AU2012216758A1 - System and method for adding context to prevent data leakage over a computer network - Google Patents

System and method for adding context to prevent data leakage over a computer network Download PDF

Info

Publication number
AU2012216758A1
AU2012216758A1 AU2012216758A AU2012216758A AU2012216758A1 AU 2012216758 A1 AU2012216758 A1 AU 2012216758A1 AU 2012216758 A AU2012216758 A AU 2012216758A AU 2012216758 A AU2012216758 A AU 2012216758A AU 2012216758 A1 AU2012216758 A1 AU 2012216758A1
Authority
AU
Australia
Prior art keywords
data
contextual information
destination
network
determining
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abandoned
Application number
AU2012216758A
Inventor
Daniel Lyle Hubbard
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Websense LLC
Original Assignee
Websense LLC
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Priority claimed from AU2008214131A external-priority patent/AU2008214131B2/en
Application filed by Websense LLC filed Critical Websense LLC
Priority to AU2012216758A priority Critical patent/AU2012216758A1/en
Publication of AU2012216758A1 publication Critical patent/AU2012216758A1/en
Abandoned legal-status Critical Current

Links

Abstract

Systems and methods for adding context to prevent data leakage over a computer network are disclosed. Date is classified and contextual information of the data is determined. A transmission policy is determined in response to the classification and contextual information. The data is either transmitted or blocked in response to the classification and the contextual information. Iu CLASSIFICATION *WHOHERE POLICY/ 5 ~~INFORMATIONREOTN ADMIN -. ENFORCEMENT DESTINATION

