Behavioral engine for identifying patterns of confidential data use

US 8,752,180 B2
Filed: 05/26/2009
Issued: 06/10/2014
Est. Priority Date: 05/26/2009
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method comprising:

monitoring, by a computing device, operations by a client application;

determining, by the computing device, that data of one of the operations contain confidential information protected by a data loss prevention (DLP) policy; and

in response to determining that the data contains the confidential information, determining whether the client application is using the confidential information for a legitimate purpose or an illegitimate purpose, comprising;

analyzing, by the computing device, behavior of the client application with respect to the confidential information;

identifying a pattern of how the client application uses the confidential information based at least in part on the behavior of the client application, wherein the identified pattern is not associated with a user;

performing a comparison of the identified pattern to at least one of a model of legitimate use of the confidential information or a model of illegitimate use of the confidential information to determine a security risk of the client application; and

assigning a risk rating indicative of the security risk to the client application;

performing an action to mitigate risk of data loss if the risk rating exceeds a threshold.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A client device hosts a behavioral engine. Using the behavioral engine, the client device analyzes behavior of a client application with respect to confidential information. The client device assigns a rating indicative of risk to the client application based on the behavior of the client application. The client device performs an action to mitigate risk of data loss if the rating exceeds a threshold.

18 Citations

View as Search Results

20 Claims

1. A computer-implemented method comprising:
- monitoring, by a computing device, operations by a client application;
  
  determining, by the computing device, that data of one of the operations contain confidential information protected by a data loss prevention (DLP) policy; and
  
  in response to determining that the data contains the confidential information, determining whether the client application is using the confidential information for a legitimate purpose or an illegitimate purpose, comprising;
  
  analyzing, by the computing device, behavior of the client application with respect to the confidential information;
  
  identifying a pattern of how the client application uses the confidential information based at least in part on the behavior of the client application, wherein the identified pattern is not associated with a user;
  
  performing a comparison of the identified pattern to at least one of a model of legitimate use of the confidential information or a model of illegitimate use of the confidential information to determine a security risk of the client application; and
  
  assigning a risk rating indicative of the security risk to the client application;
  
  performing an action to mitigate risk of data loss if the risk rating exceeds a threshold.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The computer-implemented method of claim 1, further comprisingassigning the risk rating to the client application based on at least one of the detected operation and one or more previous operations of the client application on additional data that includes the confidential information.
  - 3. The computer-implemented method of claim 2, wherein a first risk rating that exceeds the threshold is assigned to the client application upon detecting the operation on the data that includes the confidential information, the method further comprising:
    - modifying the first risk rating assigned to the client application if no additional operations of the client application on data that includes the confidential information are detected within a specified time frame.
  - 4. The method of claim 2, wherein the detected operation comprises at least one of an operation to store the data, an operation to transform the data or an operation to transmit the data to a destination outside of an enterprise network within which the computing device operates.
  - 5. The computer-implemented method of claim 1, further comprising assigning the risk rating only if the client application is not a trusted client application.
  - 6. The computer-implemented method of claim 1, wherein performing the action comprises:
    - at least one of quarantining the client application, blocking access to the client application or terminating the client application if a first risk rating is assigned to the client application; and
      
      at least one of notifying a system administrator of the client application or requesting a detailed scan of the client application if a second risk rating is assigned to the client application.
  - 7. The computer-implemented method of claim 1, further comprising:
    - profiling activities of one or more legitimate applications to develop the model of legitimate use of the confidential information; and
      
      profiling activities of one or more illegitimate applications to develop the model of illegitimate use of the confidential information.

8. A non-transitory computer-readable storage medium including instructions that, when executed by a computing device, cause the computing device to perform operations comprising:
- monitoring, by the computing device, operations by a client application;
  
  determining, by the computing device, that data of one of the operations contain confidential information protected by a data loss prevention (DLP) policy; and
  
  in response to determining that the data contains the confidential information, determining whether the client application is using the confidential information for a legitimate purpose or an illegitimate purpose, comprising;
  
  analyzing, by the computing device, behavior of the client application with respect to the confidential information;
  
  identifying a pattern of how the client application uses the confidential information based at least in part on the behavior of the client application, wherein the identified pattern is not associated with a user;
  
  performing a comparison of the identified pattern to at least one of a model of legitimate use of the confidential information or a model of illegitimate use of the confidential information to determine a security risk of the client application; and
  
