US007886359B2 (12) United States Patent (10) Patent N0.: US 7,886,359 B2 Jones et a]. (45) Date of Patent: Feb. 8, 2011 (54) METHOD AND APPARATUS TO REPORT (52) US. Cl. ....................... .. 726/26; 707/758; 707/781; POLICY VIOLATIONS IN MESSAGES 707/783 (58) Field of Classi?cation Search ................... .. 707/6, (75) Inventors: Chris Jones, San Francisco, CA (US); 707/758, 785, 781, 783; 726/26 Hai Chen, Belmont, CA (US); Joseph See application ?le for complete search history. Ansanelli, San Francisco, CA (US); (56) References Cited Michael R. Wolfe, San Francisco, CA (US); Kevin T. RoWney, San Francisco, U.S. PATENT DOCUMENTS CA (US) 4,858,152 A 8/1989 Estes (73) Assignee: Symantec Corporation, Mountain View 5,212,821 A * 5/1993 Gorin et a1. ................. .. 706/20 5,379,391 A 1/1995 Belsan et a1. 5,384,892 A * 1/1995 Strong ...................... .. 704/243 (*) Notice: Subject to any disclaimer, the term of this patent is extended or adjusted under 35 (Continued) U.S.C. 154(b) by 583 days. FOREIGN PATENT DOCUMENTS (21) Appl. N0.: 10/s92,9s2 CA 2 499 508 4/2004 (Continued) (22) Filed: Jul. 15, 2004 OTHER PUBLICATIONS (65) Prior Publication Data PCT Search Report PCT /US03/30178 dated Mar. 11,2004, 5 pages. US 2005/0027723 A1 Feb. 3, 2005 (Continued) Related US. Application Data Primary Examinerilohn R. Cottingham (63) Continuation-in-part of application No. 10/ 833,538, Assistant ExamineriMariela D Reyes ?led on Apr. 27, 2004, noW Pat. No. 7,472,114, Which (74) Attorney, Agent, or FirmiBlakely, Sokoloff, Taylor & is a continuation-in-part of application No. 10/607, Zafman LLP 718, ?led on Jun. 27, 2003, Which is a continuation in-part ofapplication No. 10/431,145, ?led on May 6, (57) ABSTRACT 2003, noW Pat. No. 7,673,344, Which is a continuation A method and apparatus for reporting policy Violations in in-part of application No. 10/ 247,002, ?led on Sep. 18, 2002. messages is described. In one embodiment, a Violation is identi?ed by detecting fragments in a message that match (51) Int. Cl. information from any one or more roWs Within a tabular G06F 7/04 (2006.01) structure of source data. The fragments that match this infor G06F 1 7/30 (2006.01) mation are then speci?ed as part of reporting the Violation. G06F 7/00 (2006.01) H04N 7/16 (2006.01) 49 Claims, 19 Drawing Sheets 202 RECEIVE USER INPUT DEFINE, BASED ON USER INPUT, A SET OF POLICIES 2B4 FOR DETECTING VIOLATIONS IN INFORMATION N CONTENT 206 INDEX SOURCE DATA DEPLOV THE INDEX TO LOCATIONS MONITORING INFORMATION CONTENT DEPLDY THE SET OF POLICIES TO LOCATIONS MONITORING INFORMATION CONTENT MONITOR INFORMATION CONTENT 214 VIOLATION DETECTED" REPORT DETECTED POLICY VIOLATION US 7,886,359 B2 Page 2 US. PATENT DOCUMENTS 2005/0182765 A1 8/2005 Liddy 2005/0216771 A1 9/2005 Malcolm 5,577,249 A 11/ 1996 Califono 2006/0005247 A1 1/2006 Zhang et a1. 