This Application is related to U.S. patent application Ser. No. 13/247,423 entitled “METHOD AND APPARATUS FOR FRIENDLY MAN-IN-THE-MIDDLE DATA STREAM INSPECTION”, Ser. No. 13/247,549 entitled “METHOD AND APPARATUS FOR PRIVACY-RESPECTING NOTIFICATION OF SECURITY THREATS”, and Ser. No. 13/247,623 entitled “METHOD AND APPARATUS FOR ENCRYPTION WITH VIEWER IDENTITY- AND CONTENT ADDRESS-BASED IDENTITY PROTECTION”, filed on Sep. 28, 2011, the teachings of which are hereby incorporated by reference in their entirety.
A portion of the disclosure of this patent document may contain command formats and other computer language listings, all of which are subject to copyright protection. The copyright owner has no objection to the facsimile reproduction by anyone of the patent document or the patent disclosure, as it appears in the Patent and Trademark Office patent file or records, but otherwise reserves all copyright rights whatsoever.
This application relates to data privacy.
Privacy is the claim of individuals, groups or institutions to determine for themselves when, how, and to what extent information about them is communicated to others. Private information is frequently made public or semi-public via emails, blogs and postings to social networking services, such as Facebook, Twitter, LinkedIn and FourSquare, often without foresight as to the consequences of such a divulgence. It has been reported that information publicly posted to social networking services has been used in firing individuals from their employment and has been used by criminals to find targets for burglaries.
Additionally, intentionally divulged information that is intended to be maintained as private is routinely sold to advertisers and information brokers. Moreover, with the proliferation of app usage in mobile devices, additional information is available on the “information market,” including users' location, age, gender, income, ethnicity, sexual orientation and political views. As recently reported by the Wall Street Journal, of 101 popular smartphone apps, 56 transmitted the device ID without the user's consent, 47 sent location information, and 5 sent age, gender and other personally identifiable information is outsiders.
Example embodiments of the present invention provide a method, an apparatus and a computer program product for cookie anonymization and rejection. The method includes receiving a cookie included in a data stream transmitted from a source intended for a destination. A lexical analysis of the cookie included in the data stream is then performed to determine state information associated with the cookie. The state information associated with the cookie then may be forwarded to the destination according to the lexical analysis.
The above and further advantages of the present invention may be better under stood by referring to the following description taken into conjunction with the accompanying drawings in which:
As the number of Internet-connected devices in the home and the enterprise continues to rise, the concept of privacy is increasingly caught in the midst of two divergent forces: that individual, group or institution's likely desire to maintain information as private, and the increasing vulnerability of such information to a privacy breach or unintended disclosure. Internet-connected devices in the household/enterprise may include personal computers, laptop computer, televisions, audiovisual receiver, music players, radio, appliances and gaming systems. While many of these devices have a method to block Internet access wholesale, they lack finer-grain controls for limiting Internet access.
For example, current methods for controlling the disclosure of private information include centralized devices that block wholesale access to a particular resource by using source/destination routing filters, regardless of content that is being sent to or received from that resource. Further, while there are some endpoint-based protections that examine content, they are one-off per client, require an administrator to set up and manage each device manually, and do not protect all device types (i.e., are only available on certain platforms). Moreover, while many of these devices provide logging capabilities, the rapidly increasing number of such devices and the amount of information they log removes from the realm of possibility an administrator's ability to police those logs to determine, albeit after the fact, private information that was disclosed.
Part of the content flowing over the network is cookies/beacons. Cookies provide an unknown leakage of private information from internal systems to external networks. One example of a cookie is a key-click cookie, which enables marketing for every click that a user is making and is often associated with free applications. That cookie may contain sensitive information like name, age, sex, location, account numbers, etc. Malware can hijack cookies and accelerate the leakage of information by continually uploading sensitive information at a very high rate. Web beacons leak user activity between websites out to external sources.
