use at said workstation, to determine whether said actions prejudice said confidential information; and

d) executing said policy in accordance with the results of said determination to control said actions;

wherein said information protection comprises protecting information held within a software data processing application able to process said information, wherein said software data processing application authenticates itself to a server before at least some of the sessions wherein said authentication depends on a classification level assigned to said protected information, wherein connection to at least two servers are required in order to determine said policy and wherein said software data processing application is entangled with said server'"'"'s software, such that a functioning stand-alone copy of said software data processing application does not exist.

View all claims

20 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for computer workstation based information protection is presented, the method comprises: a) monitoring user'"'"'s actions on the computer workstation, b) analysis of the actions in respect to a pre-defined policy to determine whether the actions prejudice information to which the policy applies, and c) executing the policy in accordance with the results of the analysis to prevent or modify or restrict or monitor or log the actions.

67 Citations

View as Search Results

102 Claims

1. A method for computer workstation based information protection, the method comprising:
- a) monitoring a user'"'"'s actions on said computer workstation;
  
  b) detecting whether content in use at said workstation in association with said actions being monitored comprises confidential information, said detecting comprising said workstation performing a statistical analysis of said content in use by said user using identifiers from a content identifier database, said statistical analysis using said identifiers to associate said content with respective confidential information, said confidential information being associated with respective predefined policies;
  
  c) analyzing said monitored action with respect to a respective pre-defined policy associated with any confidential information identified by said analysis as being associated with said content in use at said workstation, to determine whether said actions prejudice said confidential information; and
  
  d) executing said policy in accordance with the results of said determination to control said actions;
  
  wherein said information protection comprises protecting information held within a software data processing application able to process said information, wherein said software data processing application authenticates itself to a server before at least some of the sessions wherein said authentication depends on a classification level assigned to said protected information, wherein connection to at least two servers are required in order to determine said policy and wherein said software data processing application is entangled with said server'"'"'s software, such that a functioning stand-alone copy of said software data processing application does not exist.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68)
- - 2. A method according to claim 1, wherein said policy comprises restrictions on at least one of the following actions:
    - print, save, copy, autosave, fax.
  - 3. A method according to claim 1, wherein said monitoring said user'"'"'s actions on said workstation comprises detection of indications of attempts at tampering.
  - 4. A method according to claim 3, wherein said detection of indications of attempts at tampering comprises obtaining logical indications or statistical indications.
  - 5. A method according to claim 3, wherein said detection of indications of attempts of tampering comprises detection of at least one un-certified add-in.
  - 6. A method according to claim 5, wherein said detection includes noting that said un-certified add-in is hooked to events of a local operating system.
  - 7. A method according to claim 3, wherein said detection of indications of attempts at tampering comprises detection of at least one debugging technique.
  - 8. A method according to claim 7, wherein said debugging technique comprises use of any of:
    - a debugger, a virtual machine, a software emulator, a software trap, and a remote administration tool.
  - 9. A method according to claim 3, wherein said policy comprises restrictions of actions made available to said user upon said detection of indications of attempts of tampering.
  - 10. A method according to claim 9, wherein said restrictions of user'"'"'s actions upon said detection of indications of attempts of tampering comprise applying restrictions on actions within a software application operable to process said information.
  - 11. A method according to claim 3, wherein said execution of said policy comprises performing at least one action upon detection of indications of attempts of tampering.
  - 12. A method according to claim 11, wherein said actions comprise at least one of the following:
    - encrypting at least one buffer, and encrypting at least one shared memory.
  - 13. A method according to claim 11, wherein said actions comprise preventing the decryption of encrypted digital content.
  - 14. A method according to claim 1, wherein said pre-defined policy is defined with respect to a software application on said user'"'"'s workstation.
  - 15. A method according to claim 1, wherein said policy comprises reporting about attempts to perform actions that do not comply with an organizational policy or about attempts to perform actions that are suspected to not comply with the organizational policy.
  - 16. A method according to claim 1, wherein said policy comprises performing logging of attempts to perform actions that that do not comply or are suspected to not comply with the organizational policy.
  - 17. A method according to claim 1, wherein said information protection comprises protecting information held within a software data processing application able to process said information.
  - 18. A method according to claim 17, wherein said software data processing application operates in conjunction with a software client.
  - 19. A method according to claim 17, wherein said software client is a tamper-resistant software client.
  - 20. A method according to claim 17, wherein said software client is operable to monitor said user'"'"'s actions and to execute said policy.
  - 21. A method according to claim 17, wherein said software client is operable to detect information based on statistical identifiers residing in a specialized database.
  - 22. A method according to claim 17, wherein said software client is further operable to detect events of said software application.
  - 23. A method according to claim 22, wherein said events comprise events required for any of:
    - printing said information;
      