5739391 A 4/1998 Ruppol or 91- 2006/0184549 A1 8/2006 Rowney et al. 5796948 A 8/1998 Cohen 2006/0224589 A1 10/2006 Rowney et al. 5,832,212 A 11/1998 Cragun or 91 2007/0130255 A1 6/2007 WolovitZ et al. 5,835,722 A 11/1998 Bradshaw or 91- 2008/0066150 A1 3/2008 Lim et al. 5,883,588 A 3/1999 Okamura 5,884,033 A 3/1999 Duvall et al. 5,892,905 A 4/ 1999 Brandt et al. FOREIGN PATENT DOCUMENTS 5,958,015 A 9/1999 Dascalu CA 2 597 083 g/2006 5,960,080 A 9/1999 Fahlman et al. GB 2 343 030 A 4/2()()() 5,996,011 A 11/1999 Humes GB 2466367 A 6/2010 6,047,283 A 4/2000 Braun JP 2005-539334 12/2005 6,055,538 A * 4/2000 Kessenich et al. ......... .. 707/101 JP 2008.171 101 7/2008 6,065,056 A 5/2000 Bradshaw et al. JP 2008537195 9/2008 6,073,142 A 6/2000 Geiger et al. W0 WO2004/027653 4/2004 6,138,168 A 10/2000 Kelly et al. W0 WO2006/0gg952 g/2006 6,233,618 B1 5/2001 Shannon 6,314,190 B1 11/2001 Zimmermann 6,321,224 B1 11/ 2001 Beall et al. OTHER PUBLICATIONS 6,347,374 B1 2/2002 Drake et a1~ Alonso, Omar, et al, Oracle Secure Enterprise Search 10g, An Oracle 6,360,215 B1 3/2002 Judd et 31' Technical White Patper, Mar. 2006, 21 pages. 6,374,241 B1 4/2002 Lambun AtteneX, AtteneX Patterns Suite, http://www.atteneX.com/ 6,396,513 B1 5/2002 Helfman et 31' productsiservices/attenexipatternsisuite.aspX, Downloaded Feb. 6,442,607 B1 8/2002 Korn et al. 20, 2008, 2 pages‘ 6,442,686 B1 * 8/2002 Mc-Ardle et al. .......... .. 713/151 Autonomy, Autonomy Group product Overview, http?/www‘aw 6’453’338 Bl 9/2002 Shlono tonomy.com/content/products/indeX.en.html, Downloaded Feb. 20, 6,507,846 B1 1/2003 Consens 2008, 2 pages‘ 6’604’l4l Bl 8/2003 Ventura Autonomy, Security, http://www.autonomy.com/content/Technol 6’6l8’725 B1 9/2003 Fukuda et 31' ogy/TechnologyiBene?ts/security, Feb. 20, 2008, 2 pages. 6,636,838 B1* 10/2003 Per.l man et al. ............. .. 705/51 Au tonomy, Technology overv1. ew, http‘ .//www.autonomy.com/con _ 6’639’6l5 Bl 10/2003 Majumdar tent/Technmology/indeX.en.htrnl Downloaded Feb. 20 2008 2 6,714,936 B1 3/2004 Nevin, III pages‘ ’ ’ ’ 6’732’087 Bl 5/2004 Hughes et 31' Autonomy, Limitations of Other Approaches, http://www.autonomy. 6,768,986 B2 7/2004 Cras et al. . . . 6 769 032 B 1 70004 Kati M et a1‘ com/content/Technology/L1m1tat1onsiOtheriApproaches, Down ’ ’ y loaded Feb. 20 2008 2 a es. 6,778,979 B2 8/2004 Grefenstette et al. ’ ’ P g . . 6,779,120 B1 8/2004 Valente et a1‘ Buchta, Stefan, Oracle Secure Enterpr1se SearchVers1on 10.1.8.2, An 6,829,613 B1 * 12/2004 Liddy ........................ .. 707/10 Oracle Techmcal Wh‘te Paper’ Oct‘ 2007.’ 