As understood in the art, these objects are buffers that may be filtered and examined. However, traditional packet inspectors typically only look at fingerprint, source, and destination information, but do not inspect at the content level. Therefore, content-aware drill-down analysis of cookies/beacons may enable an administrator to decipher cookie content and establish one or more policies to either block or anonymize cookies/beacons. Further, the pace and frequency of cookies can also be viewed.
Therefore, a centralized point of control is desirable that performs a lexical analysis of cookies/beacons in a data stream. Within the household, for example, a broadband router is generally a common access point for most home-based Internet-connected devices. In other words, example embodiments of the present invention provide an intelligent layer implemented, for example, in the router (or as a standalone device) that can inspect the payload of a cookie/beacon in a data stream for keywords and employ a blocking or masking mechanism to protect unauthorized or potentially harmful data from escaping the household (i.e., intentional or accidental), irrespective of source-type (i.e., agentless) and in a manner transparent to the destination.
Example embodiments of the present invention specifically targets cookies and beacons that flow through a system, and historically track cookie and beacon traffic in order to perform drill-down inspection on the contents. This inspection allows for detection of sensitive information such as credit cards, location, and any other personal info, as well as the potential presence of malware which is performing unusual behavior within the private system.
Likewise, the FMITM 200 may include additional hardware, such as a picocell, from a cellular telephony carrier to permit the FMITM 200 to intercept wireless communications (i.e., voice and data) from cellular telephones, tablet computers and the like connected to the cellular telephony carrier (e.g., over 3G or 4G connections). The FMITM 200 then forwards the cookie 108 out of the network 290 to the intended destination device 230 as a transformed data stream 218 according to the lexical analysis. In other embodiments, the FMITM 200 may include hardware to act as a repeater for the cellular telephony carrier so that it may intercept wireless communications and forward them back to the cellular telephony carrier's network (e.g., 3G or 4G network).
As illustrated in
In certain embodiments, as illustrated in
For example, the FMITM may analyze state information (i.e., attributes) of the cookie regarding the context of the cookie, such as frequency that the cookie was sent, rate that the cookie was sent, existence of the cookie, size of the cookie, source or destination Internet Protocol (IP) address of the cookie, identity of the source of the cookie, identity of the originating site of the cookie, identity of the site requesting the cookie, identity of the destination of the cookie, time of day the cookie was sent, and a number of destination sites for the cookie, including the identity of the source, the identity of the site where the cookie originated, the identity of the requesting site, the identity of the destination, a time of day the cookie was sent, frequency that the cookie was sent, the number of destination sites, the data fields of the requested cookie, and the size of the cookie. Such attributes can be leading indicators that the data is being harvested. The FMITM 300 also may inspect the content of the cookie, including name, age, gender, address, telephone number, email address, username, Internet Protocol (IP) address, salary, credit card number, banking account number, location, and online shopping history. The policies may be the results of the analysis of the cookies. For example, if a cookie collected data that an administrator did not want to share, a policy may be enabled to block that content from being sent to the requestor (or block the cookie in its entirety). Alternatively, the administrator could allow most of the content of the cookie but mask certain fields.
If the analysis module 312 determines that the context and the content of the cookie 308 do not require transformation of the state information associated with the content of the cookie 308 according to a policy (422), a transfer module 317 of the dispatcher 315 may forward the cookie 308 to the destination (e.g., destination device 130 of
When a user is utilizing the network, the user typically is unaware of cookies. Some users may be okay with cookies that allow them to take provide them some benefit, such as playing a game in exchange for the cookie collecting some information about the users. However, cookies also may be hijacked wherein information in the cookie is replaced so information collected by the cookie is sent to both the intended recipient and the hijacker. Other exploits include cookies that install an application (e.g., malware) on the user's system that collects additional information.