Description

AUSTRALIA Patents Act 1990 WEBSENSE, INC. COMPLETE SPECIFICATION STANDARD PATENT Invention Title: System and method for adding context to prevent data leakage over a computer network The following statement is a full description of this invention including the best method of performing it known to us:- SYSTEM AND METHOD FOR ADDING CONTEXT TO PREVENT DATA LEAKAGE OVER A COMPUTER NETWORK CROSS-REFERENCE TO RELATED APPLICATIONS [0001] This application claims the benefit of U.S. Provisional Patent Application No. 60/887,908, filed on February 2, 2007, which is incorporated by reference herein in its entirety. BACKGROUND OF THE INVENTION Field of the Invention [0002] This application relates to computer network security. Description of the Related Technology [0003] Computer networks are used to transmit data between computers in a seamless manner. A user can send a file or an email with an attachment to another user connected to the network. In many instances, this data transfer occurs over the Internet. Often, the content may contain sensitive information (i.e., business plans, financial data, product drawings, trade secrets, etc...) that should not be sent to the wrong recipient. [0004] The owners of the data have an interest in preventing the leakage of sensitive data over computer networks. Currently, there are methods for analyzing and classifying data being sent over the network. These methods determine the type of data and prevent the dissemination of data classified as being protected. In this regard, these methods classify the data and apply a protection/transmission policy depending on the type of data. For example, a policy might forbid the transmission of any business information containing social security numbers. [0005] However, a policy just based on the type of data may not provide the level of leakage prevention that is needed. For example, sometimes a company might want to limit the transmission of data to certain users or destinations. The analysis of the data itself cannot provide this level of classification and a reliable policy cannot be developed. -1- SUMMARY OF THE CERTAIN INVENTIVE ASPECTS [0006] In one inventive aspect, a system for preventing the unauthorized transmission of data over a computer network is disclosed. The system has a data source having data in communication with the network. A network (Internet) gateway is in communication with the network and a destination. The network gateway is configured to determine a transmission policy in response to the type of data and contextual information of the data. [00071 The contextual information can be sender contextual information and/or destination contextual information. For example, the sender contextual information may be an IP address of the data source, a user name or a group of users. The destination contextual information may be an IP address of the destination, a network of the destination or a category of the destination. The transmission policy may block transmission of the data, permit transmission of the data and/or report attempted transmission of the data. [0008] Typically, the data source is an electronic device such as a PDA, computer, cell phone, etc.... and the devices communicate over the Internet. [0009] The network gateway can include a classification module for determining the type of data, a context information module for determining the contextual information, a policy/reporting module for generating the transmission policy and an enforcement module for either transmitting the data, blocking the data and/or reporting the transmission of the data. [0010] In another inventive aspect, a method of preventing an unauthorized transmission of data over a computer network is disclosed. The method comprises classifying the data and determining contextual information of the data. Next, a transmission policy is determined in response to the classification and contextual information. The data is either transmitted or blocked in response to the classification and the contextual information. BRIEF DESCRIPTION OF THE DRAWINGS 10011] FIGURE 1 is a representation of a computer network whereby data leakage prevention using classification and contextual information can occur. [0012] FIGURE 2 is a block diagram illustrating some of the components to prevent data leakage over the computer network shown in FIGURE 1. -2- [0013] FIGURE 3 is a flowchart illustrating the process of preventing data leakage using classification and contextual information. [0014] FIGURE 4 is a table illustrating how transmission policies are applied to different scenarios. DETAILED DESCRIPTION OF CERTAIN INVENTIVE EMBODIMENTS [0015] The following detailed description is directed to certain specific embodiments of the invention. However, the invention can be embodied in a multitude of different systems and methods. In this description, reference is made to the drawings wherein like parts are designated with like numerals throughout. [00161 Referring to FIGURE 1, a system for preventing the unauthorized transmission of data over a computer network is shown. A user can use a digital device as a source of data 10 (i.e., PDA 10a, laptop computer 10b, cell phone 10c, computer 10d, or other type of digital device) to transmit data over a computer network 12 and Internet 18 to a destination device 14 such as another electronic device. It will be recognized that any type of device 10 can be used as the source of data (i.e., fax machine, scanner, network disk drive, USB memory device, etc.. ). The devices 10 are connected to an internal network 12 either through a wired or wireless connection. Each of the devices 10 contain data that may be transmitted. The network 10 can be a local area network (LAN) with a connection to Internet 18. It will be recognized that multiple LAN's can be connected together to from a wide area network (WAN) that could connect to the Internet 18. The network 10 can be an Ethernet I ObaseT topology, or based on any networking protocol, including wireless networks, token ring network, and the like. [0017] The network 10 communicates with a network/Internet gateway 16 in order to provide the sources 10 a connection to the Internet 18. The Internet gateway 16 may be a server or combination of servers for translating TCP/IP protocols into proper protocols for communication across the local area network 12. The gateway 16 is well known in the art and normally communicates through routers or other data switching technology. Furthermore, the gateway 16 illustrated in FIGURE 1 may include content filtering that prevents users from accessing prohibited websites, as well as a data leakage prevention to -3prevent prohibited content from traveling outside the network 12 as will be further explained below. [0018] The Internet gateway 16 communicates with the Internet 18 and hence the destination 14 through commonly known techniques. Accordingly, other gateways, routers, switches and/or other devices may be in the path of communication between the Internet 18, the Internet gateway 16, the destination 14, the network 12 and the sources 10. The Internet gateway analyzes TCP/IP traffic passing there through. The destination 14 may be and electronic device, an IP address, email address, network address or other type of recipient. [0019] Referring to FIGURE 2, a block diagram showing the components of FIGURE 1 is illustrated. The source 10 includes data 20 to be transmitted to the destination 14. The data 20 may be any type of data such as numerical, textual, graphical, etc.... The data 10 may be transmitted as an email attachment, instant message, FTP, or anything that can be converted into TCP/IP traffic. The data 20 is transmitted to Internet gateway 16 which contains software (i.e., modules) that prevents the unauthorized dissemination of confidential information. The term "module", as used herein may be, but is not limited to, a software or hardware component, such as a FPGA or ASIC, which performs certain tasks. A module may be configured to reside on an addressable storage medium and configured to execute on one or more processors. Accordingly, a module may include components such as software components, object-oriented software components, class components and task components, processes, functions, attributes, procedures, subroutines, segments of program code, drivers, firmware, microcode, circuitry, data, databases, data structures, tables, arrays, and variables. The functionality provided for in the components and modules may be combined into fewer components and modules or further separated into additional components and