Patent Issued for Identifying Sensitive Data On Computer Networks (USPTO 10,440,050)

2019 OCT 17 (NewsRx) -- By a News Reporter-Staff News Editor at Insurance Daily News -- United Services Automobile Association (San Antonio, Texas, United States) has been issued patent number 10,440,050, according to news reporting originating out of Alexandria, Virginia, by NewsRx editors.

The patent’s inventors are Neel, Robert Jason (Boerne, TX); Wright, Jordan Matthew (San Antonio, TX).

This patent was filed on January 27, 2017 and was published online on October 21, 2019.

From the background information supplied by the inventors, news correspondents obtained the following quote: “Enterprises generate and maintain sensitive data. As an example, enterprises generate and maintain data regarding its users’ personal information and/or accounts (e.g., personally identifiable information, contact information, login credentials, account information, and so forth). In some cases, unauthorized third-parties (e.g., hackers) infiltrate enterprise systems to access and steal user information. As this data can be used for malicious purposes by unauthorized third-parties, it is important to protect this data from theft. In some instances, such theft may occur despite security measures.

“In some cases, sensitive data can be shared by unauthorized third-parties over a publically accessible computer system (e.g., a publically accessible website). As an example, sensitive data is often shared on ‘paste’ sites (also called ‘pastebins’) or online forum sites that allow users to anonymously store and publish data on the Internet. When sensitive information is publically distributed in this manner, enterprises and/or users may be unaware of the publication of the sensitive information.”

Supplementing the background information on this patent, NewsRx reporters also obtained the inventors’ summary information for this patent: “Implementations of the present disclosure are generally directed to determining when sensitive information has been published to a network (e.g., the Internet), and alerting any affected users.

“In general, in an aspect, a computer-implemented method can be performed to identify the publication of sensitive data and/or malware to a third-party site. According to the method, at least one processor retrieves data items stored on a computer system over a network, the computer system hosting a third-party site, to which the data items are published. The at least one processor stores the data items in local, computer-readable memory, and processes the data items stored in the local, computer-readable memory based on at least one search criteria. The at least one processor determines that at least one of the data items satisfies the at least one search criteria, and in response, provides an alert identifying the at least one data items.

“Implementations of this aspect can include one or more of the following features.

“In some implementations, the third-party site can be a paste site, and the data items can be paste items published on the paste site.

“In some implementations, one or more of the search criteria can correspond to personally identifiable information, contact information, login credentials, and/or account information associated with one or more users and/or enterprises.

“In some implementations, one or more of the search criteria can correspond to e-mail addresses, mailing addresses, telephone numbers, account numbers, and/or passwords associated with one or more users and/or enterprises.

“In some implementations, one or more of the search criteria can correspond to malicious software or computer code.

“In some implementations, the search criteria can include one or more regular expressions.

“In some implementations, the method can further include monitoring, by the at least one processor, the computing system for newly published data items. The method can further include determining, by the at least one processor, that a data item has been published by the computing system, and in response, retrieving the published data item.

“In some implementations, providing the alert identifying the at least one data items can include: identifying one or more users and/or enterprises associated with information contained within the at least one data items, and transmitting the alert to one or more devices associated with the one or more users and/or enterprises. Identifying one or more users and/or enterprises associated with information contained within the at least one data items can include: obtaining a database including information pertaining to the one or more users and/or enterprises, determining that the information contained within the at least one data item corresponds to information pertaining to a particular user or enterprise, and in response, transmitting the alert to a device associated with that user or enterprise.

“In general, in another aspect, a computer-implemented method can be performed to identify publication of malicious software or code. At least one processor retrieves data items stored on a computer system over a network, the computer system hosting a third-party site, to which the data items are published. The at least one processor determines that at least one of the data items includes encoded executable data, and in response, decodes the encoded executable data. The at least one processor analyzes the decoded executable data in a sandboxed software testing environment.

“Implementations of this aspect can include one or more of the following features.

“In some implementations, analyzing the decoded executable data in the sandboxed software testing environment can include executing the encoded executable data in the sandboxed software testing environment.

“In some implementations, analyzing the decoded executable data in the sandboxed software testing environment can further include identifying an effect of executing the encoded executable data. The effect can include deleting or revising particular data within the sandboxed software testing environment, and/or attempting to contact a particular third-party computer system.