As illustrated in
The found cookies then may be sent, for example, to an unwelcome location, such as a malicious site (542), thereby giving the malicious site access to the content of the session cookie 544, including its associated online location, the user's name, and the user's authentication token for accessing the online location. It should be understood that, with respect to
As illustrated in
At other times, when the user visits another site and the rogue script sends the found cookies 544 to an unwelcome location, the FMITM 300 may receive (i.e., intercept) the cookie and determine whether the online location (i.e., site) requesting the cookie is approved according to a policy to receive cookies (546A). If the online location is not approved according to the policy to receive cookies (i.e., it is a rogue or malicious site stealing the cookie) (548A), the FMITM 300 may reject or remove the cookie from the data stream (518A). However, if the online location is approved according to the policy to receive cookies (550A), the FMITM 300 may perform a lexical analysis of the cookie to determine state information associated with the cookie and make a cookie fingerprint (558A). The FMITM 300 then may determine whether the cookie fingerprint matches the target allowance according to the policy (560A). If the fingerprint does not match the target allowance according to the policy (i.e., the rogue or malicious script is executing on a valid site according to the policy to harvest additional information) (562A), the FMITM 300 may reject or remove the cookie from the data stream (518A). The condition in which the fingerprint does match the target allowance (564A) is a false condition and is prevented by the FMITM 300 (i.e., a condition in which the site is approved for cookies (550A) and the fingerprint matches the target allowance (564A) would not be as a result of a rogue script on a malicious site but rather would only occur in online transaction with the online location itself).
As illustrated in
When the session cookie 510 is sent from the source device to its destination, the FMITM 300 may receive (i.e., intercept) the cookie and determine whether the online location (i.e., site) requesting the cookie is approved according to a policy to receive cookies (512B). If the online location is not approved according to the policy to receive cookies (514B), the FMITM 300 may reject or remove the cookie from the data stream (518B). However, if the online location is approved according to the policy to receive cookies (516B), the FMITM 300 may determine whether the requested cookie is allowed cross site access according to the policy (520B). If the cookie is not allowed cross site access (522B), the FMITM 300 may reject or remove the cookie from the data stream (518B). However, if the cookie is allowed cross site access (524B), the FMITM 300 may perform a lexical analysis of the cookie to determine state information associated with the cookie and make a cookie fingerprint (526B). The FMITM 300 then may determine whether the cookie fingerprint matches the target allowance according to the policy (528B). If the fingerprint does not match the target allowance according to the policy (530B), the FMITM 300 may reject or remove the cookie from the data stream (518B). However, if the fingerprint does match the target allowance according to the policy (532B), the cookie is allowed to continue in the data stream to its destination (e.g., safeplace.com) (534B).
At other times, when the user visits another site and the rogue script sends the found cookies 544 to an unwelcome location, the FMITM 300 may receive (i.e., intercept) the cookie and determine whether the online location (i.e., site) requesting the cookie is approved according to a policy to receive cookies (546B). If the online location is not approved according to the policy to receive cookies (i.e., it is a rogue or malicious site stealing the cookie) (548B), the FMITM 300 may reject or remove the cookie from the data stream (518B). However, if the online location is approved according to the policy to receive cookies (550B), the FMITM 300 may determine whether the requested cookie is allowed cross site access according to the policy (552B). If the cookie is not allowed cross site access (554B), the FMITM 300 may reject or remove the cookie from the data stream (518B). However, if the cookie is allowed cross site access (556B), the FMITM 300 may perform a lexical analysis of the cookie to determine state information associated with the cookie and make a cookie fingerprint (558B). The FMITM 300 then may determine whether the cookie fingerprint matches the target allowance according to the policy (560B). If the fingerprint does not match the target allowance according to the policy (i.e., the rogue or malicious script is executing on a valid site according to the policy to harvest additional information) (562B), the FMITM 300 may reject or remove the cookie from the data stream (518B). The condition in which the fingerprint does match the target allowance (564B) is a false condition and is prevented by the FMITM 300 (i.e., a condition in which the site is approved for cookies (550B), the cookie is allowed cross site access (556B), and the fingerprint matches the target allowance (564B) would not be as a result of a rogue script on a malicious site but rather would only occur in online transaction with the online location itself).
