On-demand content classification using an out-of-band communications channel for facilitating file activity monitoring and control

US 9,128,941 B2
Filed: 03/06/2013
Issued: 09/08/2015
Est. Priority Date: 03/06/2013
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for on-demand classification of content using an out-of-band communications channel comprising:

monitoring communications to a server over an in-band communications channel;

identifying, based on the communications, a request to access a particular file stored by the server;

identifying one or more rules based on the request to access the particular file;

determining that the one or more rules specify that classification information for contents of the particular file should be evaluated;

determining that the classification information for the contents of the particular file is not available;

obtaining classification information for the particular file from a classifying entity via an out-of-band communications channel different from the in-band communications channel; and

performing processing based on the classification information for the contents of the particular file and the identified one or more rules, the processing comprising evaluating the classification information to determine whether the contents of the particular file include one or more sensitive types of data.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Communications to a server over an in-band communications channel are monitored for requests to access a file. Based on the communications, a request to access a particular file stored by the server is identified. Security and/or audit rules are identified based on the request. A determination is thereafter made that the security and/or audit rules require evaluation of classification information for contents of the requested file. Thus, a determination is made as to whether classification information for the contents of the particular file is available, such as determining whether the classification information is stored in a local classification cache. Responsive to a determination that the classification information is not available, classification information is obtained for the contents of the particular file using an out-of-band communications channel. Thereafter, processing with respect to the request to access the particular file is performed based on the obtained classification information and the one or more security and/or audit rules.

225 Citations

18 Claims

1. A computer-implemented method for on-demand classification of content using an out-of-band communications channel comprising:
- monitoring communications to a server over an in-band communications channel;
  
  identifying, based on the communications, a request to access a particular file stored by the server;
  
  identifying one or more rules based on the request to access the particular file;
  
  determining that the one or more rules specify that classification information for contents of the particular file should be evaluated;
  
  determining that the classification information for the contents of the particular file is not available;
  
  obtaining classification information for the particular file from a classifying entity via an out-of-band communications channel different from the in-band communications channel; and
  
  performing processing based on the classification information for the contents of the particular file and the identified one or more rules, the processing comprising evaluating the classification information to determine whether the contents of the particular file include one or more sensitive types of data.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The computer-implemented method of claim 1, further comprising storing the obtained classification information for the contents of the particular file in an associated classification cache.
  - 3. The computer-implemented method of claim 1, wherein performing processing based on the classification information for the contents of the particular file and the identified one or more rules further comprises:
    - determining, based on the one or more rules, that access to a file having contents that include the one or more sensitive types of data is restricted; and
      
      restricting access to the particular file based on the determination that access to a file having contents including the one or more sensitive types of data is restricted.
  - 4. The computer-implemented method of claim 1, wherein performing processing based on the classification information for the contents of the particular file and the identified one or more rules comprises:
    - determining, based on the one or more rules, that access to a file having contents that include the one or more sensitive types of data is to be recorded; and
      
      recording information describing the request to access the particular file in an audit log associated with the server.
  - 5. The computer-implemented method of claim 1, wherein the one or more sensitive types of data include at least one of:
    - financial records, health records, credit card data, personal information, or user access information.
  - 6. The computer-implemented method of claim 1, wherein the out-of-band communications channel is established over a different network than a network over which the in-band communications channel is established.
  - 7. The computer-implemented method of claim 1, wherein obtaining the classification information comprises:
    - transmitting a request for the particular file to the server via the out-of-band communications channel;
      
      responsively receiving the particular file from the server via the out-of-band communications channel; and
      
      generating classification information for the contents of the particular file based on an analysis of the contents of the file received from the server.
  - 8. The computer-implemented method of claim 7, wherein generating the classification information for the contents of the particular file comprises:
    - determining whether an existing classification job associated with the particular file is in a classification queue;
      
      responsive to determining that an existing classification job associated with the particular file is in the classification queue, associating the existing classification job with the received request to access the particular file stored by the server; and
      
      responsive to determining that an existing classification job associated with the particular file is not in the classification queue, adding a new classification job to the classification queue, wherein the new classification job is associated with the received request to access the particular file stored by the server.
  - 9. The computer-implemented method of claim 1, wherein obtaining the classification information comprises:
    - transmitting a request for classification information to the classifying entity via the out-of-band communications channel different from the in-band communications channel;
      
      responsively receiving classification information for the contents of the particular file from the classifying entity via the out-of-band communications channel; and
      
      storing the received classification information for the contents of the particular file in an associated classification cache.
  - 10. The computer-implemented method of claim 9, wherein transmitting the request for classification information to a classifying entity comprises:
    - determining a load level associated with each of a plurality of classifying entities;
      
      selecting the classifying entity from the plurality of classifying entities based at least in part on the determined load levels; and
      
      transmitting the request for classification information to the classifying entity.
  - 11. The computer-implemented method of claim 1, further comprising:
    - storing a set of classification information in local cache for a plurality of files;
      
      wherein the determining that the classification information is not available comprises determining that the classification information is not available in the local cache.