“In some implementations, the method can further include providing an alert identifying the effect.

“In some implementations, the encoded executable data can be encoded in base64.

“In some implementations, the third-party site can be a paste site, and the data items can be paste items published on the paste site.

“In some implementations, the method can further include processing, by the at least one processor, data items stored in the local, computer-readable memory based on at least one search criteria. One or more of the search criteria can correspond to malicious software or computer code.

“In some implementations, the method can further include monitoring, by the at least one processor, the computing system for newly published data items. The method can further include determining, by the at least one processor, that a data item has been published by the computing system, and in response, retrieving the published data item.

“One or more of the implementations described herein can provide various benefits. For example, one or more implementations can allow users to identify sensitive information that has been publically distributed by a third-party computer system over a computer network (e.g., the Internet), and take an appropriate action in response. This is beneficial, for example, as it facilitates timely action to reduce the negative effects of the comprised data. Further, implementations allow a user to identify sensitive information in a manner that masks the user’s identity from the owners or operators of the third-party computer system. Thus, data can be analyzed in a manner that reduces the likelihood of adverse action by the owner or operator of the third-party computer system.

“The details of one or more implementations are set forth in the accompanying drawings and the description below. Other features and advantages will be apparent from the description and drawings, and from the claims.”

The claims supplied by the inventors are:

“What is claimed is:

“1. A computer-implemented method for identifying publication of malicious software or code, the method comprising: retrieving, by at least one processor, data items stored on a computer system over a network, the computer system hosting a third-party site, to which the data items are published; determining, by the at least one processor, that at least one of the data items comprises executable binary data encoded in plain text, wherein determining that at least one of the data items comprises executable binary data encoded in plain text comprises identifying, in at least one of the data items, one or more patterns of text that are indicative of a header found in encoded executable binary files; in response to determining that at least one of the data items comprises executable binary data encoded in plain text, transforming the executable binary data encoded in plain text into an executable binary file; and analyzing the executable binary file in a sandboxed software testing environment.

“2. The method of claim 1, wherein analyzing the executable binary file in the sandboxed software testing environment comprises executing the executable binary file in the sandboxed software testing environment.

“3. The method of claim 1, wherein analyzing the executable binary file in the sandboxed software testing environment further comprises identifying an effect of executing the executable binary file.

“4. The method of claim 3, wherein the effect comprises deleting or revising particular data within the sandboxed software testing environment, and/or attempting to contact a particular third-party computer system.

“5. The method of claim 3, further comprising providing an alert identifying the effect.

“6. The method of claim 1, wherein the executable binary data is encoded in base64.

“7. The method of claim 1, wherein the third-party site is a paste site, and wherein the data items are paste items published on the paste site in plain text.

“8. The method claim 1, further comprising processing, by the at least one processor, the data items stored in the local, computer-readable memory based on at least one search criteria, wherein one or more of the search criteria corresponds to a string of plain text indicative of malicious software or computer code.

“9. The method of claim 1, further comprising monitoring, by the at least one processor, the computing system for newly published data items.

“10. The method of claim 9, further comprising determining, by the at least one processor, that a data item has been published by the computing system, and in response, retrieving the published data item.

“11. A non-transitory computer-readable medium including one or more sequences of instructions which, when executed by one or more processors, causes: retrieving, by the one or more processors, data items stored on a computer system over a network, the computer system hosting a third-party site, to which the data items are published; determining, by the one or more processors, that at least one of the data items comprises executable binary data encoded in plain text, wherein determining that at least one of the data items comprises executable binary data encoded in plain text comprises identifying, in at least one of the data items, one or more patterns of text that are indicative of a header found in encoded executable binary files; in response to determining that at least one of the data items comprises executable binary data encoded in plain text, transforming the executable binary data encoded in plain text into an executable binary file; and analyzing the executable binary file in a sandboxed software testing environment.

“12. The non-transitory computer-readable medium of claim 11, wherein analyzing the executable binary file in the sandboxed software testing environment comprises executing the executable binary file in the sandboxed software testing environment.

“13. The non-transitory computer-readable medium of claim 11, wherein analyzing the executable binary file in the sandboxed software testing environment further comprises identifying an effect of executing the executable binary file.