      copying said information;
      
      storing said information, and displaying said information.
  - 24. A method according to claim 17, wherein said software client comprises components that can be automatically replaced.
  - 25. A method according to claim 17, wherein in accordance with said policy said protected information is encrypted utilizing the encryption capabilities of said software application.
  - 26. A method according to claim 25, wherein said software application operable to process said information is any of:
    - a word processing application;
      
      Microsoft “
      
      word”
      
      ;
      
      Open office “
      
      word”
      
      , and Star office “
      
      word”
      
      .
  - 27. A method according to claim 17, wherein said software application comprises a control flag imparting a status of either read only or lock to a corresponding file, and wherein file modification within said software application which is operable to process said information is disabled via said flag.
  - 28. A method according to claim 27, wherein said disabling of said file modification is controlled by said policy.
  - 29. A method according to claim 17, wherein said software client replaces the clipboard functionality of said software application thereby to process said protected information with a secure clipboard functionality.
  - 30. A method according to claim 29, wherein said protected information copied into said secure clipboard is stored in an internal data structure inaccessible to other applications.
  - 31. A method according to claim 17, wherein said software client is installed automatically from a remote server.
  - 32. A method according to claim 31, wherein said installation of said software client utilizes anti-virus installation infrastructure.
  - 33. A method according to claim 17, wherein updates of said software client utilize anti-virus update infrastructure.
  - 34. A method according to claim 17, wherein at least part of the software code of said software client resides in an encrypted form.
  - 35. A method according to claim 17, wherein at least part of the software code of said software client is attached to hardware of said computer workstation.
  - 36. A method according to claim 17, wherein said software client is operable to automatically add information to said protected information in accordance with said policy.
  - 37. A method according to claim 36, wherein said added information comprises any of:
    - a document header;
      
      a document footer; and
      
      a textual disclaimer.
  - 38. A method according to claim 17, wherein said client software is operable to open file that comprises said protected information only while connected to at least one server.
  - 39. A method according to claim 38, wherein said servers enforce a policy with respect to said protected information.
  - 40. A method according to claim 39, wherein said policy implies a set of restrictions regarding the usage of the said protected information.
  - 41. A method according to claim 38, wherein at least two servers are operable to define said policy.
  - 42. A method according to claim 32, wherein said server authenticates the integrity of said client by requiring a cryptographic hash of at least part of said client'"'"'s software.
  - 43. A method according to claim 42, wherein said cryptographic hash is with respect to a random address in said clients software.
  - 44. A method according to claim 38, wherein said method comprises at least two levels of protection, and wherein said levels of protection are operable to be configured as a function of the secrecy of said protected information.
  - 45. A method according to claim 44, wherein in the most secure of said levels of protection, said protected information can only be accessed while connected to said server.
  - 46. A method according to claim 44, wherein in at least one of said levels of protection, said information can be accessed for a limited time after the connection with said server was terminated.
  - 47. A method according to claim 44, wherein in at least one of said levels of protection, said information can be accessed until the end of a current login session.
  - 48. A method according to claim 44, wherein in at least one of said levels of protection, said information can be unlimitedly accessed after the server approves said information.
  - 49. A method according to claim 17, wherein said client software is operable to check that it is connected to a predetermined server before decrypting a file that comprise said protected information.
  - 50. A method according to claim 49, wherein said servers enforce a policy with respect to said protected information, and wherein said policy comprises a set of restrictions regarding the usage of the said protected information.
  - 51. A method according to claim 1, wherein said policy further comprising managing usage rights.
  - 52. A method according to claim 51, wherein said usage rights are determined according to any of:
    - the classification of the document;
      
      the classification level of the user, and the authentication level of the user.
  - 53. A method according to claim 51, wherein said usage rights comprise any of:
    - viewing at least part of said information;
      
      modifying at least part of said information;
      
      sending at least part of said information to a recipient;
      
      storing at least part of said information;
      
      storing at least part of said information by an application;
      
      storing at least part of said information by a file system;
      
      storing at least part of said information in a portable device;
      
      storing at least part of said information in a removable media;
      
      storing at least part of said information portable storage device that is connected to said workstation using a USB port;
      
      pasting at least part of said information into a document;
      
      printing at least part of said information;
      
      printing at least part of said information to file;
      
      printing at least part of said information to a fax, and printing a screen view document.
  - 54. A method according to claim 51 wherein said policy further comprises definitions of actions to be performed.
  - 55. A method according to claim 54, wherein said actions comprise any of:
    - enabling usage of at least part of said information;
      
      disabling usage of at least part of said information;
      
      restricting the usage of at least part of said information, according to a pre-determined set of restrictions;
      
      reporting about the usage of at least part of said information, and monitoring the usage of at least part of said information.
  - 56. A method according to claim 55, wherein said restriction of usage imposes requiring encryption of at least part of said protected information.
  - 57. A method according to claim 56, wherein said required encryption is such that corresponding encrypted information can be decrypted only by a secure client.
  - 58. A method according to claim 56, wherein said encryption of protected information further comprising encryption of a file comprising at least part of said protected information wherein said file is at least one of the following:
    - temporary file and auto-recovery file.
  - 59. A method according to claim 55, wherein said restriction of usage requires said protected information to reside on a secure server.
  - 60. A method according to claim 59, comprising arranging a connection between said secure server and said workstation such that the transport between said secure server and said workstation is protected.
  - 61. A method according to claim 60, wherein said protected transport comprises an encrypted transport.
  - 62. A method according to claim 59, wherein said protected information further comprises a file comprising at least part of said protected information, wherein said file comprises any of temporary file and auto-recover file.
  - 63. A method according to claim 1, wherein said authentication comprises any of:
    - password based authentication; and
      
      network address based authentication.
  - 64. A method according to claim 59, wherein said secure server employs cryptographic encryption of at least one file containing said protected information.
  - 65. A method according to claim 59, wherein communication with said server is substantially transparent to said user.
  - 66. A method according to claim 1, wherein said policy comprises adding forensic information to said protected information.
  - 67. A method according to claim 1, wherein in the event of two or more conflicting policies being found, a policy comprising the union of restrictions of said policies is used.
  - 68. A method according to claim 1, wherein controlling a user'"'"'s action comprises at least one of:
    - preventing said action, modifying said action, restricting, said action, monitoring said action, or logging said action.

69. A method for information protection, said information comprising information items, said information being for usage on a computer workstation, comprising:
- a) defining an information protection policy with respect to an information item, said defining comprising determining at least one measure, required to be enforced by said workstation, in said policy to protect said information item;
  
  b) using identifiers obtained from a content identifier database, said workstation performing a statistical analysis of content in use on said computer workstation to identify said information item as comprising confidential information to a given level of confidence, andc) allowing said usage on a computer workstation of content comprising said information item only while said required measures in said policy are being applied by said workstation in view of said level of confidence;
  
  wherein said information protection comprises protecting information held within a software data processing application able to process said information, wherein said software data processing application authenticates itself to a server before at least some of the sessions wherein said authentication depends on a classification level assigned to said protected information, wherein connection to at least two servers are required in order to determine said policy and wherein said software data processing application is entangled with said server'"'"'s software, such that a functioning stand-alone copy of said software data processing application does not exist.
- View Dependent Claims (70, 71, 72, 73, 74, 75, 76)
- - 70. A method according to claim 69, wherein said information protection measures comprises protecting information within a client software application.
  - 71. A method according to claim 70, wherein said protecting information within a client software application comprises disabling at least one of the controls of said application.
  - 72. A method according to claim 69, wherein said information protection measures comprises encryption of the memory of a graphic card or a video card.
  - 73. A method according to claim 69, wherein said information protection measures comprises forcing a video card or a graphic card to a mode that causes no meaningful information to be stored in said video card'"'"'s memory.
  - 74. A method according to claim 69, wherein said information protection measures comprises scanning at least one storage device and identifying the existence of pre-defined information objects.
  - 75. A method according to claim 74, wherein said pre-defined information objects comprise confidential information objects.
  - 76. A method according to claim 69, wherein said information protection policy comprises at least one rule regarding at least one event of at least one software application operable to handle said information.