30 Pages‘ 6,829,635 B1 0/2004 Townshend Clearwell Systems, The Clearwell E-DISCOVGI'Y Platform®, http:// 6,871,284 B2 300% Cooper et a1‘ www.clearwellsystems.com/products/e-d1scovery-platform, Down 6,941,466 B2 9/2005 Mastrianni loaded Feb 20’ 2008 2 Pages' _ _ 6,965,886 B2 110005 Govrin et a1‘ Clearwell Systems, The Clearwell E-Dlscovery Platform: Analys1s, 6,983,186 B2 V2006 Navani et a1‘ http://www.clearwellsystems.corn/products/e-d1scovery-analys1s. php, Downloaded Feb. 20, 2008, 1 page. glfggrjteilél' Clearwell Systems, The Clearwell E-Discovery Platform: Case Man 7,146,402 B2 0/2006 Kucherawy agement, http://www.clearwellsystems.com/products/e-discovery 7 162 738 B2 1/2007 Dickinson III et a1‘ case-management, Downloaded Feb. 20, 2008 2 pages. 731913252 B2 3/2007 Redlich etaal‘ Clearwell Systems The Clearwell E-Discovery Platform: Processing, 7,222,158 B2 5/2007 Wexelblat http://www.clearwellsystems.corn/products/e-discovery-process 7,237,008 B1 6/2007 Tarbotton et al. ingPhP, Downloaded Feb 20, 2008, 2 Pages 7,249,175 B1 7/2007 Donaldson Clearwell Systems The Clearwell E-Discovery Platform: Review, 7,320,004 B1 1/200g DeLuca et a1, http://www.clearwellsystems.com/products/e-discovery-review. 7,472,114 B1 12/2008 Rowney et al. php, Downloaded Feb 20, 2008 2 P9899 7,516,492 B1 4/ 2009 Nisbet et a1, Clearwell Systems The Clearwell E-Discovery Platform: Search 2001/0037324 A1 1 1 /2()() 1 Agrawal et a1, &Cull-Down, http://www.clearwellsystems.com/products/e-discov 2002/0010679 A1 1/2002 Felsher ery-search-cull.php, Downloaded Feb. 20, 2008 1 page. 2002/0069098 A1 * 6/2002 Schmidt ...................... .. 705/7 Dale, et al., “Programming and Problem Solving with C++,” 2002, 2002/0073313 A1 6/2002 Brown et al. Jones and Bartlett Publishers, 3rd Edition, pp. 653-662. 2002/0093676 A1 7/2002 Parry Deitel, et al., “C++-How to Program,” 2001, Prentice Hall, 3rd Edi 2002/0129140 A1 9/2002 Peled et al. tion, pp. 273-279. 2002/ 0138579 A1 * 9/ 2002 Goldberg .................. .. 709/206 Fast, Fast ESP Revitalizing your search experience with intelligent, 2002/0178228 A1 * 11/2002 Goldberg .................. .. 709/206 user-centric search, 2007, Fast Search & Transfer ASA. , 6 pages. 2002/0198766 A1 12/2002 MagIiIIO et 61. Google, Google Search Appliance, http://www.google.com/enter 2002/0199095 A1 12/2002 Bandl-Ili et a1~ prise/gsa/, Downloaded, Feb. 20, 2008, 2 pages. 2003/0051026 A1 3/2003 Carter et a1~ Guidance Software, EnCase® eDiscovery Suite, http://www. 2003/0093518 A1 * 5/2003 Hiraga ...................... .. 709/224 guidancesoftware,Com/products/edjscoveryiindex,35px, Down. 2004/0039991 A1 2/2004 HOpklIlS 61 ill. loaded Feb, 20, 2008, 2 pages, 2004/0225645 A1 11/2004 RoWney et a1~ Kaufman, et al., “Network Security-Private Communication in a 2005/0060537 A1 3/2005 Stamos et al. Public World,” 1995, Prentice, Hall PTR, p. 80. 