“14. The non-transitory computer-readable medium of claim 13, wherein the effect comprises deleting or revising particular data within the sandboxed software testing environment, and/or attempting to contact a particular third-party computer system.

“15. The non-transitory computer-readable medium of claim 13, wherein the one or more sequences of instructions, when executed by one or more processors, further causes: providing an alert identifying the effect.

“16. The non-transitory computer-readable medium of claim 11, wherein the executable binary data is encoded in base64.

“17. The non-transitory computer-readable medium of claim 11, wherein the third-party site is a paste site, and wherein the data items are paste items published on the paste site in plain text.

“18. The non-transitory computer-readable medium of claim 11, wherein the one or more sequences of instructions, when executed by one or more processors, further causes: processing, by the one or more processors, the data items stored in the local, computer-readable memory based on at least one search criteria, wherein one or more of the search criteria corresponds to a string of plain text indicative of malicious software or computer code.

“19. The non-transitory computer-readable medium of claim 11, wherein the one or more sequences of instructions, when executed by one or more processors, further causes: monitoring, by the one or more processors, the computing system for newly published data items.

“20. The non-transitory computer-readable medium of claim 19, wherein the one or more sequences of instructions, when executed by one or more processors, further causes: determining, by the one or more processors, that a data item has been published by the computing system, and in response, retrieving the published data item.

“21. A system comprising: one or more processors; and a non-transitory computer-readable medium including one or more sequences of instructions which, when executed by the one or more processors, causes: retrieving, by the one or more processors, data items stored on a computer system over a network, the computer system hosting a third-party site, to which the data items are published; determining, by the one or more processors, that at least one of the data items comprises executable binary data encoded in plain text, wherein determining that at least one of the data items comprises executable binary data encoded in plain text comprises identifying, in at least one of the data items, one or more patterns of text that are indicative of a header found in encoded executable binary files; in response to determining that at least one of the data items comprises executable binary data encoded in plain text, transforming the executable binary data encoded in plain text into an executable binary file; and analyzing the executable binary file in a sandboxed software testing environment.

“22. The system of claim 21, wherein analyzing the executable binary file in the sandboxed software testing environment comprises executing the executable binary file in the sandboxed software testing environment.

“23. The system of claim 21, wherein analyzing the executable binary file in the sandboxed software testing environment further comprises identifying an effect of executing the executable binary file.

“24. The system of claim 23, wherein the effect comprises deleting or revising particular data within the sandboxed software testing environment, and/or attempting to contact a particular third-party computer system.

“25. The system of claim 23, wherein the one or more sequences of instructions, when executed by one or more processors, further causes: providing an alert identifying the effect.

“26. The system of claim 21, wherein the executable binary data is encoded in base64.

“27. The system of claim 21, wherein the third-party site is a paste site, and wherein the data items are paste items published on the paste site in plain text.

“28. The system of claim 21, wherein the one or more sequences of instructions, when executed by one or more processors, further causes: processing, by the one or more processors, the data items stored in the local, computer-readable memory based on at least one search criteria, wherein one or more of the search criteria corresponds to a string of plain text indicative of malicious software or computer code.

“29. The system of claim 21, wherein the one or more sequences of instructions, when executed by one or more processors, further causes: monitoring, by the one or more processors, the computing system for newly published data items.

“30. The system of claim 29, wherein the one or more sequences of instructions, when executed by one or more processors, further causes: determining, by the one or more processors, that a data item has been published by the computing system, and in response, retrieving the published data item.”

For the URL and additional information on this patent, see: Neel, Robert Jason; Wright, Jordan Matthew. Identifying Sensitive Data On Computer Networks. U.S. Patent Number 10,440,050, filed January 27, 2017, and published online on October 21, 2019. Patent URL: http://patft.uspto.gov/netacgi/nph-Parser?Sect1=PTO1&Sect2=HITOFF&d=PALL&p=1&u=%2Fnetahtml%2FPTO%2Fsrchnum.htm&r=1&f=G&l=50&s1=10,440,050.PN.&OS=PN/10,440,050RS=PN/10,440,050

(Our reports deliver fact-based news of research and discoveries from around the world.)