As illustrated in
At other times, when the user visits another site and the rogue script sends the found cookies 544 to an unwelcome location, the FMITM 300 may receive (i.e., intercept) the cookie and determine whether the requestor requesting the cookie is approved according to a policy to receive cookies (546C). If the requestor is not approved according to the policy to receive cookies (i.e., it is a rogue or malicious site stealing the cookie) (548C), the FMITM 300 may reject or remove the cookie from the data stream (518C). However, if the requestor is approved according to the policy to receive cookies (550C), the FMITM 300 may determine whether the requested cookie is allowed cross site access according to the policy (552C). If the cookie is not allowed cross site access (554C), the FMITM 300 may reject or remove the cookie from the data stream (518C). However, if the cookie is allowed cross site access (556C), the FMITM 300 may perform a lexical analysis of the cookie to determine state information associated with the cookie and make a cookie fingerprint (558C). The FMITM 300 then may determine whether the cookie fingerprint matches the target allowance according to the policy (560C). If the fingerprint does not match the target allowance according to the policy (i.e., the rogue or malicious script is executing on a valid site according to the policy to harvest additional information) (562C), the FMITM 300 may reject or remove the cookie from the data stream (518C). The condition in which the fingerprint does match the target allowance (564C) is a false condition and is prevented by the FMITM 300 (i.e., a condition in which the site is approved for cookies (550C), the cookie is allowed cross site access (556C), and the fingerprint matches the target allowance (564C) would not be as a result of a rogue script on a malicious site but rather would only occur in online transaction with the online location itself).
As illustrated in
At other times, when the user visits another site and the rogue script sends the found cookies 544 to an unwelcome location, the FMITM 300 may receive (i.e., intercept) the cookie and determine whether the site requesting the cookie is approved according to a policy to receive cookies (546D). If the site is not approved according to the policy to receive cookies (i.e., it is a rogue or malicious site stealing the cookie) (548D), the FMITM 300 may reject or remove the cookie from the data stream (518D). However, if the site is approved according to the policy to receive cookies (550D), the FMITM 300 may determine whether the requested cookie previously has been deleted (552D). If the cookie previously has been deleted (554D), the FMITM 300 may delete the cookie (517D) and then may reject or remove the cookie from the data stream (518D). However, if the cookie previously has not been deleted (556D), the FMITM 300 may perform a lexical analysis of the cookie to determine state information associated with the cookie and make a cookie fingerprint (558D). The FMITM 300 then may determine whether the cookie fingerprint matches the target allowance according to the policy (560D). If the fingerprint does not match the target allowance according to the policy (i.e., the rogue or malicious script is executing on a valid site according to the policy to harvest additional information) (562D), the FMITM 300 may reject or remove the cookie from the data stream (518D). The condition in which the fingerprint does match the target allowance (564D) is a false condition and is prevented by the FMITM 300 (i.e., a condition in which the site is approved for cookies (550D), the cookie previously has not been deleted (556D), and the fingerprint matches the target allowance (564D) would not be as a result of a rogue script on a malicious site but rather would only occur in online transaction with the online location itself).
The methods and apparatus of this invention may take the form, at least partially, of program code (i.e., instructions) embodied in tangible non-transitory media, such as floppy diskettes, CD-ROMs, hard drives, random access or read only-memory, or any other machine-readable storage medium. When the program code is loaded into and executed by a machine, such as the computer of
The logic for carrying out the method may be embodied as part of the aforementioned system, which is useful for carrying out a method described with reference to embodiments shown in, for example,
Although the foregoing invention has been described in some detail for purposes of clarity of understanding, it will be apparent that certain changes and modifications may be practiced within the scope of the appended claims. Accordingly, the present implementations are to be considered as illustrative and not restrictive, and the invention is not to be limited to the details given herein, but may be modified within the scope and equivalents of the appended claims.
