Method and apparatus for autonomic discovery of sensitive content

US 9,569,449 B2
Filed: 11/18/2010
Issued: 02/14/2017
Est. Priority Date: 11/18/2010
Status: Active Grant

First Claim

Patent Images

1. A method, operative at or in association with an endpoint in a data loss prevention (DLP) system, the DLP system executing at least in part on hardware and operative to perform scans of resources in a file system associated with the endpoint to search for sensitive content, the scans including an ordered set of scans that include a last scan followed by a next scan, comprising:

following the last scan;

obtaining information identifying an identity of a resource being accessed; and

updating a statistical model of resource access and usage based on the obtained information, the statistical model including, with respect to a resource, a count of resource accesses since the last scan; and

prior to initiating the next scan, prioritizing resources for further scanning for sensitive content based at least in part on resource access counts in the statistical model and one or more content sensitivity classifications associated with one or more resources.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A data loss prevention (DLP) system provides a policy-based mechanism for managing how data is discovered and classified on an endpoint workstation, file server or other device within an enterprise. The technique described herein works in an automated manner by analyzing file system activity as one or more endpoint applications interact with a file system to build a statistical model of which areas of the file system are (or will be deemed to be) active or highly active. Using this information, scanning to those areas by the DLP software is then prioritized appropriately to focus compute resources on scanning and classifying preferably only those files and folders that are necessary to be scanned, i.e., the file system portions in which the user is applying the majority of his or her activity. As a result, the technique limits scanning to only those areas that have meaningful activity (thereby conserving compute resources with respect to files or folders that have not changed), improving scanning efficiency.

20 Citations

View as Search Results

24 Claims

1. A method, operative at or in association with an endpoint in a data loss prevention (DLP) system, the DLP system executing at least in part on hardware and operative to perform scans of resources in a file system associated with the endpoint to search for sensitive content, the scans including an ordered set of scans that include a last scan followed by a next scan, comprising:
- following the last scan;
  
  obtaining information identifying an identity of a resource being accessed; and
  
  updating a statistical model of resource access and usage based on the obtained information, the statistical model including, with respect to a resource, a count of resource accesses since the last scan; and
  
  prior to initiating the next scan, prioritizing resources for further scanning for sensitive content based at least in part on resource access counts in the statistical model and one or more content sensitivity classifications associated with one or more resources.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method as described in claim 1 wherein prioritizing is based on a scoring algorithm.
  - 3. The method as described in claim 2 wherein the scoring algorithm applies at least one weight to a resource access count.
  - 4. The method as described in claim 3, wherein the particular resource access count includes a read count, and a write count.
  - 5. The method as described in claim 4, wherein the scoring algorithm applies one or more weights against one of:
    - the read count, and the write count.
  - 6. The method as described in claim 5, wherein, with respect to given resource, the scoring algorithm applies separate weightings to the read count and the write count.
  - 7. The method as described in claim 1 wherein the resource being accessed is a file or folder of a file system.
  - 8. The method as described in claim 1 further including conducting the next scan of the resources, in order of access activity as indicated in the statistical model, until a completion milestone is reached.
  - 9. The method as described in claim 8 wherein the completion milestone is one of:
    - scanning of all resources represented in the statistical model, completion of an allocated time period, completion of a scan of a predetermined number of resources, and completion of a scan of resources having an access count that exceeds a threshold.
  - 10. The method as described in claim 1 wherein the information is obtained by intercepting a system application programming interface (API) call.

11. An apparatus, operative at or in association with an endpoint in a data loss prevention (DLP) system, the DLP system operative to perform scans of resources in a file system associated with the endpoint to search for sensitive content, the scans including an ordered set of scans that include a last scan followed by a next scan, comprising:
- a processor;
  
  computer memory holding computer program instructions executed by the processor and operative;
  
  following the last scan;
  
  to obtain information identifying an identity of a resource being accessed; and
  
  to update a statistical model of resource access and usage based on the obtained information, the statistical model including, with respect to a resource, a count of resource accesses since the last scan; and
  
  prior to initiating the next scan, to prioritize resources for further scanning for sensitive content based at least in part on resource access counts in the statistical model and one or more content sensitivity classifications associated with one or more resources.
- View Dependent Claims (12, 13, 14, 15, 16, 17)
- - 12. The apparatus as described in claim 11 wherein prioritizing is based on a scoring algorithm.
  - 13. The apparatus as described in claim 12 wherein the scoring algorithm applies at least one weight to a resource access count.
  - 14. The apparatus as described in claim 11 wherein the resource being accessed is a file or folder of a file system.
  - 15. The apparatus as described in claim 11 wherein the computer program instructions are further operative to conduct the next scan of the resources, in order of access activity as indicated in the statistical model, until a completion milestone is reached.
  - 16. The apparatus as described in claim 15 wherein the completion milestone is one of:
    - scanning of all resources represented in the statistical model, completion of an allocated time period, completion of a scan of a predetermined number of resources, and completion of a scan of resources having an access count that exceeds a threshold.
  - 17. The apparatus as described in claim 11 wherein the information is obtained by intercepting a system application programming interface (API) call.

18. A non-transitory computer readable storage medium comprising a computer program product for use in a data processing system operative at or in association with an endpoint in a data loss prevention (DLP) system, the DLP system operative to perform scans of resources in a file system associated with the endpoint to search for sensitive content, the scans including an ordered set of scans that include a last scan followed by a next scan, the computer program product holding computer program instructions which, when executed by the data processing system, perform a method comprising:
- following the last scan;
  
  obtaining information identifying an identity of a resource being accessed; and
  
  updating a statistical model of resource access and usage based on the obtained information, the statistical model including, with respect to a resource, a count of resource accesses since the last scan; and
  
  prior to initiating the next scan, prioritizing resources for further scanning for sensitive content based at least in part on resource access counts in the statistical model and one or more content sensitivity classifications associated with one or more resources.
- View Dependent Claims (19, 20, 21, 22, 23, 24)
- - 19. The non-transitory computer readable storage medium as described in claim 18 wherein prioritizing is based on a scoring algorithm.
  - 20. The non-transitory computer readable storage medium as described in claim 19 wherein the scoring algorithm applies at least one weight to a resource access count.
  - 21. The non-transitory computer readable storage medium as described in claim 18 wherein the resource being accessed is a file or folder of a file system.
  - 22. The non-transitory computer readable storage medium as described in claim 18 wherein the method further includes conducting the next scan of the resources, in order of access activity as indicated in the statistical model, until a completion milestone is reached.
  - 23. The non-transitory computer readable storage medium as described in claim 22 wherein the completion milestone is one of:
    - scanning of all resources represented in the statistical model, completion of an allocated time period, completion of a scan of a predetermined number of resources, and completion of a scan of resources having an access count that exceeds a threshold.
  - 24. The non-transitory computer readable storage medium as described in claim 18 wherein the information is obtained by intercepting a system application programming interface (API) call.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SailPoint Technologies Holdings, Inc.
Original Assignee
International Business Machines Corporation
Inventors
Taylor, Daniel McKenzie, Cogill, Peter Terence
Primary Examiner(s)
PYO, MONICA M

Application Number

US12/948,802
Publication Number

US 20120131012A1
Time in Patent Office

2,280 Days
Field of Search

707/748, 707999002-999005, 726/22, 726/26
US Class Current

1/1
CPC Class Codes

G06F 16/14   Details of searching files ...

G06F 16/21   Design, administration or m...

G06Q 10/00   Administration; Management

Method and apparatus for autonomic discovery of sensitive content

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

20 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for autonomic discovery of sensitive content

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

20 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links