12. A non-transitory computer-readable medium storing executable computer instructions for on-demand classification of content using an out-of-band communications channel, the computer instructions comprising instructions for:
- monitoring communications to a server over an in-band communications channel;
  
  identifying, based on the communications, a request to access a particular file stored by the server;
  
  identifying one or more rules based on the request to access the particular file;
  
  determining that the one or more rules specify that classification information for contents of the particular file should be evaluated;
  
  determining that the classification information for the contents of the particular file is not available;
  
  obtaining classification information for the particular file from a classifying entity via an out-of-band communications channel different from the in-band communications channel; and
  
  performing processing based on the classification information for the contents of the particular file and the identified one or more rules, the processing comprising evaluating the classification information to determine whether the contents of the particular file include one or more sensitive types of data.
- View Dependent Claims (13, 14, 15)
- - 13. The non-transitory computer-readable medium of claim 12, further comprising instructions for storing the obtained classification information for the contents of the particular file in an associated classification cache.
  - 14. The non-transitory computer-readable medium of claim 12, wherein the instructions for obtaining the classification information comprise instructions for:
    - transmitting a request for classification information to the classifying entity via the out-of-band communications channel different from the in-band communications channel;
      
      responsively receiving classification information for the contents of the particular file from the classifying entity via the out-of-band communications channel; and
      
      storing the received classification information for the contents of the particular file in an associated classification cache.
  - 15. The non-transitory computer-readable medium of claim 12, wherein the out-of-band communications channel is established over a different network than a network over which the in-band communications channel is established.

16. A system for on-demand classification of content using an out-of-band communications channel, the system comprising:
- a non-transitory computer-readable storage medium storing executable computer program instructions comprising instructions for;
  
  monitoring communications to a server over an in-band communications channel;
  
  identifying, based on the communications, a request to access a particular file stored by the server;
  
  identifying one or more rules based on the request to access the particular file;
  
  determining that the one or more rules specify that classification information for contents of the particular file should be evaluated;
  
  determining that the classification information for the contents of the particular file is not available;
  
  obtaining classification information for the particular file from a classifying entity via an out-of-band communications channel different from the in-band communications channel; and
  
  performing processing based on the classification information for the contents of the particular file and the identified one or more rules, the processing comprising evaluating the classification information to determine whether the contents of the particular file include one or more sensitive types of data; and
  
  a processor for executing the computer program instructions.
- View Dependent Claims (17, 18)
- - 17. The system of claim 16, further comprising instructions for storing the obtained classification information for the contents of the particular file in an associated classification cache.
  - 18. The system of claim 16, wherein the instructions for obtaining the classification information comprise instructions for:
    - transmitting a request for classification information to the classifying entity via the out-of-band communications channel different from the in-band communications channel;
      
      responsively receiving classification information for the contents of the particular file from the classifying entity via the out-of-band communications channel; and
      
      storing the received classification information for the contents of the particular file in an associated classification cache.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Imperva Incorporated (Thales SA)
Original Assignee
Imperva Incorporated (Thales SA)
Inventors
Shulman, Amichai, Naar, Rotem, Einhorn, Moshe
Primary Examiner(s)
Morrison, Jay
Assistant Examiner(s)
GORTAYO, DANGELINO N

Application Number

US13/787,536
Publication Number

US 20140258294A1
Time in Patent Office

916 Days
Field of Search

707/693, 707/737, 707/754, 707/769, 707/802
US Class Current

1/1
CPC Class Codes

G06F 16/122   using management policies b...

G06F 40/30   Semantic analysis

H04L 47/2441   relying on flow classificat...

On-demand content classification using an out-of-band communications channel for facilitating file activity monitoring and control

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

225 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

On-demand content classification using an out-of-band communications channel for facilitating file activity monitoring and control

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

225 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links