Data leakage prevention system, method, and computer program product for preventing a predefined type of operation on predetermined data

- McAfee, Inc.

A data leakage prevention system, method, and computer program product are provided for preventing a predefined type of operation on predetermined data. In use, an attempt to perform an operation on predetermined data that is protected using a data leakage prevention system is identified. Additionally, it is determined whether a type of the operation attempted includes a predefined type of operation. Furthermore, the operation on the predetermined data is conditionally prevented based on the determination to prevent circumvention of the protection of the data leakage prevention system.

Description
CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a continuation of U.S. application Ser. No. 12/166,151, filed on Jul. 1, 2008, the contents of which are hereby incorporated by reference for all purposes.

FIELD OF THE INVENTION

The present invention relates to data leakage prevention, and more particularly to controlling operations performed on data for preventing data leakage.

BACKGROUND

Traditionally, data leakage prevention systems have been utilized for preventing loss of data, such as unwanted disclosure of confidential data. However, techniques employed by such traditional data leakage prevention systems have exhibited various limitations which allow circumvention of such systems. Just by way of example, data leakage prevention systems have conventionally prevented data loss by blocking the transfer of data when such data matches a signature of data for which loss is determined to be undesired. Unfortunately, reliance on signatures has allowed circumvention of data leakage prevention systems, since data that would otherwise match a signature can be transformed (e.g. encoded, encrypted, or compressed) into another form incapable of being matched to such signature.

There is thus a need for addressing these and/or other issues associated with the prior art.

SUMMARY

A data leakage prevention system, method, and computer program product are provided for preventing a predefined type of operation on predetermined data. In use, an attempt to perform an operation on predetermined data that is protected using a data leakage prevention system is identified. Additionally, it is determined whether a type of the operation attempted includes a predefined type of operation. Furthermore, the operation on the predetermined data is conditionally prevented based on the determination to prevent circumvention of the protection of the data leakage prevention system.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 illustrates a network architecture, in accordance with one embodiment.

FIG. 2 shows a representative hardware environment that may be associated with the servers and/or clients of FIG. 1, in accordance with one embodiment.

FIG. 3 shows a data leakage prevention method for preventing a predefined type of operation on predetermined data, in accordance with one embodiment.

FIG. 4 shows a system for preventing a predefined type of operation on predetermined data, in accordance with another embodiment.

FIG. 5 shows a method for conditionally blocking access to data predetermined to be protected based on a type of the access, in accordance with yet another embodiment.

DETAILED DESCRIPTION

FIG. 1 illustrates a network architecture 100, in accordance with one embodiment. As shown, a plurality of networks 102 is provided. In the context of the present network architecture 100, the networks 102 may each take any form including, but not limited to a local area network (LAN), a wireless network, a wide area network (WAN) such as the Internet, peer-to-peer network, etc.

Coupled to the networks 102 are servers 104 which are capable of communicating over the networks 102. Also coupled to the networks 102 and the servers 104 is a plurality of clients 106. Such servers 104 and/or clients 106 may each include a desktop computer, laptop computer, hand-held computer, mobile phone, personal digital assistant (PDA), peripheral (e.g. printer, etc.), any component of a computer, and/or any other type of logic. In order to facilitate communication among the networks 102, at least one gateway 108 is optionally coupled therebetween.

FIG. 2 shows a representative hardware environment that may be associated with the servers 104 and/or clients 106 of FIG. 1, in accordance with one embodiment. Such figure illustrates a typical hardware configuration of a workstation in accordance with one embodiment having a central processing unit 210, such as a microprocessor, and a number of other units interconnected via a system bus 212.

The workstation shown in FIG. 2 includes a Random Access Memory (RAM) 214, Read Only Memory (ROM) 216, an I/O adapter 218 for connecting peripheral devices such as disk storage units 220 to the bus 212, a user interface adapter 222 for connecting a keyboard 224, a mouse 226, a speaker 228, a microphone 232, and/or other user interface devices such as a touch screen (not shown) to the bus 212, a communication adapter 234 for connecting the workstation to a communication network 235 (e.g., a data processing network), and a display adapter 236 for connecting the bus 212 to a display device 238.

The workstation may have resident thereon any desired operating system. It will be appreciated that an embodiment may also be implemented on platforms and operating systems other than those mentioned. One embodiment may be written using JAVA, C, and/or C++ language, or other programming languages, along with an object oriented programming methodology. Object oriented programming (OOP) has become increasingly used to develop complex applications.

Of course, the various embodiments set forth herein may be implemented utilizing hardware, software, or any desired combination thereof. For that matter, any type of logic may be utilized which is capable of implementing the various functionality set forth herein.

FIG. 3 shows a data leakage prevention method 300 for preventing a predefined type of operation on predetermined data, in accordance with one embodiment. As an option, the data leakage prevention method 300 may be carried out in the context of the architecture and environment of FIGS. 1 and/or 2. Of course, however, the data leakage prevention method 300 may be carried out in any desired environment.

As shown in operation 302, an attempt to perform an operation on predetermined data that is protected using a data leakage prevention system is identified. With respect to the present description, the data leakage prevention system may include any system (e.g. application, module, etc.) utilized for protecting the predetermined data by preventing data leakage associated therewith. For example, the data leakage prevention system may block unwanted access to, communication of, etc. data for preventing loss of such data.

Additionally, the predetermined data that is protected using the data leakage prevention system may include data predetermined for being protected using the data leakage prevention system. For example, the predetermined data that is protected using the data leakage prevention system may include data predetermined to include confidential data. Such confidential data may include data internal to an organization, personally identifying data (e.g. social security number, etc.), etc.

In one embodiment, the predetermined data may be manually predetermined for being protected using the data leakage prevention system. As an option, a creator of the data may manually indicate that the data is to be protected using the data leakage prevention system. The indication that the data is to be protected in such manner may be provided by labeling the data, flagging the data, generating a fingerprint of the data used by the data leakage prevention system (e.g. to prevent data leakage for data with such fingerprint), etc.

In another embodiment, the predetermined data may be automatically predetermined for being protected using the data leakage prevention system. For example, the predetermined data may be analyzed for determining whether content of such predetermined data is of a type predetermined to be protected using the data leakage prevention system. Such type predetermined to be protected may include confidential content. Thus, if it is determined that the content is of a type predetermined to be protected using the data leakage prevention system, the data including such content may be predetermined for being protected using the data leakage prevention system.

In yet another embodiment, the predetermined data may include data predetermined by a policy (e.g. a security policy utilized by the data leakage prevention system). Such policy may be manually generated, automatically generated, etc. to include an indication (e.g. signature, identifier, etc.) of data that is predetermined. Of course, it should be noted that the data may be predetermined in any desired manner.

Moreover, the operation attempted to be performed on the predetermined data may include any type of operation (e.g. function, etc.) capable of being performed on the data. Just by way of example, the operation may include accessing the predetermined data. In various embodiments, such access may include opening the predetermined data, deleting the predetermined data, reading the predetermined data, writing to the predetermined data, transforming a format of the predetermined data (e.g. by encoding, encrypting, packing, archiving, etc. the predetermined data), etc.
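The Background and the description of operation 302 onward describe two controls in prose: a signature match on the bytes being transferred, which a transformation defeats, and the operation-type check that refuses the transformation itself. The following Python is an illustration added here; it is not code from the patent or from any McAfee product. It treats a SHA-256 digest as the "fingerprint", a Social Security number pattern plus a keyword as the automatic content classification, and labels each requested operation with an explicit type. The operation taxonomy, the policy class, the sample document and the XOR "cipher" are assumptions of the example, chosen only to show how a byte-level transform changes the signature while the operation-type check still fires.

```python
"""Toy model of operation-type DLP: refuse transforming operations on protected
data instead of only matching signatures at transfer time (added example)."""
from __future__ import annotations

import base64
import hashlib
import re
import zlib
from dataclasses import dataclass, field
from enum import Enum, auto


class Op(Enum):
    """Operation types the interceptor can see (assumed taxonomy)."""
    READ = auto()
    WRITE = auto()
    DELETE = auto()
    ENCODE = auto()    # e.g. base64
    ENCRYPT = auto()
    COMPRESS = auto()  # pack / archive
    SEND = auto()      # transfer off the host


# Operation types predetermined by policy to change a signature: encoding,
# encryption and compression/packing/archiving, as the description names them.
TRANSFORMING_OPS = frozenset({Op.ENCODE, Op.ENCRYPT, Op.COMPRESS})

# Automatic predetermination: a content pattern for personally identifying data.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def fingerprint(data: bytes) -> str:
    """Signature of a document, here a SHA-256 digest of its exact bytes."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class DLPPolicy:
    fingerprints: set[str] = field(default_factory=set)  # manually flagged documents
    blocked_ops: frozenset[Op] = TRANSFORMING_OPS

    def protect(self, data: bytes) -> None:
        """Manual predetermination: the creator flags a document for protection."""
        self.fingerprints.add(fingerprint(data))

    def is_protected(self, data: bytes) -> bool:
        """Protected if it was flagged (fingerprint) or its content is confidential."""
        if fingerprint(data) in self.fingerprints:
            return True
        try:
            text = data.decode("utf-8")
        except UnicodeDecodeError:
            return False  # binary blobs are classified by fingerprint only
        return bool(SSN_RE.search(text)) or "CONFIDENTIAL" in text


def signature_only_check(policy: DLPPolicy, data: bytes) -> bool:
    """The traditional control: block a transfer whose bytes match a fingerprint."""
    return fingerprint(data) in policy.fingerprints


def _perform(op: Op, data: bytes) -> bytes:
    """Carry out an allowed operation; only the transforming ones alter the bytes."""
    if op is Op.ENCODE:
        return base64.b64encode(data)
    if op is Op.COMPRESS:
        return zlib.compress(data)
    if op is Op.ENCRYPT:
        key = b"\x5a" * 16  # toy XOR 'cipher', enough to change the signature
        return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))
    return data


def request_operation(policy: DLPPolicy, op: Op, data: bytes) -> tuple[bool, bytes]:
    """Intercept an operation before it runs. Returns (allowed, result).

    A transforming operation on protected data is refused outright, so the data
    never reaches a form the signature check can no longer recognise."""
    if policy.is_protected(data) and op in policy.blocked_ops:
        return False, data
    return True, _perform(op, data)


def demo() -> dict[str, bool]:
    policy = DLPPolicy()
    secret = b"CONFIDENTIAL: payroll SSN 123-45-6789"  # constructed sample
    policy.protect(secret)

    # Circumvention of a signature-only control: base64 leaves nothing to match.
    encoded = base64.b64encode(secret)
    signature_evaded = not signature_only_check(policy, encoded)
    # The content classifier is blind to the encoded form too, so a later SEND of
    # the encoded bytes passes; the leak has to be stopped at the ENCODE step.
    send_encoded_allowed, _ = request_operation(policy, Op.SEND, encoded)

    # Operation-type control: the encode attempt on protected data is blocked...
    encode_allowed, _ = request_operation(policy, Op.ENCODE, secret)
    # ...while non-transforming access to the same data still works.
    read_allowed, _ = request_operation(policy, Op.READ, secret)
    # Unprotected data may be transformed freely.
    public_allowed, _ = request_operation(policy, Op.COMPRESS, b"press release")

    return {
        "signature_evaded": signature_evaded,
        "send_encoded_allowed": send_encoded_allowed,
        "encode_blocked": not encode_allowed,
        "read_allowed": read_allowed,
        "public_compress_allowed": public_allowed,
    }


if __name__ == "__main__":
    print(demo())
```

The toy receives the operation type as a parameter; in a real endpoint agent the difficult part is deriving that type from the hook context (which process, which API, which output handle) before the operation completes, and the policy author must decide which of those types count as transforming. The check is still only as good as the predetermination step: data that is neither fingerprinted nor recognized by the content classifier is not protected, which is why the example classifies the sample both ways.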

Claims

1. A method comprising the acts of:

identifying a first data from among second data for the purpose of applying data leakage protection to the first data;
monitoring, by a computing device, operations requested to be performed upon the first data, before said operations are performed upon the first data;
detecting a first operation requested to be performed upon the first data by a potentially malicious software;
determining whether said first operation transforms data or a portion thereof for the purpose of obfuscating the identity of the data changing a signature of the data;
preventing the first operation on said first data if the act of determining results in a determination that the first operation is a type that transforms data for the purpose of obfuscating the identity of the data changing the signature of the data.

2. The method of claim 1 wherein the type of operation comprises an encryption type operation.

3. The method of claim 1 wherein the type of operation comprises an encoding type operation.

4. The method of claim 1 wherein the type of operation comprises a compression type of operation.

5. A method comprising the acts of:

determining, by a computing device, that a first data is a type of data that is sensitive to an organization;
recognizing operations requested to be performed upon the first data, before said operations are performed upon the first data;
identifying a first operation requested to be performed upon first data by a potentially malicious software;
determining whether said first operation is a type of operation that has been predetermined to create a risk of obfuscating the identity of said first data by transforming the said first data changing the signature of said first data, such predetermination regarding the type of operation having occurred prior to any act of this method;
based upon whether the first operation's type has been predetermined, conditionally preventing the first operation on said first data upon the detection of said first operation.

6. The method of claim 5 wherein one predetermined type of operation is an operation that encrypts data.

7. The method of claim 5 wherein one predetermined type of operation is an operation that encodes data.

8. The method of claim 5 wherein one predetermined type of operation is chosen from the group of an encryption type operation, an encoding type operation, and a compression type operation.

9. The method of claim 5 wherein the type of data sensitive to an organization comprises data internal to the organization.

10. A method comprising the acts of:

determining, by a computing device, that a first data is a type of data that is sensitive;
recognizing operations requested to be performed upon the first data, before said operations are performed upon the first data;
identifying a first operation requested to be performed upon the first data by a potentially malicious software;
determining whether said first operation is a type of operation that has been predetermined to create a risk of obfuscating the nature or identity of the first data by transforming said first data changing a signature of said first data;
based upon whether the first operation's type has been predetermined, conditionally preventing the first operation on said first data upon the detection of the first operation.

11. The method of claim 10 wherein one predetermined type of operation is an encryption type operation.

12. The method of claim 10 wherein one predetermined type of operation is an operation that encodes data.

13. The method of claim 10 wherein one predetermined type of operation is chosen from the group of an encryption type operation, an encoding type operation, and a compression type operation.

14. The method of claim 10 wherein the type of data that is sensitive comprises data internal to the organization.

References Cited
U.S. Patent Documents
20040111389 June 10, 2004 Pudipeddi et al.
Patent History
Patent number: 8689006
Type: Grant
Filed: Apr 13, 2012
Date of Patent: Apr 1, 2014
Assignee: McAfee, Inc. (Santa Clara, CA)
Inventors: Manabendra Paul (Karimganj), Abhilash Chandran (Kollam)
Primary Examiner: Longbit Chai
Application Number: 13/446,716