In reading the above description, persons skilled in the art will realize that there are many apparent variations that can be applied to the methods and systems described. In the foregoing specification, the invention has been described with reference to specific exemplary embodiments thereof. It will, however, be evident that various modifications and changes may be made to the specific exemplary embodiments without departing from the broader spirit and scope of the invention as set forth in the appended claims. Accordingly, the specification and drawings are to be regarded in an illustrative rather than a restrictive sense.
Number | Name | Date | Kind |
---|---|---|---|
6085224 | Wagner | Jul 2000 | A |
6959420 | Mitchell et al. | Oct 2005 | B1 |
7562387 | Nguyen et al. | Jul 2009 | B2 |
7571322 | Karoubi | Aug 2009 | B2 |
7603356 | Schran et al. | Oct 2009 | B2 |
7614002 | Goldfeder et al. | Nov 2009 | B2 |
7730532 | Yeo | Jun 2010 | B1 |
8073853 | Schran et al. | Dec 2011 | B2 |
8090877 | Agarwal et al. | Jan 2012 | B2 |
8166406 | Goldfeder et al. | Apr 2012 | B1 |
8176163 | Fikes et al. | May 2012 | B1 |
8392977 | He et al. | Mar 2013 | B2 |
8484287 | Gavini et al. | Jul 2013 | B2 |
8561155 | He et al. | Oct 2013 | B2 |
8856869 | Brinskelle | Oct 2014 | B1 |
8949462 | Djabarov et al. | Feb 2015 | B1 |
8997076 | Djabarov et al. | Mar 2015 | B1 |
20020051541 | Glick et al. | May 2002 | A1 |
20020078192 | Kopsell et al. | Jun 2002 | A1 |
20020143770 | Schran et al. | Oct 2002 | A1 |
20020143861 | Greene et al. | Oct 2002 | A1 |
20030051157 | Nguyen et al. | Mar 2003 | A1 |
20030158889 | Massarani et al. | Aug 2003 | A1 |
20040006602 | Bess et al. | Jan 2004 | A1 |
20050257250 | Mitchell et al. | Nov 2005 | A1 |
20060075122 | Lindskog et al. | Apr 2006 | A1 |
20070300285 | Fee et al. | Dec 2007 | A1 |
20080034198 | He et al. | Feb 2008 | A1 |
20080034413 | He et al. | Feb 2008 | A1 |
20080034417 | He et al. | Feb 2008 | A1 |
20080263627 | Berteau et al. | Oct 2008 | A1 |
20090106349 | Harris | Apr 2009 | A1 |
20090193129 | Agarwal et al. | Jul 2009 | A1 |
20090199285 | Agarwal et al. | Aug 2009 | A1 |
20100023999 | Schran et al. | Jan 2010 | A1 |
20100043065 | Bray et al. | Feb 2010 | A1 |
20110126290 | Krishnamurthy et al. | May 2011 | A1 |
20110138174 | Aciicmez et al. | Jun 2011 | A1 |
20110154488 | Rajan et al. | Jun 2011 | A1 |
20110161172 | Lee | Jun 2011 | A1 |
20110191664 | Sheleheda et al. | Aug 2011 | A1 |
20110208850 | Sheleheda et al. | Aug 2011 | A1 |
20110320616 | Wray | Dec 2011 | A1 |
20120036178 | Gavini et al. | Feb 2012 | A1 |
20120042009 | Schran et al. | Feb 2012 | A1 |
20120054680 | Moonka et al. | Mar 2012 | A1 |
20120084151 | Kozak et al. | Apr 2012 | A1 |
20120084348 | Lee et al. | Apr 2012 | A1 |
20120096068 | Canning et al. | Apr 2012 | A1 |
20120173870 | Reddy et al. | Jul 2012 | A1 |
20120240050 | Goldfeder et al. | Sep 2012 | A1 |
20130167195 | Etchegoyen | Jun 2013 | A1 |
20130173815 | Canning et al. | Jul 2013 | A1 |
20140075553 | Hansen | Mar 2014 | A1 |