77. A method for computer workstation based information protection, the method comprising:
- a) detecting an event occurring at said workstation, said event being associated with content;
  
  b) said workstation performing a statistical analysis of said content associated with said event to identify confidential information within said content, said statistical analysis utilizing an identifier extracted from a content identifier database, said statistical analysis providing said identification; and
  
  c) employing information protection based on an assessment of an importance of said event to protection of said confidential information, said assessment identifying at least one policy, wherein said information protection comprises protecting information held within a software data processing application able to process said information, wherein said software data processing application authenticates itself to a server before at least some of the sessions wherein said authentication depends on a classification level assigned to said protected information, wherein connection to at least two servers are required in order to determine said policy and wherein said software data processing application is entangled with said server'"'"'s software, such that a functioning stand-alone copy of said software data processing application does not exist.
- View Dependent Claims (78, 79)
- - 78. A method according to claim 77, further comprising:
    - handling an event, said event being designated as directing information protection, and employing a said information protection technique in reaction to said event.
  - 79. A method according to claim 78, wherein said event comprise any of:
    - loading a local operating system;
      
      loading an application;
      
      user action;
      
      presenting a specific information into the system;
      
      an event generated by another system;
      
      suspicious activity;
      
      operating system time event; and
      
      a network time event.

80. A system for computer workstation based information protection, the system comprising:
- A computer workstation comprising;
  
  i) a monitor configured for monitoring a user'"'"'s actions on said computer workstation, said actions being associated with content;
  
  ii) an analyzer associated with a content identifier database, said analyzer configured for;
  
  performing a statistical analysis of said associated content in use by said user using content identifiers from said database to identify confidential information in said content, said identifying being provided with a level of confidence; and
  
  analyzing said actions with respect to a pre-defined policy associated with said identified confidential information to determine whether said actions prejudice said information; and
  
  iii) a policy execution module configured for executing said policy in accordance with the results of said analysis, including said level of confidence, to control said actions in accordance with said policy;
  
  wherein said information protection comprises protecting information held within a software data processing application able to process said information, wherein said software data processing application is configured for authentication to a server before at least some of the sessions, wherein said authentication depends on a classification level assigned to said protected information, wherein connection to at least two servers are required in order to determine said policy and wherein said software data processing application is entangled with said server'"'"'s software, such that a functioning stand-alone copy of said software data processing application does not exist.
- View Dependent Claims (81, 82, 83, 84, 85, 86, 87, 88, 89, 90, 91, 92, 93, 94, 95, 96, 97, 98, 99, 100)
- - 81. A system according to claim 80, wherein said policy comprises restrictions on at least one of the following actions:
    - print, save, copy, autosave, fax.
  - 82. A system according to claim 80, wherein said monitoring said user'"'"'s actions on said workstation comprises detection of indications of attempts at tampering.
  - 83. A system according to claim 82, wherein said detection of indications of attempts of tampering comprises detection of at least one un-certified add-in.
  - 84. A system according to claim 83, wherein said detection of indications of attempts at tampering comprises detection of at least one debugging technique.
  - 85. A system according to claim 82, wherein said policy comprises restrictions of actions made available to said user upon said detection of indications of attempts of tampering.
  - 86. A system according to claim 85, wherein said restrictions of user'"'"'s actions upon said detection of indications of attempts of tampering comprise applying restrictions on actions within a software application operable to process said information.
  - 87. A system according to claim 86, wherein said software data processing application operates in conjunction with a tamper-resistant software client.
  - 88. A system according to claim 87, wherein said software client is operable to monitor said user'"'"'s actions and to execute said policy.
  - 89. A system according to claim 87, wherein said software client is operable to detect information based on statistical identifiers residing in a specialized database.
  - 90. A system according to claim 87, wherein said software client is further operable to detect events of said software application.
  - 91. A system according to claim 87, wherein said client software is operable to check that it is connected to a predetermined server before decrypting a file that comprise said protected information only while connected to at least one server.
  - 92. A system according to claim 91, wherein said servers enforce a policy with respect to said protected information, and wherein said policy comprises a set of restrictions regarding the usage of the said protected information.
  - 93. A system according to claim 87, wherein said software client replaces the clipboard functionality of said software application thereby to process said protected information with a secure clipboard functionality.
  - 94. A system according to claim 87, wherein said software client is installed or updated automatically from a remote server.
  - 95. A system according to claim 94, wherein said installation or updates of said software client utilize anti-virus installation infrastructure.
  - 96. A system according to claim 94, wherein said software client is operable to automatically add information to said protected information in accordance with said policy.
  - 97. A system according to claim 86, wherein said software application operable to process said information is any of:
    - a word processing application;
      
