System, method, and computer program product for preventing access to data with respect to a data access attempt associated with a remote data sharing session

Information

  • Patent Grant
  • 11645404
  • Patent Number
    11,645,404
  • Date Filed
    Thursday, January 4, 2018
  • Date Issued
    Tuesday, May 9, 2023
Abstract
A system, method, and computer program product are provided for preventing access to data associated with a data access attempt. In use, a data access attempt associated with a remote data sharing session is identified. Further, access to the data is prevented.
Description
RELATED APPLICATIONS

This patent arises from a continuation of U.S. Patent application Ser. No. 14/289,859, now U.S. Pat. No. 10,198,587, which was filed on May 29, 2014, and is a continuation of U.S. Patent Application No. 11/850,432, which was filed on Sep. 5, 2007. U.S. Patent application Ser. No. 14/289,859 and U.S. Patent application Ser. No. 11/850,432 are hereby incorporated herein by reference in their entirety. Priority to U.S. Patent application Ser. No. 14/289,859 and U.S. Patent application No. 11/850,432 is hereby claimed.


TECHNICAL FIELD

The present invention relates to data loss prevention, and more particularly to preventing data loss by preventing access to data.


BACKGROUND ART

In the past, security systems have been developed for preventing data loss. For example, such data loss has generally included the unauthorized or otherwise unwanted disclosure of data (e.g. confidential data, etc.). However, security systems have exhibited various limitations in preventing data loss. For example, security systems have conventionally been deficient in preventing data loss due to remote data sharing.


There is thus a need for addressing these and/or other issues associated with the prior art.


SUMMARY

A system, method, and computer program product are provided for preventing access to data associated with a data access attempt. In use, a data access attempt associated with a remote data sharing session is identified. Further, access to the data is prevented.





BRIEF DESCRIPTION OF DRAWINGS


FIG. 1 illustrates a network architecture, in accordance with one embodiment.



FIG. 2 shows a representative hardware environment that may be associated with the servers and/or clients of FIG. 1, in accordance with one embodiment.



FIG. 3 shows a method for preventing access to data associated with a data access attempt, in accordance with one embodiment.



FIG. 4 shows a method for preventing access to a uniform resource locator (URL) associated with remote desktop sharing, in accordance with another embodiment.



FIG. 5 shows a method for preventing access to data based on an application that initiated a data access request, in accordance with yet another embodiment.



FIG. 6 shows a method for preventing access to data based on a fingerprint of the data, in accordance with still yet another embodiment.





DESCRIPTION OF EMBODIMENTS


FIG. 1 illustrates a network architecture 100, in accordance with one embodiment. As shown, a plurality of networks 102 is provided. In the context of the present network architecture 100, the networks 102 may each take any form including, but not limited to a local area network (LAN), a wireless network, a wide area network (WAN) such as the Internet, peer-to-peer network, etc.


Coupled to the networks 102 are servers 104 which are capable of communicating over the networks 102. Also coupled to the networks 102 and the servers 104 is a plurality of clients 106. Such servers 104 and/or clients 106 may each include a desktop computer, lap-top computer, hand-held computer, mobile phone, personal digital assistant (PDA), peripheral (e.g. printer, etc.), any component of a computer, and/or any other type of logic. In order to facilitate communication among the networks 102, at least one gateway 108 is optionally coupled therebetween.



FIG. 2 shows a representative hardware environment that may be associated with the servers 104 and/or clients 106 of FIG. 1, in accordance with one embodiment. Such figure illustrates a typical hardware configuration of a workstation in accordance with one embodiment having a central processing unit 210, such as a microprocessor, and a number of other units interconnected via a system bus 212.


The workstation shown in FIG. 2 includes a Random Access Memory (RAM) 214, Read Only Memory (ROM) 216, an I/O adapter 218 for connecting peripheral devices such as disk storage units 220 to the bus 212, a user interface adapter 222 for connecting a keyboard 224, a mouse 226, a speaker 228, a microphone 232, and/or other user interface devices such as a touch screen (not shown) to the bus 212, communication adapter 234 for connecting the workstation to a communication network 235 (e.g., a data processing network) and a display adapter 236 for connecting the bus 212 to a display device 238.


The workstation may have resident thereon any desired operating system. It will be appreciated that an embodiment may also be implemented on platforms and operating systems other than those mentioned. One embodiment may be written using JAVA, C, and/or C++ language, or other programming languages, along with an object oriented programming methodology. Object oriented programming (OOP) has become increasingly used to develop complex applications.


Of course, the various embodiments set forth herein may be implemented utilizing hardware, software, or any desired combination thereof. For that matter, any type of logic may be utilized which is capable of implementing the various functionality set forth herein.



FIG. 3 shows a method 300 for preventing access to data associated with a data access attempt, in accordance with one embodiment. As an option, the method 300 may be carried out in the context of the architecture and environment of FIGS. 1 and/or 2. Of course, however, the method 300 may be carried out in any desired environment.


As shown in operation 302, a data access attempt associated with a remote data sharing session is identified. In the context of the present description, the data may include information, code, and/or anything else capable of being associated with a remote data session. In various embodiments, the data may include any number of documents, electronic mail (email) messages, programs, uniform resource locators (URLs), etc. Additionally, the data may be stored on a client, a server, and/or any other device (e.g. such as any of the devices described above with respect to FIGS. 1 and/or 2, etc.).


To this end, the data access attempt may include any attempt associated with a remote data sharing session to access data. For example, the data access attempt may include a request to access the data. In other examples, the data access attempt may include an attempt to open the data, read the data, write to the data, copy the data, attach the data to other data (e.g. an email), display the data utilizing a liquid crystal display (LCD) projector, etc.


In the context of the present description, the remote data sharing session may include any session in which the data may be shared remotely, where the term remotely indicates the involvement of any device separate from the device on which the data is stored, etc. For example, the remote data sharing session may, in one embodiment, include a time period in which remote data sharing is enabled. As an option, the data may be shared remotely by viewing the data remotely, interacting with the data remotely, etc. In one embodiment, such remote data sharing may include any displaying, presenting, etc. of data located at a first location to a remote second location. Just by way of example, the remote data sharing may include sharing a desktop display with a remote computer, sharing the data with a projector (e.g. LCD projector, etc.) which projects the data, etc.


Moreover, the remote data sharing session may be associated with (e.g. facilitated by, etc.) a remote data sharing application. For example, the remote data sharing application may include a remote desktop application (e.g. Microsoft® Office Live Meeting, Citrix® GoToAssist®, etc.). Thus, the remote data sharing application may optionally be capable of sharing data remotely from a first device with a second device. As an option, the data access attempt may be associated with the remote data sharing session by being initiated via the remote data sharing session (e.g. via a command executed during the remote data sharing session). As another option, the data access attempt may include an attempt to access the remote data sharing session, the remote data sharing application associated with such session and/or any other aspect associated with the remote data sharing session.


To this end, the data access attempt may be initiated manually (e.g. by a user), in one embodiment. In another embodiment, the data access attempt may be initiated automatically (e.g. via an application, etc.). As described above, the data access attempt may also be initiated via the remote data sharing session.


Further, the data access attempt may be identified in any desired manner. In one embodiment, the data access attempt may be identified utilizing a client (e.g. on which the data is stored, etc.). In this way, the client may identify data access attempts initiated at the client. For example, the data access attempt may be identified utilizing an agent installed on the client, which monitors data access attempts.


As another example, the data access attempt may be identified utilizing a plug-in, add-in, etc. to an application (e.g. web browser, word processing application, data sharing application, etc.) associated with, installed on, etc. the client. As an option, such application may be the source of the data access attempt, an application utilized in accessing the data, an application utilized for sharing the data remotely, etc. Thus, each of a plurality of applications associated with the client may be associated with a separate plug-in, etc. As another option, the plug-in, etc. may be continuously active when the application is running (e.g. being executed).


In another embodiment, the data access attempt may be identified utilizing a gateway. For example, the gateway may identify the data access attempt based on network traffic received over a network (e.g. such as any of the networks described above with respect to FIG. 1). As an option, such gateway may similarly utilize an agent, plug-in, etc. for identifying the data access attempt.


As also shown, access to the data is prevented. Note operation 304. In the context of the present description, the access of operation 304 may include any access associated with (e.g. requested in conjunction with, etc.) the data access attempt. In various embodiments, the access may be prevented by blocking the access, disallowing the access, denying a request associated with the data access attempt, disallowing network traffic associated with the data access attempt, etc. Of course, however, the access to the data may be prevented in any desired manner.


In one embodiment, the access may be prevented, if it is determined that the data matches predetermined data. Such predetermined data may include known confidential data (e.g. data predetermined to be confidential, etc.). In another embodiment, the access may be prevented, if it is determined that a fingerprint (e.g. hash, etc.) of the data matches a predetermined fingerprint, such as a fingerprint of known confidential data, for example.


In yet another embodiment, the access may be prevented, if it is determined that a remote data sharing application associated with the remote data sharing session is predetermined to be disallowed from accessing the data. For example, a user may configure (e.g. predefine, etc.) remote data sharing applications allowed to and/or disallowed from accessing data. As an option, such remote data sharing applications may be predetermined with respect to each of a plurality of instances of different data, with respect to locations of data capable of being accessed, with respect to categories of data capable of being accessed (e.g. file types, etc.), and/or with respect to any data capable of being accessed.


In still yet another embodiment, the access may be prevented based on a determination of whether the remote data sharing session is enabled. For example, if the remote data sharing session is enabled, access to the data may be prevented. Of course, however, preventing access to the data may be based on any desired criteria.


To this end, such access to data may be prevented in any desired manner. In one embodiment, such access prevention may eliminate unwanted loss, disclosure, etc. of the data via the remote data sharing session. For example, preventing access to the data may prevent the data from being presented, displayed, etc. to a remote device utilizing remote data sharing techniques associated with the remote data sharing session. Accordingly, in addition to optionally educating users on potential data leakage via remote data sharing sessions, such data leakage may also be limited by preventing access to data when a data access attempt is associated with a remote data sharing session.


More illustrative information will now be set forth regarding various optional architectures and features with which the foregoing technique may or may not be implemented, per the desires of the user. It should be strongly noted that the following information is set forth for illustrative purposes and should not be construed as limiting in any manner. Any of the following features may be optionally incorporated with or without the exclusion of other features described.



FIG. 4 shows a method 400 for preventing access to a uniform resource locator (URL) associated with remote desktop sharing, in accordance with another embodiment. As an option, the method 400 may be carried out in the context of the architecture and environment of FIGS. 1-3. Of course, however, the method 400 may be carried out in any desired environment. It should also be noted that the aforementioned definitions may apply during the present description.


As shown in operation 402, it is determined whether a URL access request has been issued. In the context of the present embodiment, the URL access request may include a request to access content (e.g. web content, etc.) associated with a URL. In one embodiment, the URL access request may be issued via a web browser. For example, the URL access request may be issued based on a user selection of a web link on a web page displayed via the web browser, a user entry of the URL into the web browser, etc.


Further, the URL access request may be identified utilizing an agent installed on a client via which the URL access request is issued. In another embodiment, the URL access request may be identified utilizing a plug-in, add-in, etc. associated with the web browser via which the URL access request is issued. In yet another embodiment, the URL access request may be identified utilizing a plug-in, add-in, etc. associated with an application enabled for remotely sharing data. In still yet another embodiment, the URL access request may be identified utilizing an agent, plug-in, etc. installed on a gateway (e.g. via which the URL access request is communicated over a network, etc.).


In response to a determination that the URL access request has been issued, the URL is compared to known URLs associated with remote desktop sharing. Note operation 404. Such known URLs may include any URLs predetermined to be associated with remote desktop sharing. For example, the known URLs may include a location on a network of a remote desktop sharing application capable of being utilized for remotely sharing a desktop. Optionally, such known URLs may be predetermined based on a user configuration or based on an automatic configuration (e.g. web crawler, etc.).


In one embodiment, the known URLs may be stored in a library of known URLs. In another embodiment, the known URLs may be stored on the client via which the URL access request is initiated. In yet another embodiment, the known URLs may be stored at a central location (e.g. central server, etc.) capable of being accessed by the client and/or gateway. Optionally, the URL may be compared to the known URLs by comparing any portion or an entirety of the URL with any respective portion or entirety of the known URLs.


It is further determined whether the URL matches any of the known URLs, as shown in decision 406. To this end, such determination may be based on the comparison of the URL with the known URLs. If it is determined that the URL does not match any of the known URLs, access to the URL is allowed. Note operation 412. Such access may include the access requested by the URL access request. In one embodiment, content associated with the URL, such as a web page, may be allowed to be presented. In another embodiment, the URL access request may be allowed to be sent to a destination (e.g. web server, etc.) associated with the request.


If, however, it is determined that the URL matches one of the known URLs, access to the URL is prevented. Note operation 408. In one embodiment, content associated with the URL may be prevented from being presented. In another embodiment, the URL access request, such as network traffic associated with such URL access request, may be prevented from being communicated to the destination associated with the request. As an option, access to the URL may be prevented utilizing the agent, plug-in, etc. used for identifying the URL access request (as described above in operation 402).


Moreover, it is determined whether access to the URL is manually allowed, as shown in operation 410. In one embodiment, manually allowing access to the URL may include a user selecting (e.g. via a user interface) to allow the access. The user may include any user authorized to manually allow such access. For example, in response to preventing access to the URL (operation 408), a notification may be communicated to the user. Additionally, such notification may include an option capable of being selected by the user for manually allowing access to the URL.


In another embodiment, access to the URL may be manually allowed based on a predefined list of URLs to which access is allowed. For example, a user may configure a list of URLs associated with remote desktop sharing to which access is allowed. Thus, if the URL matches a URL in the predefined list of URLs to which access is allowed, access to the URL may be manually allowed.


In response to a determination that access to the URL is manually allowed, access to the URL is allowed, as shown in operation 412. To this end, access to a URL may be allowed automatically if the URL does not match known URLs associated with remote desktop sharing or manually as desired by a user. Still yet, it may be continuously determined whether access to the URL is manually allowed (e.g. for a predefined time period, etc.). In this way, access to the URL may optionally be allowed at any time after access to the URL is prevented.
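The decision flow of method 400 (operations 402-412), as an added example that is not code from the patent. The class and function names, the `.example` hosts and the choice to compare the parsed host on a label boundary plus a path prefix are assumptions made for illustration; the description only says that any portion or the entirety of the URL may be compared.

```python
import re
from urllib.parse import urlsplit

ALLOW, PREVENT = "allow", "prevent"
_HAS_SCHEME = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://")


def normalize(url):
    """Return (host, path); host is lowercased and has no trailing dot."""
    if not _HAS_SCHEME.match(url):
        url = "//" + url              # bare "host/path" as typed by a user
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").rstrip(".")
    except ValueError:                # malformed authority, e.g. bad brackets
        return "", "/"
    return host, parts.path or "/"


class RemoteSharingUrlPolicy:
    """Hypothetical agent/plug-in policy for URL access requests."""

    def __init__(self, known_urls, allowed_urls=()):
        # known_urls: (host, path_prefix) pairs predetermined to be
        # associated with remote desktop sharing (the "library of known URLs")
        self.known = [(host.lower(), prefix) for host, prefix in known_urls]
        # predefined list of URLs to which access is allowed (keyed by host)
        self.manually_allowed = {normalize(u)[0] for u in allowed_urls}

    def matches_known(self, url):
        """Operation 404 / decision 406: compare the URL to the known URLs."""
        host, path = normalize(url)
        for known_host, prefix in self.known:
            # Compare the parsed host, not the raw string, so a known host
            # appearing in a query string or as a suffix of another name
            # does not count as a match.
            on_host = host == known_host or host.endswith("." + known_host)
            if on_host and path.startswith(prefix):
                return True
        return False

    def allow_manually(self, url):
        """Operation 410: an authorized user chooses to allow the access."""
        self.manually_allowed.add(normalize(url)[0])

    def decide(self, url):
        if not self.matches_known(url):
            return ALLOW              # operation 412
        if normalize(url)[0] in self.manually_allowed:
            return ALLOW              # operation 410 leading to 412
        return PREVENT                # operation 408


# Constructed sample configuration; these hosts are placeholders.
SAMPLE_KNOWN = [("sharing.example", "/"), ("portal.example", "/remote/")]

if __name__ == "__main__":
    policy = RemoteSharingUrlPolicy(SAMPLE_KNOWN)
    for u in ("https://meet.sharing.example/join/123",
              "https://notsharing.example/join",
              "https://news.example/?next=https://sharing.example/join",
              "https://portal.example/docs"):
        print(policy.decide(u), u)
```
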



FIG. 5 shows a method 500 for preventing access to data based on an application that initiated a data access request, in accordance with yet another embodiment. As an option, the method 500 may be carried out in the context of the architecture and environment of FIGS. 1-4. Of course, however, the method 500 may be carried out in any desired environment. Again, it should also be noted that the aforementioned definitions may apply during the present description.


In decision 502, it is determined whether a data access request has been issued. In one embodiment, the data access request may include a request to access a document. Just by way of example, the data access request may include a request to open the document. As another example, the data access request may include a request to attach the data to an email, a document, etc.


In another embodiment, the data access request may be issued via an application program interface (API). In yet another embodiment, the data access request may be issued manually by a user, for example, by selecting to open the data. In still yet another embodiment, the data access request may be issued automatically (e.g. via an application requesting to access the data, etc.).


Further, the data access request may be identified utilizing an agent installed on a client via which the data access request is issued. In another embodiment, the data access request may be identified utilizing an agent installed on a gateway (e.g. via which the data access request is communicated over a network, etc.). Of course, however, the data access request may be identified in any manner.


In response to a determination that the data access request has been issued, it is determined whether the data is fingerprinted. Note decision 504. For example, a plurality of predetermined fingerprints may be stored in a database. Further, the database may store additional information with respect to the predetermined fingerprints. For example, the database may store identifiers of applications allowed to be utilized for accessing data associated with each of the predetermined fingerprints, disallowed for use in accessing such data, etc. As an option, the predetermined fingerprints and associated allowed/disallowed applications may be configured by a user.


Table 1 illustrates one example of a database capable of being utilized for storing predetermined fingerprints of data and identifiers of associated applications allowed to be utilized for accessing such data. In this way, the database may be utilized for associating each fingerprint with an application. It should be noted that the database is set forth for illustrative purposes only, and thus should not be construed as limiting in any manner.












TABLE 1

DATA FINGERPRINT    ALLOWED APPLICATION IDENTIFIER
FINGERPRINT_01      APPLICATION_01, APPLICATION_02
FINGERPRINT_02      APPLICATION_02
FINGERPRINT_03      APPLICATION_01










In the context of the present embodiment, such predetermined fingerprints may include fingerprints of various data that have been predefined. As an option, the predetermined fingerprints may indicate data which is at least potentially confidential (e.g. for which unauthorized disclosure is unwanted, etc.). Thus, a fingerprint of the data may be compared with the predetermined fingerprints in the database, such that a match may indicate that the data is fingerprinted.


In response to a determination that the data is fingerprinted, an application that initiated the data access request is identified, as shown in operation 506. Optionally, the application may include an application to be utilized for accessing the data. For example, the application may include an application capable of being utilized for displaying the data. As another option, identifying the application may include identifying a version of the application, identifying a name of the application, identifying a provider of the application, etc.


In one embodiment, the application may be identified based on the data access request. For example, the data access request may include an identifier of the application that issued the request (e.g. a source of the request, etc.). Of course, however, the application may be identified in any manner.


It is further determined whether the identified application is allowed to access the data, as shown in decision 508. In one embodiment, the predetermined fingerprint matching the fingerprint of the data may be identified in the database. Furthermore, application identifiers stored in the database in association with such identified predetermined fingerprint may be identified. Accordingly, the application that issued the data access request may be compared with the identified application identifiers, such that it may be determined whether any such identified application identifiers match the application that issued the data access request.


As an option, the application identifiers in the database associated with a fingerprint may indicate applications predetermined to be allowed to access data associated with the fingerprint. To this end, a match may indicate that the data is allowed to be accessed utilizing the identified application that issued the data access request. As another option, the application identifiers in the database associated with a fingerprint may indicate applications predetermined to be disallowed from accessing data associated with the fingerprint. Thus, a match may indicate that the data is not allowed to be accessed utilizing the identified application that issued the data access request.


In another embodiment, predetermined applications may be determined to be dedicated applications allowed to access any data. For example, such dedicated applications may be predetermined based on a user configuration. As an option, the dedicated applications may include the only applications allowed to access fingerprinted data.


In yet another embodiment, predetermined applications may be disallowed from being utilized during a remote data sharing session. For example, if it is determined that one of the predetermined applications is running, a remote data sharing session may be prevented from being enabled. As another example, if it is determined that a remote data sharing session is enabled, one of the predetermined applications may be prevented from being initiated.


If it is determined that the application that issued the data access request is allowed to access the data, access to the data is allowed. Note operation 510. Such access may include the access requested by the data access request. In one embodiment, the data may be allowed to be presented, displayed, attached, etc. In another embodiment, the data access request may be allowed to be sent to a destination (e.g. server, etc.) associated with the request.


If, however, it is determined that the application that issued the data access request is not allowed to access the data, access to the data may be prevented. Note operation 512. In one embodiment, the data may be prevented from being presented. In another embodiment, the data access request, such as network traffic associated with such data access request, may be prevented from being communicated to the destination associated with the request. As an option, access to the data may be prevented utilizing the agent used for identifying the data access request (as described above in operation 502). Just by way of example, in one embodiment, the data access request may include a request to display the data utilizing a projector, such that data loss may be prevented with respect to a public sharing session associated with an LCD projector, etc.


In this way, for each of a plurality of different fingerprints of various data, applications may be indicated as being allowed to access the data and/or disallowed from accessing the data. Thus, particular data may only be accessible via predefined applications, as desired. In one embodiment, such predefined applications may allow a single agent installed on a client, gateway, etc. to determine whether any of a plurality of different applications may be utilized for accessing data associated with a data access request.



FIG. 6 shows a method 600 for preventing access to data based on a fingerprint of the data, in accordance with still yet another embodiment. As an option, the method 600 may be carried out in the context of the architecture and environment of FIGS. 1-4. Of course, however, the method 600 may be carried out in any desired environment. Again, it should also be noted that the aforementioned definitions may apply during the present description.


As shown in decision 602, it is determined whether remote data sharing is enabled. In one embodiment, it may be determined whether the remote data sharing is enabled based on a determination of whether a remote data sharing application, or any associated processes, are executing. For example, an agent installed on a client may determine whether a remote data sharing application is executing on the client.


In response to a determination that the remote data sharing is enabled, it is determined whether a data access request has been issued, as shown in decision 604. In one embodiment, the data access request may be identified utilizing an agent installed on the client via which the data access request is issued. In another embodiment, the data access request may be identified utilizing a plug-in, add-in, etc. associated with an application via which the data access request is issued. In yet another embodiment, the data access request may be identified utilizing a plug-in, add-in, etc. associated with a remote data sharing application.


If a data access request has been issued, a fingerprint of the data is identified, as shown in operation 606. The fingerprint of the data may be identified by hashing the data, in one embodiment. In another embodiment, the fingerprint of the data may be identified by calculating a value of the data utilizing a predetermined algorithm.


Furthermore, as shown in decision 608, it is determined whether the identified fingerprint matches a known fingerprint. In the context of the present embodiment, the known fingerprint may include any predetermined fingerprint of data. For example, a database may store a plurality of predetermined fingerprints of data. Optionally, such database may be stored locally (e.g. on a client on which the data access request was issued), but of course may also be stored remotely (e.g. at a location central to a plurality of clients on a network). Moreover, the predetermined fingerprints may be of known confidential data.


To this end, determining whether the identified fingerprint matches a known fingerprint may include comparing the identified fingerprint to a plurality of known fingerprints. If it is determined that the fingerprint of the data does not match a known fingerprint (e.g. based on the comparison, etc.), access to the data may be allowed. Note operation 610. For example, the access may include the access requested by the issued data access request (in operation 604). If, however, it is determined that the fingerprint of the data matches a known fingerprint (e.g. based on the comparison, etc.), access to the data may be prevented. Note operation 612.


To this end, data may be prevented from being accessed based on a fingerprint of the data when a remote data sharing session is enabled. In another optional embodiment, if it is determined that the data is already opened prior to enablement of a remote data sharing session, such data may be closed in response to a request to initiate the remote data sharing session. Thus, data loss may be prevented based on various access requests, including, for example, a public sharing session where the data is displayed on an LCD projector, etc.
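The fingerprint checks of methods 500 and 600, built on the Table 1 layout, as an added example that is not code from the patent. SHA-256 as the hash, the sample documents, the process names and the "allow" result for data that is not fingerprinted or when no sharing session is running are assumptions; the description names no algorithm and leaves those branches open.

```python
import hashlib

ALLOW, PREVENT = "allow", "prevent"

# Constructed sample data standing in for the confidential items behind
# FINGERPRINT_01..03 in Table 1.
DOC_01 = b"Q3 acquisition plan (constructed sample)"
DOC_02 = b"Payroll export (constructed sample)"
DOC_03 = b"Customer contract draft (constructed sample)"


def fingerprint(data):
    """Operation 606: hash the data (SHA-256 is an assumption)."""
    return hashlib.sha256(data).hexdigest()


# Table 1: fingerprint -> identifiers of applications allowed to access it.
ALLOWED_APPS = {
    fingerprint(DOC_01): {"APPLICATION_01", "APPLICATION_02"},
    fingerprint(DOC_02): {"APPLICATION_02"},
    fingerprint(DOC_03): {"APPLICATION_01"},
}

# Hypothetical process names of remote data sharing applications.
SHARING_PROCESSES = {"sharing-agent.exe", "remote-viewer.exe"}


def sharing_enabled(running_processes):
    """Decision 602: is a remote data sharing application executing?"""
    return any(name.lower() in SHARING_PROCESSES for name in running_processes)


def decide_by_application(data, app_id, dedicated_apps=frozenset()):
    """Method 500: allow only applications listed for the data's fingerprint."""
    allowed = ALLOWED_APPS.get(fingerprint(data))
    if allowed is None:
        return ALLOW                  # decision 504: data is not fingerprinted
    if app_id in dedicated_apps:
        return ALLOW                  # dedicated application, any data
    # decision 508: compare the requesting application with the stored ones
    return ALLOW if app_id in allowed else PREVENT   # operations 510 / 512


def decide_during_sharing(data, running_processes):
    """Method 600: while sharing is enabled, block known fingerprints."""
    if not sharing_enabled(running_processes):
        return ALLOW                  # method 600 only acts during sharing
    if fingerprint(data) in ALLOWED_APPS:            # decision 608
        return PREVENT                # operation 612
    return ALLOW                      # operation 610


if __name__ == "__main__":
    print(decide_by_application(DOC_02, "APPLICATION_01"))        # prevent
    print(decide_during_sharing(DOC_01, ["remote-viewer.exe"]))   # prevent
```

An exact hash matches only byte-identical data: a copy of a fingerprinted document with a single changed byte produces a different fingerprint and takes the "no match" branch, so a deployment that relies on hashing alone covers unmodified copies only.
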


While various embodiments have been described above, it should be understood that they have been presented by way of example only, and not limitation. Thus, the breadth and scope of a preferred embodiment should not be limited by any of the above-described exemplary embodiments, but should be defined only in accordance with the following claims and their equivalents.

Claims
  • 1. An article of manufacture comprising instructions that, when executed, cause a machine to at least: detect a request to access data; hash the data to determine a first fingerprint of the data; compare the first fingerprint of the data to a second fingerprint from a plurality of fingerprints stored in a database in association with ones of a plurality of applications, the database to indicate that at least a first application of the plurality of the applications is authorized to access the data when the first fingerprint of the data matches the second fingerprint, the second fingerprint stored in association with the at least the first application; and determine whether to allow the request based on a comparison of: (a) a second application identifier of a second application that initiated the request and (b) a first application identifier of the at least the first application associated with the second fingerprint.
  • 2. The article of manufacture of claim 1, wherein the request includes the second identifier of the second application that initiated the request.
  • 3. The article of manufacture of claim 1, wherein the instructions are to cause the machine to determine whether the first fingerprint of the data matches the second fingerprint by: comparing the first fingerprint of the data with the plurality of the fingerprints.
  • 4. The article of manufacture of claim 1, wherein the database stores ones of the plurality of the fingerprints matching the first fingerprint in association with the first application and some of the ones of the plurality of the applications to indicate that the first application and the some of the ones of the plurality of the applications are allowed to access the data.
  • 5. The article of manufacture of claim 1, wherein the database stores ones of the plurality of the fingerprints in association with the first application and some of the ones of the plurality of the applications to indicate that the first application and the some of the ones of the plurality of the applications are not allowed to access the data.
  • 6. The article of manufacture of claim 1, wherein the database includes an identification of a dedicated application that is allowed to access any data.
  • 7. The article of manufacture of claim 1, wherein the instructions are to cause the machine to determine whether to allow the request by: determining whether a remote desktop sharing session is in operation; and preventing initiation of the second application responsive to the determination.
  • 8. An article of manufacture comprising instructions that, when executed, cause a machine to at least: determine whether remote data sharing is enabled; determine a first fingerprint of data to which access is requested, the determining of the first fingerprint of the data responsive to a determination that the remote data sharing is enabled, and the first fingerprint of the data determined by hashing the data; and determine whether to allow access to the data responsive to: (a) a first match of the first fingerprint with a second fingerprint and (b) a second match of a first application identifier with a second application identifier, the first application identifier corresponding to a first application that initiated the request, and the second application identifier stored in association with the second fingerprint.
  • 9. The article of manufacture of claim 8, wherein the instructions are to cause the machine to determine whether the remote data sharing is currently enabled by determining whether a remote data sharing application is executing.
  • 10. The article of manufacture of claim 8, wherein the instructions are to cause the machine to identify the first fingerprint of the data to which the access is requested by calculating a value of the data utilizing a predetermined algorithm.
  • 11. The article of manufacture of claim 8, wherein the instructions are to cause the machine to determine whether to allow access to the data by accessing the second fingerprint of the data in a database of fingerprints of data.
  • 12. The article of manufacture of claim 11, wherein the database is stored remotely to the machine.
  • 13. The article of manufacture of claim 8, wherein the instructions are further to cause the machine to close the data already opened prior to enablement of a remote desktop sharing session.
  • 14. A method for preventing data loss by determining whether to allow a request to access data, comprising: detecting, by a computer system, a request to access data; hashing the data to determine a first fingerprint of the data; comparing, by the computer system, the first fingerprint of the data to a second fingerprint from a plurality of fingerprints stored in a database in association with ones of a plurality of applications, the database to indicate that at least a first application of the plurality of the applications is authorized to access the data when the first fingerprint of the data matches the second fingerprint, the second fingerprint stored in association with the at least the first application; and determining, by the computer system, whether to allow the request based on a comparison of: (a) a second application identifier of a second application that initiated the request and (b) a first application identifier of the at least the first application associated with the second fingerprint.
  • 15. The method of claim 14, wherein the determining, by the computer system, of whether the first fingerprint of the data matches the second fingerprint includes: comparing the first fingerprint of the data with the plurality of the fingerprints.
  • 16. The method of claim 14, wherein the determining, by the computer system, of whether to allow the request includes: determining whether the request to access to the data is by a dedicated application allowed to access any data.
  • 17. A method for preventing data loss by determining whether to allow access to data, comprising: determining, by a computer system, whether remote data sharing is enabled; determining, by the computer system, a first fingerprint of data to which access is requested, the determining of the first fingerprint of the data responsive to a determination that the remote data sharing is enabled, and the first fingerprint of the data determined by hashing the data; and determining, by the computer system, whether to allow access to the data responsive to: (a) a first match of the first fingerprint with a second fingerprint and (b) a second match of a first application identifier with a second application identifier, the first application identifier corresponding to a first application that initiated the request, and the second application identifier stored in association with the second fingerprint.
  • 18. The method of claim 17, wherein the determining, by the computer system, of whether to allow the access to the data includes looking up the first fingerprint of the data in a database of fingerprints of data stored remotely to the computer system.
  • 19. The method of claim 17, further including: determining, by the computer system, that the data was opened prior to enablement of the remote data sharing session; and closing, by the computer system, the data in response to a request to initiate the remote data sharing session.
Related Publications (1)
Number Date Country
20180129818 A1 May 2018 US
Continuations (2)
Number Date Country
Parent 14289859 May 2014 US
Child 15862493 US
Parent 11850432 Sep 2007 US
Child 14289859 US