Behavioral engine for identifying patterns of confidential data use
Abstract
A client device hosts a behavioral engine. Using the behavioral engine, the client device analyzes behavior of a client application with respect to confidential information. The client device assigns a rating indicative of risk to the client application based on the behavior of the client application. The client device performs an action to mitigate risk of data loss if the rating exceeds a threshold.
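The flow the abstract describes, as an added Python sketch that is not code from the patent or its assignee. The DLP pattern, operation names, model weights, cosine-similarity comparison, threshold and the "block" action are all assumptions chosen for illustration, and the events are constructed.

```python
import re
from collections import Counter, defaultdict
# Hypothetical DLP policy: a constructed pattern for 16-digit card-like numbers.
DLP_POLICY = re.compile(r"\b(?:\d{4}[- ]?){3}\d{4}\b")
# Hypothetical models: relative frequency of operation types on confidential data.
LEGIT_MODEL = {"read": 0.6, "write_local": 0.35, "clipboard": 0.05}
ILLEGIT_MODEL = {"read": 0.3, "net_send": 0.5, "write_removable": 0.2}
THRESHOLD = 0.6  # assumed cutoff for the risk rating

def similarity(pattern, model):
    """Cosine similarity between two operation-frequency vectors."""
    dot = sum(pattern.get(op, 0.0) * w for op, w in model.items())
    norm = (sum(v * v for v in pattern.values()) * sum(w * w for w in model.values())) ** 0.5
    return dot / norm if norm else 0.0

class BehavioralEngine:
    def __init__(self):
        self.counts = defaultdict(Counter)  # keyed by application, never by user
    def observe(self, app, op, data):
        """Count an operation only when its data matches the DLP policy."""
        if DLP_POLICY.search(data):
            self.counts[app][op] += 1
    def rating(self, app):
        """Risk in [0, 1]: closeness to the illegitimate model relative to both."""
        ops = self.counts.get(app, Counter())
        total = sum(ops.values())
        if not total:
            return 0.0  # no confidential data seen for this application
        pattern = {op: n / total for op, n in ops.items()}
        bad, good = similarity(pattern, ILLEGIT_MODEL), similarity(pattern, LEGIT_MODEL)
        return bad / (bad + good) if bad + good else 0.5
    def enforce(self, app):
        """Mitigate (here: 'block') only when the rating exceeds the threshold."""
        return "block" if self.rating(app) > THRESHOLD else "allow"

EVENTS = [  # constructed sample: (application, operation, data)
    ("editor.exe", "read", "card 4111 1111 1111 1111"),
    ("editor.exe", "write_local", "card 4111 1111 1111 1111"),
    ("editor.exe", "net_send", "weather update"),  # not confidential, ignored
    ("sync_tool.exe", "read", "4111-1111-1111-1111"),
    ("sync_tool.exe", "net_send", "4111-1111-1111-1111"),
    ("sync_tool.exe", "net_send", "4111-1111-1111-1111"),
]

def run(events):
    engine = BehavioralEngine()
    for app, op, data in events:
        engine.observe(app, op, data)
    return engine
```

With the constructed events, `editor.exe` stays below the threshold because its only network send carried no policy-matched data, while `sync_tool.exe` exceeds it.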
20 Claims
1. A computer-implemented method comprising:
- monitoring, by a computing device, operations by a client application;
- determining, by the computing device, that data of one of the operations contain confidential information protected by a data loss prevention (DLP) policy; and
- in response to determining that the data contains the confidential information, determining whether the client application is using the confidential information for a legitimate purpose or an illegitimate purpose, comprising:
- analyzing, by the computing device, behavior of the client application with respect to the confidential information;
- identifying a pattern of how the client application uses the confidential information based at least in part on the behavior of the client application, wherein the identified pattern is not associated with a user;
- performing a comparison of the identified pattern to at least one of a model of legitimate use of the confidential information or a model of illegitimate use of the confidential information to determine a security risk of the client application; and
- assigning a risk rating indicative of the security risk to the client application;
- performing an action to mitigate risk of data loss if the risk rating exceeds a threshold.

Dependent claims: 2, 3, 4, 5, 6, 7
8. A non-transitory computer-readable storage medium including instructions that, when executed by a computing device, cause the computing device to perform operations comprising:
- monitoring, by the computing device, operations by a client application;
- determining, by the computing device, that data of one of the operations contain confidential information protected by a data loss prevention (DLP) policy; and
- in response to determining that the data contains the confidential information, determining whether the client application is using the confidential information for a legitimate purpose or an illegitimate purpose, comprising:
- analyzing, by the computing device, behavior of the client application with respect to the confidential information;
- identifying a pattern of how the client application uses the confidential information based at least in part on the behavior of the client application, wherein the identified pattern is not associated with a user;
- performing a comparison of the identified pattern to at least one of a model of legitimate use of the confidential information or a model of illegitimate use of the confidential information to determine a security risk of the client application; and
- assigning a rating indicative of the security risk to the client application;
- performing an action to mitigate risk of data loss if the rating exceeds a threshold.

Dependent claims: 9, 10, 11, 12, 13, 14
15. A computing apparatus comprising:
- a memory to store instructions for a behavioral engine; and
- a processor, connected with the memory, to execute the instructions, wherein the instructions cause the processor to:
- monitor operations by a client application by a data loss prevention (DLP) agent;
- determine by the DLP agent that data of one of the operations contain confidential information protected by a data loss prevention (DLP) policy; and
- in response to determining that the data contains the confidential information, notify a behavior engine to determine whether the client application is using the confidential information for a legitimate purpose or an illegitimate purpose, comprising:
- analyze, by the behavior engine, behavior of a client application with respect to confidential information;
- identify, by the behavior engine, a pattern of how the client application uses the confidential information based at least in part on the behavior of the client application, wherein the identified pattern is not associated with a user;
- perform, by the behavior engine, a comparison of the identified pattern to at least one of a model of legitimate use of the confidential information or a model of illegitimate use of the confidential information to determine a security risk of the client application;
- assign, by the behavior engine, a rating indicative of the security risk to the client application; and
- perform, by the DLP agent, an action to mitigate risk of data loss if the rating exceeds a threshold.

Dependent claims: 16, 17, 18, 19, 20
Specification