An insider threat is a malicious threat to an organization that comes from people within the organization, such as employees, former employees, contractors, vendors, or business associates. As the name implies, insiders have inside information concerning the organization's security practices, data and computer systems.
The insider threat may involve fraud, the theft of confidential or commercially valuable information, the theft of intellectual property, or the sabotage of computer systems. Because of their physical proximity to an organization's data, the insider does not need to hack into the organizational network through the outer perimeter by traversing firewalls. Rather, the insider is already inside the buildings and often has direct access to the organization's internal network. Insider threats are harder to defend against than attacks from outsiders since the insider already has legitimate access to the organization's information and assets.
Insider threat management is the process and practice of preventing, combating, detecting, and monitoring insiders in order to fortify an organization's data from theft, fraud and damage.
One aspect of the present disclosure relates to a system configured to facilitate capture of recently-arrived text chunk of real-time post-appending body of on-screen text. The system may include one or more hardware processors configured by machine-readable instructions. The processor(s) may be configured to monitor a real-time post-appending body of on-screen text, the on-screen text being produced by an application executing on a computing system. The processor(s) may be configured to obtain an end endpoint of the monitored body, which indicates a locus of the final character of the existing on-screen text of the monitored body. The processor(s) may be configured to remember the locus of the final character of existing on-screen text. The processor(s) may be configured to adjust the end endpoint to an interior locus in the existing on-screen text of the monitored body. The processor(s) may be configured to obtain a trigger that indicates that the monitored body may have been post-appended with new on-screen text. The processor(s) may be configured to, in response to the trigger, chunk new on-screen text of the post-appended body based on a difference between the remembered locus and a new endpoint of the new on-screen text of the post-appended body.
Another aspect of the present disclosure relates to a method that facilitates capture of recently-arrived text chunk of real-time post-appending body of on-screen text. The method may include monitoring a real-time post-appending body of on-screen text, the on-screen text being produced by an application executing on a computing system. The method may include obtaining an end endpoint of the monitored body, which indicates a locus of the final character of the existing on-screen text of the monitored body. The method may include remembering the locus of the final character of the existing on-screen text. The method may include adjusting the end endpoint to an interior locus in the existing on-screen text of the monitored body. The method may include obtaining a trigger that indicates that the monitored body may have been post-appended with new on-screen text. The method may include, in response to the trigger, chunking new on-screen text of the post-appended body based on a difference between the remembered locus and a new endpoint of the new on-screen text of the post-appended body.
Yet another aspect of the present disclosure relates to a non-transient computer-readable storage medium having instructions embodied thereon, the instructions being executable by one or more processors to perform a method that facilitates capture of recently-arrived text chunk of the real-time post-appending body of on-screen text. The method may include monitoring a real-time post-appending body of on-screen text, the on-screen text being produced by an application executing on a computing system. The method may include obtaining an end endpoint of the monitored body, which indicates a locus of the final character of the existing on-screen text of the monitored body. The method may include remembering the locus of the final character of the existing on-screen text. The method may include adjusting the end endpoint to an interior locus in the existing on-screen text of the monitored body. The method may include obtaining a trigger that indicates that the monitored body may have been post-appended with new on-screen text. The method may include, in response to the trigger, chunking new on-screen text of the post-appended body based on a difference between the remembered locus and a new endpoint of the new on-screen text of the post-appended body.
These and other features, and characteristics of the present technology, as well as the methods of operation and functions of the related elements of structure and the combination of parts and economies of manufacture, will become more apparent upon consideration of the following description and the appended claims with reference to the accompanying drawings, all of which form a part of this specification, wherein like reference numerals designate corresponding parts in the various figures. It is to be expressly understood, however, that the drawings are for the purpose of illustration and description only and are not intended as a definition of the limits of the invention. As used in the specification and in the claims, the singular form of ‘a’, ‘an’, and ‘the’ include plural referents unless the context clearly dictates otherwise.
The Detailed Description references the accompanying figures. In the figures, the left-most digit(s) of a reference number identifies the figure in which the reference number first appears. The same numbers are used throughout the drawings to reference like features and components.
Described herein is a technology that facilitates capture of recently-arrived text chunk of real-time post-appending body of on-screen text as disclosed. Exemplary implementations may: monitor a real-time post-appending body of on-screen text; obtain an end endpoint of the monitored body, which indicates a locus of the final character of existing on-screen text of the monitored body; remember the locus of the final character of existing on-screen text; adjust the end endpoint to an interior locus in the existing on-screen text of the monitored body; obtain a trigger that indicates that the monitored body may have been post-appended with new on-screen text; and in response to the trigger, chunk new on-screen text of the post-appended body based on a difference between the remembered locus and a new endpoint of the new on-screen text of the post-appended body.
Computing platform(s) may be configured to communicate with one or more computing platforms (such as remote platform(s) 104) according to a client/server architecture and/or other architectures. Computing platform(s) may be configured to communicate with other computing platforms according to a peer-to-peer architecture and/or other architectures. Users, like user 130, may access system 100 via client computing platform(s) 102.
Computing platform(s) 102 may be configured by machine-readable instructions 106. Machine-readable instructions 106 may include one or more instruction modules. The instruction modules may include computer program modules. The instruction modules may include one or more of body monitoring module 108, text-range obtaining module 110, locus remembrance module 112, end endpoint adjusting module 114, trigger obtaining module 116, text chunking module 118, screen reader 150, and/or other instruction modules.
As depicted, the user 130 is interacting with the computer platform(s) 102 using a screen 134 of a display device 132 of the computer platform(s). On that screen are displayed two windows (136 and 138) that each represent an executing application operating on that computing platform(s) 102. Indeed, window 136 is active and is labeled “Chat Box,” which is the name of a fictitious chat application.
While a chat application is discussed herein for this example implementation, other applications may be involved with other implementations. For example, other implementations of the technology described herein may interact with applications with an active on-screen window in which a user types and receives a response, such as a command prompt.
A chat application (i.e., “app”) executes on a computer system (such as the computing platform(s) 102). So-called “chat” refers to the process of communicating, interacting and/or exchanging messages via a network or communication medium (i.e., the Internet). It involves a dialogue between two or more individuals that communicate through a chat-enabled service or application.
Window 136 includes a body 140 of on-screen text. The text inside window 136 (depicted in
Since the text of the body 140 appears on the screen, it is called on-screen text herein. That body 140 of on-screen text represents a snapshot of the exchange of messages between the user 130 and one or more other individuals. The body 140 of the Chat Box window 136 is an example of a real-time post-appending body of on-screen text.
The text of a real-time post-appending body of on-screen text appears on the screen 134 as a series of text chunks that are appended to the end of the prior body of on-screen text. Since the newly entered or arrived text is attached after the final character of the prior body, it is called post-appending herein.
The appending process occurs as the chunks are entered or arrive. Thus, it is called “real-time” herein to describe the process in which the text chunks are appended.
The initial set of text 210 is the entirety of the text that is displayed on-screen in this window. As such, the initial set of text 210 is the present real-time post-appending body of on-screen text. In response to a request (e.g., to the operating system of the computing platform(s) 102) for the range of the text on-screen, a response may give start endpoint 212 and an end endpoint 214, which indicates the on-screen locations of the first and last characters, respectively, in the body of on-screen text.
A request like this is often answered by some form of assistive technology (AT). In particular, a so-called screen reader may respond to this type of request. Screen readers are applications or part of the operating system. Screen readers attempt to convey what people with normal eyesight see on a display to their users via non-visual means, for example, text-to-speech, sound icons, or a Braille device. Screen readers do this by applying a wide variety of techniques that include for example interacting with dedicated accessibility application programming interfaces (APIs), using various operating system features and employing hooking techniques. The MICROSOFT™ WINDOWS™ operating system offers a set of APIs called UI AUTOMATION to expose on-screen textual content.
With insider threat management, it is desirable to track the activities of users on the computing platforms. In the case of a chat application, it is difficult to track both the insider user and the incoming exchanges. For example, a simple keystroke monitor will fail to capture the incoming messages.
Using assistive technologies (AT), insider threat management may be able to capture both the user's and incoming messages because both kinds appear on the screen. Thus, insider threat management using AT can capture the entire exchange a chunk at a time. Each chunk is a set of text representing an exchange between the user and others.
In response to a request (e.g., to AT) for the range of the text on-screen, a response may give start endpoint 222 and an end endpoint 224, which indicate the on-screen locations of the first and last characters, respectively, in the body of on-screen text (which is a combination of set 210 and block 220). Unfortunately, this response fails to retain any historical information that allows us to parse the block 220 from the entirety of the existing body.
Returning again to the depiction of system 100 of
The real-time post-appending body of on-screen text may be produced by a messaging application (such as a chat application), the on-screen text being produced by an application executing on a computing system. The computing platform(s) 102 is an example of a computing system.
Text-range obtaining module 110 may be configured to obtain the range of the body of on-screen text monitored by the body monitoring module 108 (i.e., the “monitored body”). That is, the text-range obtaining module 110 obtains the screen location of the start of the body and the screen location of the end of the body. These are called the start endpoint and end endpoint, respectively. In some implementations, the module may only obtain the end endpoint. This text-range obtaining function may be facilitated, in part, by assistive technologies, as discussed above.
The end endpoint of the monitored body indicates an on-screen locus of the final character of the existing on-screen text of the monitored body. The monitored body may have a start endpoint and an end endpoint indicating the locus of a first and a final character, respectively, of the initial on-screen text of the monitored body. Arriving on-screen text appends after the final character of the initial on-screen text of the monitored body. The end endpoint may be updated to indicate the locus of a final character of the appended on-screen text.
Locus remembrance module 112 may be configured to remember the locus of the final character of existing on-screen text. That is, the locus remembrance module 112 stores a pointer to the location of the final character of the existing on-screen text.
As depicted in
As depicted in
End endpoint adjusting module 114 may be configured to adjust the end endpoint to an interior locus in the existing on-screen text of the monitored body. Interior locus is an on-screen location within the monitored body. That is, the interior locus is a spot on the screen between the start endpoint and the end endpoint returned by the text-range obtaining module 110.
As depicted in
Characters “t.” inside dashed oval 312 are the two characters between the remembered locus 316 and the adjusted end endpoint 314. Two characters are used for this example to be near the original end endpoint but to avoid lost characters at the end of an exchange or line. However, other implementations may use some other location inside the existing monitored body.
Since the adjusted end endpoint 314 is no longer at the end of the previous body, when the value of the end endpoint is automatically incremented and advanced to the end of the new chunk 320, the adjusted end endpoint 314 stays the same value and points to location as indicated in
The actual end endpoint of all the on-screen text shown in chat box window 136 of
When the new chunk 320 is appended to the previous body, the computing platform(s) 102 may issue a computer event (e.g., interrupt, notification). The computer event may issue in response to, for example, particular keystrokes (e.g., entry key press) or when particular conditions arise. These may act as a trigger.
Trigger obtaining module 116 may be configured to obtain a trigger that indicates that the monitored body may have been post-appended with new on-screen text. The trigger may be a computer event. By way of non-limiting example, the trigger may be selected from a group consisting of a computer event, a keystroke event, and a timer.
A computer event may involve a polling mechanism that just checks periodically (e.g., every 2 seconds) to see if the endpoint has changed. If there is a difference, that acts as a trigger for the trigger obtaining module 116. Another way is to utilize the events mechanism that an operating system provides. In that scenario, any time the text changes, an event is sent. The trigger obtaining module 116 may watch for particular events, and when they come in, that is a trigger.
In response to the trigger, the text-chunking module 118 may request a range of the present body of on-screen text. As depicted in
Start endpoint 318 points to the location of the start endpoint of the present body. End endpoint 330 points to the location of the end endpoint of the present body. For this discussion, the end endpoint 330 may be called the “new” end endpoint since it is new relative to the previous body as shown in
Indeed, as depicted in
Text chunking module 118 may be configured to, in response to the trigger, chunk new on-screen text of the post-appended body based on a difference between the remembered locus and a new endpoint of the new on-screen text of the post-appended body. Thus, the text-chunking module 118 produces an extracted text chunk 340 (as shown in
The chunking may include obtaining a new end endpoint (e.g., end endpoint 330) of the monitored body, which indicates the locus of the new final character of the post-appended on-screen text of the monitored body. The chunking may include extracting the text between the remembered locus and the new endpoint of the monitored body. The chunking may include providing the extracted text as a chunk of the monitored real-time post-appending body of on-screen text.
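The remember/adjust/chunk sequence described above, as an added example that is not part of the original disclosure: a Python simulation in which OnScreenBody, TextRange and ChunkCapture are hypothetical names and the body is an in-memory stand-in for an accessibility text provider, not a real API. It also shows why an unadjusted end endpoint yields an empty difference, and handles a spurious timer trigger, several appends between polls, and an empty initial body.

```python
import weakref
from dataclasses import dataclass


@dataclass(eq=False)
class TextRange:
    """Opaque range handle; callers go through OnScreenBody, not the offsets."""
    start: int
    end: int
    sticky_end: bool  # True while the end endpoint sits at the end of the body


class OnScreenBody:
    """Constructed stand-in for an append-only text provider (an assumption).
    An end endpoint at the very end advances on append; an interior one stays."""

    def __init__(self, text=""):
        self.text = text
        self._ranges = weakref.WeakSet()

    def document_range(self):
        rng = TextRange(0, len(self.text), True)
        self._ranges.add(rng)
        return rng

    def move_end(self, rng, delta):
        """Move the end endpoint by delta characters; return characters moved."""
        new_end = max(rng.start, min(len(self.text), rng.end + delta))
        moved = abs(new_end - rng.end)
        rng.end = new_end
        rng.sticky_end = new_end == len(self.text)
        return moved

    def get_text(self, rng):
        return self.text[rng.start:rng.end]

    def append(self, chunk):
        self.text += chunk
        for rng in list(self._ranges):
            if rng.sticky_end:
                rng.end = len(self.text)


class ChunkCapture:
    BACKOFF = 2  # characters between the adjusted endpoint and the remembered locus

    def __init__(self, body):
        self.body = body
        self._arm()

    def _arm(self):
        rng = self.body.document_range()                        # obtain end endpoint
        self.backoff = self.body.move_end(rng, -self.BACKOFF)   # adjust to interior locus
        # Remembered locus = adjusted endpoint + backoff. An empty body has no
        # interior locus, so everything that arrives later is new text.
        self.anchor = rng if self.backoff else None

    def on_trigger(self):
        """Return text appended since the last call ('' for a spurious trigger)."""
        current = self.body.get_text(self.body.document_range())
        remembered = 0
        if self.anchor is not None:
            remembered = len(self.body.get_text(self.anchor)) + self.backoff
        self._arm()  # re-arm against the new end of the body
        return current[remembered:]


def naive_capture(body, appended):
    """Without the adjustment the old end endpoint advances with the append,
    so the difference between the old and new ranges is always empty."""
    old = body.document_range()
    body.append(appended)
    new = body.document_range()
    return body.get_text(new)[len(body.get_text(old)):]


def demo():
    body = OnScreenBody("Alice: are you there?\nBob: one moment.")  # constructed sample
    cap = ChunkCapture(body)
    body.append("\nAlice: ok.")
    first = cap.on_trigger()
    spurious = cap.on_trigger()        # timer fired, nothing arrived
    body.append("\nBob: back.")
    body.append("\nAlice: great.")     # two appends before the next poll
    batched = cap.on_trigger()
    return first, spurious, batched


if __name__ == "__main__":
    print(demo())
```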
In some implementations, the textual display system (which may include display 132) may include the screen reader 150. The screen reader 150 may be its own module or part of another module of the computing platform(s) 102, part of the operating system, an application, and/or a service communicating with the computing platform(s) 102.
In some implementations, computer platform(s) 102, remote computing platform(s) 104, and/or external resources 120 may be operatively linked via one or more electronic communication links. For example, such electronic communication links may be established, at least in part, via a network such as the Internet and/or other networks. It will be appreciated that this is not intended to be limiting, and that the scope of this disclosure includes implementations in which computing platform(s) 102, remote computing platform(s) 104, and/or external resources 120 may be operatively linked via some other communication media.
A given remote computing platform 104 may include one or more processors configured to execute computer program modules. The computer program modules may be configured to enable an expert or user associated with the given remote computing platform 104 to interface with system 100 and/or external resources 120, and/or provide other functionality attributed herein to remote computing platform(s) 104. By way of non-limiting example, the given remote computing platform 104 may include one or more of a desktop computer, a laptop computer, a handheld computer, a tablet computing platform, a NetBook, a Smartphone, a gaming console, and/or other computing platforms.
External resources 120 may include sources of information outside of system 100, external entities participating with system 100, and/or other resources. In some implementations, some or all of the functionality attributed herein to external resources 120 may be provided by resources included in system 100.
Computing platform(s) 102 may include electronic storage 122, one or more processors 124, and/or other components. Computing platform(s) 102 may include communication lines, or ports to enable the exchange of information with a network and/or other computing platforms. Illustration of Computing platform(s) 102 in
Electronic storage 122 may comprise non-transitory storage media that electronically stores information. The electronic storage media of electronic storage 122 may include one or both of system storage that is provided integrally (i.e., substantially non-removable) with Computing platform(s) 102 and/or removable storage that is removably connectable to Computing platform(s) 102 via, for example, a port (e.g., a USB port, a firewire port, etc.) or a drive (e.g., a disk drive, etc.). Electronic storage 122 may include one or more of optically readable storage media (e.g., optical disks, etc.), magnetically readable storage media (e.g., magnetic tape, magnetic hard drive, floppy drive, etc.), electrical charge-based storage media (e.g., EEPROM, RAM, etc.), solid-state storage media (e.g., flash drive, etc.), and/or other electronically readable storage media. Electronic storage 122 may include one or more virtual storage resources (e.g., cloud storage, a virtual private network, and/or other virtual storage resources). Electronic storage 122 may store software algorithms, information determined by processor(s) 124, information received from server(s) 102, information received from client computing platform(s) 104, and/or other information that enables computing platform(s) 102 to function as described herein.
Processor(s) 124 may be configured to provide information processing capabilities in server(s) 102. As such, processor(s) 124 may include one or more of a digital processor, an analog processor, a digital circuit designed to process information, an analog circuit designed to process information, a state machine, and/or other mechanisms for electronically processing information. Although processor(s) 124 is shown in
It should be appreciated that although modules 108, 110, 112, 114, 116, and/or 118 are illustrated in
In some implementations, method 400 may be implemented in one or more processing devices (e.g., a digital processor, an analog processor, a digital circuit designed to process information, an analog circuit designed to process information, a state machine, and/or other mechanisms for electronically processing information). The one or more processing devices may include one or more devices executing some or all of the operations of method 400 in response to instructions stored electronically on an electronic storage medium. The one or more processing devices may include one or more devices configured through hardware, firmware, and/or software to be specifically designed for execution of one or more of the operations of method 400.
An operation 402 may include monitoring a real-time post-appending body of on-screen text, the on-screen text being produced by an application executing on a computing system. Operation 402 may be performed by one or more hardware processors configured by machine-readable instructions including a module that is the same as or similar to body monitoring module 108, in accordance with one or more implementations.
An operation 404 may include obtaining an end endpoint of the monitored body, which indicates a locus of the final character of the existing on-screen text of the monitored body. Operation 404 may be performed by one or more hardware processors configured by machine-readable instructions including a module that is the same as or similar to text-range obtaining module 110, in accordance with one or more implementations.
An operation 406 may include remembering the locus of the final character of existing on-screen text. Operation 406 may be performed by one or more hardware processors configured by machine-readable instructions including a module that is the same as or similar to locus remembrance module 112, in accordance with one or more implementations.
An operation 408 may include adjusting the end endpoint to an interior locus in the existing on-screen text of the monitored body. Operation 408 may be performed by one or more hardware processors configured by machine-readable instructions including a module that is the same as or similar to end endpoint adjusting module 114, in accordance with one or more implementations.
An operation 410 may include obtaining a trigger that indicates that the monitored body may have been post-appended with new on-screen text. Operation 410 may be performed by one or more hardware processors configured by machine-readable instructions including a module that is the same as or similar to trigger obtaining module 116, in accordance with one or more implementations.
An operation 412 may include in response to the trigger, chunking new on-screen text of the post-appended body based on a difference between the remembered locus and a new endpoint of the new on-screen text of the post-appended body. Operation 412 may be performed by one or more hardware processors configured by machine-readable instructions including a module that is the same as or similar to text chunking module 118, in accordance with one or more implementations.
Example Information Handling System
The information handling system 500 likewise includes system memory 512, which is interconnected to the foregoing via one or more buses 514. System memory 512 further includes an operating system (OS) 516 and in various embodiments may also include a web browser 518, network filter 520, and a messaging application 522. In one embodiment, the information handling system 500 is able to download the web browser 518, the network filter 520, and/or the messaging application 522 from the service provider server 542. In another embodiment, the web browser 518, the network filter 520, and/or the messaging application 522 are provided as a service from the service provider server 542.
In various embodiments, in combination, alone, or with cooperation with the service provider 542 and/or the network 540, the web browser 518, the network filter 520, and/or the messaging application 522 perform the operations of the technology described herein. As will be appreciated, once the information handling system 500 is configured to perform the detection of potentially deceptive URI of a homograph attack, as described herein, the information handling system 500 becomes a specialized computing device specifically configured to perform such detection operations and is not a general purpose computing device. Moreover, the implementation of the web browser 518, the network filter 520, and/or the messaging application 522 on the information handling system 500 improves the functionality of the information handling system 500 and provides a useful and concrete result of detection of malicious attacks.
In the above description of example implementations, for purposes of explanation, specific numbers, materials configurations, and other details are set forth in order to better explain the present disclosure. However, it will be apparent to one skilled in the art that the subject matter of the claims may be practiced using different details than the example ones described herein. In other instances, well-known features are omitted or simplified to clarify the description of the example implementations.
The terms “techniques” or “technologies” may refer to one or more devices, apparatuses, systems, methods, articles of manufacture, and/or executable instructions as indicated by the context described herein.
As used in this application, the term “or” is intended to mean an inclusive “or” rather than an exclusive “or.” That is, unless specified otherwise or clear from context, “X employs A or B” is intended to mean any of the natural inclusive permutations. That is, if X employs A; X employs B; or X employs both A and B, then “X employs A or B” is satisfied under any of the foregoing instances. In addition, the articles “a” and “an” as used in this application and the appended claims should generally be construed to mean “one or more,” unless specified otherwise or clear from context to be directed to a singular form.
These processes are illustrated as a collection of blocks in a logical flow graph, which represents a sequence of operations that may be implemented in mechanics alone, with hardware, and/or with hardware in combination with firmware or software. In the context of software/firmware, the blocks represent instructions stored on one or more non-transitory computer-readable storage media that, when executed by one or more processors or controllers, perform the recited operations.
Note that the order in which the processes are described is not intended to be construed as a limitation, and any number of the described process blocks can be combined in any order to implement the processes or an alternate process. Additionally, individual blocks may be deleted from the processes without departing from the spirit and scope of the subject matter described herein.
The term “computer-readable media” is non-transitory computer-storage media or non-transitory computer-readable storage media. For example, computer-storage media or computer-readable storage media may include, but are not limited to, magnetic storage devices (e.g., hard disk, floppy disk, and magnetic strips), optical disks (e.g., compact disk (CD) and digital versatile disk (DVD)), smart cards, flash memory devices (e.g., thumb drive, stick, key drive, and SD cards), and volatile and non-volatile memory (e.g., random access memory (RAM), read-only memory (ROM)).