modules. The tasks to be performed by the modules may be programmed using ordinary techniques as is commonly known. [0020] The Internet gateway 16 includes a classification module 22, a policy/reporting module 24, a who/where context information module 26 and an enforcement module 28. In addition, an administration module 30 may be in communication with the Internet gateway 16 and/or may be incorporated therein. -4- [0021] The classification module 22 analyzes the data 20 to determine whether the data 20 contains prohibited content by identifying a fingerprint and/or signature of the data 20. The fingerprint or signature of the data 20 is compared to a database of signatures in order to identify the content. As such, the classification module 22 determines the content of the data. The who/where context information module 26 determines who sent the data and the destination of the data. For example, the context information module 26 determines who sent the data by identifying the sender using directory services over the network 12. For example, senders can be identified by using a list of users complied in a company's database or using an LDAP service. Typically, the users are also mapped to IP addresses in order to obtain their location. The sender's identification is then used as contextual information that can be applied to the data. For instance, the sender's contextual information may be an IP address of the sender, the user's identity, group identity, or any other type of information that adds further context to the sender of the data 20. [00221 The context information module 26 also determines contextual information regarding the destination of the data 20. For example, by comparing the IP address of the destination to a database of IP addresses sorted by categories, it is possible to categorize the destination. The database of IP addresses includes known IP addresses that are sorted based on contextual information. The IP addresses are grouped into categories depending on the type of destination and content contained. Some non-limiting examples of categories may be "malicious addresses", "competitors", "public sites", etc... The IP addresses are grouped by categories as is commonly known in the web filtering industry and generated by analyzing the destination. In addition to categorizing the destination, it is also possible to add other contextual information such as the network of the destination or just the address of the destination. Therefore, the destination contextual information may be any additional information that further defines the data 20. For example, the destination contextual information may be the reputation of the destination, the name and/or type of entity, the location of the destination, known malicious recipients, etc.... [00231 The policy/reporting module 24 is used to determine the policy applied to the data 20. Specifically, based on the classification of the data 20 determined by the classification module 22 and the contextual information determined by the context information -5module 26, it is possible to generate a policy for the data 20. The policy determines whether the data 20 is to be transmitted, blocked and/or reported, as will be further explained in FIGURE 3. 10024] The enforcement module 28 applies the policy to the data 20 and either blocks or transmits the data 20 to the Internet 18. The administration module 30 allows an administrator to change policies and/or allow data 20 to be transmitted after further review. [0025] Referring to FIGURE 3, a flowchart for adding contextual information to data leakage prevention is shown. In block 300, data 20 is received or sent by the Internet gateway 16. Next, the data is inspected/analyzed in block 302 and classified in step 304 by classification module 22. As previously mentioned, the data 20 is fingerprinted and a signature is identified in order to determine if the data 20 is information that should be blocked or transmitted. [0026] Next, in block 305, contextual information about the data 20 is determined by who/where context information module 26. Specifically, the "who" of the sender may be one or all of a specific P address, an individual user or a member of a specified group. The "where" of the destination 14 may be one or all of a category of the destination, the network of the destination or the IP address of the destination. [0027] In block 306 the policy for the data 20 is determined by policy/reporting module 24. The policy is determined using the classification determined from block 304 and the contextual information determined from block 305. [0028] Referring to FIGURE 4, a table showing some exemplary policies is illustrated. The classification of data/content derived from block 304 of FIGURE 3 is shown in column 402. The sender's contextual information is listed in column 404, while the destination contextual information is listed in column 406. As previously described, the sender contextual information and the destination contextual information is generated in block 305 of FIGURE 3. Column 408 of FIGURE 4 lists the policy applied to the data/content for each respective row of the table. For example, in row 410, the data/content is business data, while the sender contextual information indicates that user A sent the information and the destination contextual information indicates that data is to be sent to network A. In this instance, the policy to be applied is to report that user A is attempting to send the data to -6network A. Rows 412 and 414 show similar scenarios except that the destination contextual information is different. Specifically, in row 412 the data/content is allowed to be transmitted while in row 414 the data/content is blocked because the data/content is being sent to IP address 3 which may be associated with a malicious site. Accordingly, rows 410, 412 and 414 illustrate examples whereby the data/content is the same and the sender is the same, but the policy is different based upon the destination contextual information. Similarly, rows 416, 418 and 420 illustrate an example whereby the data/content is the same and the destination contextual information is the same, but the policy changes based upon the sender contextual information. It will be recognized by those of ordinary skill in the art that many different policies can be configured in order to provide the desired type of security. By both classifying the type of data and using the contextual information it is possible to generate more granular policies. Furthermore, reporting, incident handling, alias usage and priority handling are facilitated by using both classification and contextual information. [0029] Referring back to FIGURE 3, in decision block 308, the policy/reporting module 24 determines whether the data should be blocked. If the data 20 should not be blocked then the data is transmitted in block 318 by enforcement module 28. However, if the policy for the data/content is to block the data 20 or report the data 20, then the process proceeds to block 310 whereby it is determined whether the attempt to transmit the data 20 should be reported. If the transmission is not to be reported, then the process proceeds to step 316 where the transmission of the data 20 is blocked by enforcement module 28. However, if the transmission is to be reported, then the process proceeds to step 312 whereby an administrator or other supervisor can review the data, sender and recipient information and determine whether to send the data 20. If the data 20 is to be sent, the process proceeds to block 318 whereby the data 20 is sent. However, the process proceeds to block 316 and the data is not transmitted if the supervisor or administrator believes it is not appropriate to send the data. It will be recognized that it is possible to omit the review manually step 312 and report and block the transmission of the data 20. [0030] While block 308 has been described as blocking data 20, it will be recognized that other types of actions may occur after the policy has been determined in block -7- 306. Specifically, block 308 may initiate a workflow based upon the policy determined in block 306 whereby the data 20 is further analyzed, classified, inspected, etc.... [0031] While the above description has shown, described, and pointed out novel features of the invention as applied to various embodiments, it will be understood that various omissions, substitutions, and changes in the form and details of the device or process illustrated may be made by those skilled in the art without departing from the spirit and scope of the invention. -8-