2005/0086252 A1 4/2005 Jones et a1. Koch, et al., “Oracle8-The Complete Reference,” 1997, Osborn 2005/0138110 A1 6/2005 Redlich et al. McGraw-Hill, pp. 9-7 and 51-62. US 7,886,359 B2 Page 3 Krishnaprasad, Muralidhar, et al, Oracle Searching Enterprise Appli Of?ce Action for US. Appl. No. 10/607,718 mailed Jul. 3, 2008. cations (Siebel 7.8 and E-Business Suite 11i) With Oracle Secure Notice of for US. Appl. No. 10/833,538 mailed Aug. 6,2008. Enterprise Search 10.1.8, An Oracle White Paper, Jan. 2007, 25 Of?ce Action for US. Appl. No. 10/892,615 mailed Dec. 5, 2008. pages. Of?ce Action for US. Appl. No. 11/057,988 mailed Aug. 18,2008. Oracle Secure Enterprise Search 10G, Mar. 2006, 8 pages. Of?ce Action for US. Appl. No. 11/058,551 mailed Sep. 9, 2008. Oracle8TM Tuning, Release 8.0, Dec. 1997, Oracle®. PCT Search Report PCT /US06/5317 dated Jul. 24, 2006, 5 pages. ZantaZ, Enterprise Archive Solution (EAS) Product family, (Cisco) A Report From Ironport Systems , “Data Loss Prevention Datasheet, 4 pages. Best PracticesiManaging Sensitive Data in the Enterprise”, 2007, Of?ce Action for US. Appl. No. 10/247,002 mailed Mar. 3, 2006. 21 pages. Of?ce Action for US. Appl .No. 10/247,002 mailed Aug. 21,2006. Of?ce Action for US. Appl. No . 10/607,718 mailed May 1, 2009. Of?ce Action for US. Appl .No. 10/247,002 mailed Jan. 23, 2007. Of?ce Action for US. Appl. No . 11/057,988 mailed Jan. 28, 2009. Of?ce Action for US. Appl .No. 10/247,002 mailed Sep. 17, 2007. Of?ce Action for US. Appl. No . 11/058,551 mailed Mar. 20,2009. Of?ce Action for US. Appl .No. 10/247,002 mailed Dec. 12, 2007. Of?ce Action for US. Appl. No . 10/247,002 mailed May 21, 2009. Of?ce Action for US. Appl .No. 10/431,145 mailed Oct. 23, 2006. Notice of Allowance for US. Appl. No. 10/431,145 mailed Jun. 5, Of?ce Action for US. Appl .No . 10/431,145 mailed Jul. 26, 2007. 2009. Of?ce Action for US. Appl .No. 10/431,145 mailed Feb. 25, 2008. Of?ce Action for US. Appl. No. 10/892,615 mailed May 12,2009. Of?ce Action for US. Appl .No . 10/607,718 mailed Feb. 10, 2006. Of?ce Action for US. Appl. No. 11/057,988 mailed Jul. 10,2009. Of?ce Action for US. Appl .No. 10/607,718 mailed Jun. 28, 2006. Of?ce Action for US. Appl. No. 11/058,551 mailed Sep. 11,2009. Of?ce Action for US. Appl .No . 10/607,718 mailed Nov. 15, 2006. Of?ce Action for US. Appl. No. 10/247,002 mailed Dec. 31, 2009. Of?ce Action for US. Appl .No. 10/607,718 mailed Jul. 10, 2007. Of?ce Action for US. Appl. No. 10/607,718 mailed Nov. 9, 2009. Of?ce Action for US. Appl .No . 10/607,718 mailed Jan. 8, 2008. Of?ce Action for US. Appl. No. 11/057,988 mailed Mar. 18,2010. Of?ce Action for US. Appl .No. 10/833,538 mailed Oct. 31, 2006. Of?ce Action for US. Appl. No. 11/058,551 mailed Mar. 8,2010. Of?ce Action for US. Appl . 