      Microsoft “
      
      word”
      
      , Open office “
      
      word”
      
      , and Star office “
      
      word”
      
      .
  - 98. A system according to claim 80, wherein said policy further comprising managing usage rights.
  - 99. A system according to claim 98, wherein said usage rights comprise any of:
    - viewing at least part of said information;
      
      modifying at least part of said information;
      
      sending at least part of said information to a recipient;
      
      storing at least part of said information;
      
      storing at least part of said information by an application;
      
      storing at least part of said information by a file system;
      
      storing at least part of said information in a portable device;
      
      storing at least part of said information in a removable media;
      
      storing at least part of said information portable storage device that is connected to said workstation using a USB port;
      
      pasting at least part of said information into a document;
      
      printing at least part of said information;
      
      printing at least part of said information to file;
      
      printing at least part of said information to a fax, and printing a screen view document.
  - 100. A system according to claim 80, wherein to control an action comprises at least one of:
    - preventing said action, modifying said action, restricting, said action, monitoring said action, or logging said action.

101. A system for information protection, said information comprising information items, said information being for usage on a computer workstation, the system comprising:
- A computer workstation comprising;
  
  a) a policy reference monitor configured for identifying particular information items as requiring protection, defining respective information protection policies with respect to said identified information items, said defining comprising determining measures required to protect said information, said policy reference monitor further configured to place in a content identifier database an identifier for any such information for which a policy has been defined; and
  
  wherein, in the event of two or more conflicting policies being defined, a strictest one of the policies is identified and used;
  
  b) a policy execution module configured for using said identifiers in a statistical analysis of content being used at said workstation to identify information items for which a policy has been defined, said identifying comprising providing a level of confidence, and for allowing said usage on a computer workstation of information comprising said items for which an information protection policy is defined only while said required measures are being applied in view of said level of confidence, wherein said information protection comprises protecting information held within a software data processing application able to process said information, wherein said software data processing application is configured for authentication to a server before at least some of the sessions, wherein said authentication depends on a classification level assigned to said protected information, wherein connection to at least two servers are required in order to determine said policy and wherein said software data processing application is entangled with said server'"'"'s software, such that a functioning stand-alone copy of said software data processing application does not exist.

102. A method for computer workstation based information protection, the method comprising:
- a) monitoring a user'"'"'s actions on said computer workstation;
  
  b) detecting whether content in use at said workstation in association with said actions being monitored comprises confidential information, said detecting comprising said workstation performing a statistical analysis of said content in use by said user using identifiers from a content identifier database, said statistical analysis using said identifiers to associate said content with respective confidential information, said confidential information being associated with respective predefined policies;
  
  c) analyzing said monitored action with respect to a respective pre-defined policy associated with any confidential information identified by said analysis as being associated with said content in use at said workstation, to determine whether said actions prejudice said confidential information; and
  
  d) executing said policy in accordance with the results of said determination to control said actions;
  
  wherein in the event of two or more conflicting policies being found, a policy comprising the union of restrictions of said policies is used, wherein said information protection comprises protecting information held within a software data processing application able to process said information, wherein said software data processing application authenticates itself to a server before at least some of the sessions wherein said authentication depends on a classification level assigned to said protected information, wherein connection to at least two servers are required in order to determine said policy and wherein said software data processing application is entangled with said server'"'"'s software, such that a functioning stand-alone copy of said software data processing application does not exist.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Forcepoint LLC
Original Assignee
PortAuthority Technologies, Inc. (Forcepoint LLC)
Inventors
Peled, Ariel, Troyansky, Lidror, Carny, Ofir
Primary Examiner(s)
Vu, Kim
Assistant Examiner(s)
GYORFI, THOMAS A

Application Number

US10/748,178
Publication Number

US 20050066165A1
Time in Patent Office

3,002 Days
Field of Search

726/1, 726/26, 726/27, 709223-225
US Class Current

726/26
CPC Class Codes

G06F 21/316   by observing the pattern of...

G06F 21/6245   Protecting personal data, e...

G06F 2221/2113   Multi-level security, e.g. ...

Method and system for protecting confidential information

First Claim

20 Assignments

0 Petitions

Accused Products

Abstract

67 Citations

102 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for protecting confidential information

First Claim

20 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

67 Citations

102 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links