  assigning a rating indicative of the security risk to the client application;
  
  performing an action to mitigate risk of data loss if the rating exceeds a threshold.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The non-transitory computer-readable storage medium of claim 8, the operations further compriseassigning the rating to the client application based on at least one of the detected operation and one or more previous operations of the client application on additional data that includes the confidential information.
  - 10. The non-transitory computer-readable storage medium of claim 9, wherein a first rating that exceeds the threshold is assigned to the client application upon detecting the operation on the data that includes the confidential information, the operations further comprisereducing the first rating assigned to the client application if no additional operations of the client application on data that includes the confidential information are detected within a specified time frame.
  - 11. The non-transitory computer-readable storage medium of claim 9, wherein the detected operation comprises at least one of an operation to store the data, an operation to transform the data or an operation to transmit the data to a destination outside of an enterprise network within which the computing device operates.
  - 12. The non-transitory computer-readable storage medium of claim 8, the operations further compriseassigning the rating only if the client application is not a trusted client application.
  - 13. The non-transitory computer-readable storage medium of claim 8, wherein performing the action comprises:
    - at least one of quarantining the client application, blocking access to the client application or terminating the client application if a first rating is assigned to the client application; and
      
      at least one of notifying a system administrator of the client application or requesting a detailed scan of the client application if a second rating is assigned to the client application.
  - 14. The non-transitory computer-readable storage medium of claim 8, the operations further comprise:
    - profiling activities of one or more legitimate applications to develop the model of legitimate use of the confidential information; and
      
      profiling activities of one or more illegitimate applications to develop the model of illegitimate use of the confidential information.

15. A computing apparatus comprising:
- a memory to store instructions for a behavioral engine; and
  
  a processor, connected with the memory, to execute the instructions, wherein the instructions cause the processor to;
  
  monitor operations by a client application by a data loss prevention (DLP) agent;
  
  determine by the DLP agent that data of one of the operations contain confidential information protected by a data loss prevention (DLP) policy; and
  
  in response to determining that the data contains the confidential information, notify a behavior engine to determine whether the client application is using the confidential information for a legitimate purpose or an illegitimate purpose, comprising;
  
  analyze, by the behavior engine, behavior of a client application with respect to confidential information;
  
  identify, by the behavior engine, a pattern of how the client application uses the confidential information based at least in part on the behavior of the client application, wherein the identified pattern is not associated with a user;
  
  perform, by the behavior engine, a comparison of the identified pattern to at least one of a model of legitimate use of the confidential information or a model of illegitimate use of the confidential information to determine a security risk of the client application;
  
  assign, by the behavior engine, a rating indicative of the security risk to the client application; and
  
  perform, by the DLP agent, an action to mitigate risk of data loss if the rating exceeds a threshold.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The computing apparatus of claim 15, wherein the instructions further cause the processor toassign the rating to the client application based on at least one of the detected operation and one or more previous operations of the client application on additional data that includes the confidential information.
  - 17. The computing apparatus of claim 16, wherein a first rating that exceeds the threshold is assigned to the client application upon detecting the operation on the data that includes confidential information, the instructions further to cause the processor toreduce the first rating assigned to the client application if no additional operations of the client application on data that includes the confidential information are detected within a specified time frame.
  - 18. The computing apparatus of claim 16, wherein the detected operation comprises at least one of an operation to store the data, an operation to transform the data or an operation to transmit the data to a destination outside of an enterprise network within which the computing apparatus operates.
  - 19. The computing apparatus of claim 15, wherein the instructions further cause the processor toassign the rating only if the client application is not a trusted client application.
  - 20. The computing apparatus of claim 15, wherein the instructions further cause the processor to:
    - profile activities of one or more legitimate applications to develop the model of legitimate use of the confidential information; and
      
      profile activities of one or more illegitimate applications to develop the model of illegitimate use of the confidential information.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Barile, Ian, Espinoza, Mario
Primary Examiner(s)
Gelagay, Shewaye

Application Number

US12/472,339
Publication Number

US 20100306850A1
Time in Patent Office

1,841 Days
Field of Search

726/11, 726 25- 26, 713/152, 713/165
US Class Current

726/25
CPC Class Codes

G06F 21/566 Dynamic detection, i.e. det...

G06F 21/577 Assessing vulnerabilities a...

Behavioral engine for identifying patterns of confidential data use

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

18 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Behavioral engine for identifying patterns of confidential data use

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

18 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links