Claims (33)

1. A system for preventing the unauthorized transmission of data over a computer network, the system comprising: a data source having data and in communication with the network; a network gateway in communication with the network; and a destination in communication with the network; wherein the network gateway is configured to determine a transmission policy in response to the type of data and contextual information of the data.
2. The system of claim I wherein the contextual information comprises sender contextual information of the data source.
3. The system of claim I wherein the contextual information comprises destination contextual information of the destination.
4. The system of claim I wherein the contextual information comprises sender contextual information of the data source and destination contextual information of the destination.
5. The system of claim 4 wherein the sender contextual information is an IP address of the data source, a user name or a group of users.
6. The system of claim 4 wherein the destination contextual information is an IP address of the destination, a network of the destination or a category of the destination.
7. The system of claim 4 wherein the transmission policy transmits the data or blocks transmission of the data. -9-
8. The system of claim 7 wherein the transmission policy further comprises reporting that the data source is attempting to transmit data.
9. The system of claim I wherein the data source is an electronic device.
10. The system of claim 9 wherein the electronic device is selected from the group consisting of: a PDA; a computer; and a cell phone.
I1. The system of claim I wherein the computer network is the Internet.
12. The system of claim I wherein the network gateway comprises a classification module for determining the type of data.
13. The system of claim I wherein the network gateway comprises a context information module for determining the contextual information.
14. The system of claims wherein the network gateway comprises a policy/reporting module for generating the transmission policy.
15. The system of claim I wherein the network gateway comprises an enforcement module for transmitting or blocking transmission of the data in response to the transmission policy.
16. The system of claim 1 wherein the network gateway comprises: a classification module for determining the type of data; a context information module for determining the contextual information; a policy/reporting module for generating the transmission policy; and -10- an enforcement module for transmitting or blocking transmission of the data in response to the transmission policy.
17. A method of preventing an unauthorized transmission of data over a computer network, the method comprising the steps of: classifying the data; determining contextual information of the data; and determining a transmission policy for the data in response to the classification of the data and contextual information of the data.
18. The method of claim 17 further comprising the step of transmitting the data or blocking the data in response to the transmission policy.
19. The method of claim 18 wherein the step of transmitting the data or blocking the data is performed by an enforcement module.
20. The method of claim 17 wherein the step of classifying the data comprises determining the type of data.
21. The method of claim 17 wherein the step of determining the contextual information of the data comprises determining sender contextual information.
22. The method of claim 21 wherein the sender contextual information comprises an IP address of the sender, a user name of the sender or a group name of the user.
23. The method of claim 17 wherein the step of determining the contextual information of the data comprises determining destination contextual information. -11-
24. The method of claim 23 wherein the destination contextual information comprises an IP address of the destination, a network of the destination or a category of the destination.
25. The method of claim 17 wherein the step of determining the contextual information of the data comprises determining destination contextual information and sender contextual information.
26. The method of claim 17 further comprising the step of reporting that the data is to be transmitted.
27. The method of claim 17 wherein the step of classifying the data is performed by a classification module.
28. The method of claim 17 wherein the step of determining the contextual information of the data is performed by a context information module.
29. The method of claim 17 wherein the step of determining a transmission policy for the data is performed by a policy/reporting module.
30. The method of claim 17 further comprising the step of sending the data to a network gateway prior to classifying the data.
31. The method of claim 30 wherein the step of sending the data is performed with an electronic device connected to a network.
32. The method of claim 31 wherein the electronic device is selected from the group consisting of: a PDA; a computer; and -12- a cell phone.
33. The method of claim 31 wherein the network is the Internet. -13-
AU2012216758A 2007-02-02 2012-09-11 System and method for adding context to prevent data leakage over a computer network Abandoned AU2012216758A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
AU2012216758A AU2012216758A1 (en) 2007-02-02 2012-09-11 System and method for adding context to prevent data leakage over a computer network

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
US60/887,908 2007-02-02
AU2008214131A AU2008214131B2 (en) 2007-02-02 2008-01-30 System and method for adding context to prevent data leakage over a computer network
AU2012216758A AU2012216758A1 (en) 2007-02-02 2012-09-11 System and method for adding context to prevent data leakage over a computer network

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
AU2008214131A Division AU2008214131B2 (en) 2007-02-02 2008-01-30 System and method for adding context to prevent data leakage over a computer network

Publications (1)

Publication Number Publication Date
AU2012216758A1 true AU2012216758A1 (en) 2012-10-04

Family

ID=46940664

Family Applications (1)

Application Number Title Priority Date Filing Date
AU2012216758A Abandoned AU2012216758A1 (en) 2007-02-02 2012-09-11 System and method for adding context to prevent data leakage over a computer network

Country Status (1)

Country Link
AU (1) AU2012216758A1 (en)

Similar Documents

Publication Publication Date Title
US9609001B2 (en) System and method for adding context to prevent data leakage over a computer network
US10505932B2 (en) Method and system for tracking machines on a network using fuzzy GUID technology
US10887330B2 (en) Data surveillance for privileged assets based on threat streams
US11411980B2 (en) Insider threat management
US11044267B2 (en) Using a measure of influence of sender in determining a security risk associated with an electronic message
JP4688420B2 (en) System and method for enhancing electronic security
US8806607B2 (en) Unauthorized data transfer detection and prevention
US20220014543A1 (en) Using a measure of influence of sender in determining a security risk associated with an electronic message
CN105721461A (en) System and method using dedicated computer security services
WO2018102308A2 (en) Detecting computer security risk based on previously observed communications
US20220394057A1 (en) Investigation of threats using queryable records of behavior
US20080127295A1 (en) Messaging security device
US20120137362A1 (en) Collaborative security system for residential users
AU2012216758A1 (en) System and method for adding context to prevent data leakage over a computer network
Rahalkar et al. SoK: Content Moderation Schemes in End-to-End Encrypted Systems
KR20240019725A (en) Email security system detecting unauthorized email server access attacks for preventing targeted email attacks and method thereof
Al Mazrouei Designing Anti-spam Detection by Using Locality Sensitive Hash (LSH)
CN115967578A (en) Data leakage prevention method and system
Olzak Just enough security
JP2006227842A (en) Automatic report generation method in security audit and program and unauthorized entry detecting device
Eronen STUDY ON THE RELEVANCE OF THREAT INTELLIGENCE ON THE PROTECTION OF CRITICAL INFRASTRUCTURE

Legal Events

Date Code Title Description
MK4 Application lapsed section 142(2)(d) - no continuation fee paid for the application