10/833,538 mailed Jul. 23, 2007. GB0921722.5 Search Report dated Mar. 26, 2010, 1 page. Of?ce Action for US. Appl. No. 10/833,538 mailed Feb. 14, 2008. Of?ce Action for US. Appl. No. 10/607,718 mailed Nov. 14, 2008. Of?ce Action for US. Appl. No. 10/892,615 mailed Apr. 27, 2007. Of?ce Action for US. Appl. No. 10/607,718 mailed Apr. 12, 2010. Of?ce Action for US. Appl. No. 10/892,615 mailed Dec. 12, 2007. Of?ce Action for US. Appl. No. 10/607,718 mailed Aug. 17,2010. Of?ce Action for US. Appl. No. 10/892,615 mailed Apr. 21, 2008. Of?ce Action for US. Appl. No. 10/892,615 mailed Mar. 24, 2010. Of?ce Action for US. Appl. No. 10/247,002 mailed Jun. 18, 2008. Advisory Action for US. Appl. No. 10/892,615 mailed Jul. 2, 2010. Of?ce Action for US. Appl. No. 10/247,002 mailed Nov. 25, 2008. Of?ce Action for US. Appl. No. 11/058,551 mailed Aug. 2, 2010. Notice ofAlloWance for US. Appl. No. 10/431,145 mailed Aug. 20, 2008. * cited by examiner US. Patent Feb. 8, 2011 Sheet 1 0f 19 US 7,886,359 B2 ,/ 100 POLECY INDEX VIOLATION REPORTING SPECIFIER CREATOR DETECTOR TOOL m LE 1% 19 FIG. 1 US. Patent Feb. 8, 2011 Sheet 2 0f 19 US 7,886,359 B2 I START I v 202 RECEIVE uSER INPUT N V DEFINE, BASED ON USER INPUT, A SET OF POLICIES 204 FOR DETECTING VIOLATIONS IN INFORMATION "\J CONTENT 206 INDEX SOURCE DATA N V DEPLOY THE INDEX TO LOCATIONS MONITORING N208 INFORMATION CONTENT DEPLOY THE SET OF POLICIES TO LOCATIONS N210 MONITORING INFORMATION CONTENT ‘L 212 MONITOR INFORMATION CONTENT N 214 N VIOLATION DETECTED? Y 216 REPORT DETECTED POLICY VIOLATION N ‘I, END FIG. 2A U S. Patent Feb. 8, 2011 Sheet 3 0f 19 US 7,886,359 B2 Ill COPY MESSAGE INTO N A FIRSY BUFFER I10 DECODE MESSAGE AND DIVIDE N IN'O CONPONENYS FUllEY ENVEkOPE CDNCERNS VIOLATES ENVELOPE 0F POLICY? Y SYORE DAIA PERTAINING N YD VIOLAYION 2! POLICY INClUDES RULES NO‘ CONCERNING 230 POLICV PRoPEFHv CONCERNS U‘ SUBCOMPONEN'S PROPERYIES OF OLA'ES POHCY UBCOMFONENY') STORE DATA PERTAINING T0 VIO\ATION Poucv CONl’AlNS muss N0! Continuum; vworznnzs 06 SVBCQIAPONENKS? SUBCOMPONENTS CONTAINS TEXT? V v AFPLV RULE N CONCERNING TEXT OF SUB-COMPONENT VIOLATES POLICV7 Y STORE DATA PERYAINING N YO VIOLAYIDN MORE COMPONENTS IN MESSAGE? 2A6 PROCESS svoasn DATA N PERTAINING T0 VIOllTIONS _| FIG. 25 US. Patent Feb. 8, 2011 Sheet 4 0f 19 US 7,886,359 B2 252 DETECT VIOLATION OF POLICY N CONCERNING SOURCE DATA DETERMINE USER'S PERMISSION LEVEL TO N 254 ACCESS SOURCE DATA 256 LEVEL ALLOWS FULL ACCESS TO SOURCE HIGHLIGHT MESSAGE FRAGMENTS MATCHING PROHIBITIVE SOURCE DATA ON THE SCREEN 260 LEVEL ALLOWS LIMITE IE;262 ACCESS TO SOURCE DISPLAY REDACTED SOURCE DATA AND NAMES N 254 OF COLUMNS CONTAINING I / THE SOURCE DATA DISPLAY REDACTED SOURCE DATA , 2‘ END FIG. 2C U S. Patent Feb. 8, 2011 Sheet 5 0f 19 US 7,886,359 B2 £a23“52Wm1t92.:93.> 5 ...... U S. Patent Feb. 8, 2011 Sheet 6 0f 19 US 7,886,359 B2 T22%, $221m US. Patent Feb. 8, 2011 Sheet 7 0f 19 US 7,886,359 B2 l-bguld in m Admini?nlo' may I 14.012 5W!“ hm Edit Securc Dala Pro?le ?elds ny sum Input, (E (E C KER! 308 FIG. 3A
Description: