Title of invention: Method and system for information leak prevention
Abstract: A method for mitigating false positive type errors while applying an information leak prevention policy to identify important information and to prevent outward leakage. A positive criterion is defined for a positive set, and a negative criterion for a negative set of benign traffic. An ambiguity set contains items showing indications for both positive and negative sets. An ambiguity resolution criterion allows ambiguous items to be placed in/removed from the positive set or negative set. Each information item is searched for matches with the positive set. Each item in the positive set is checked for membership in the ambiguity set. The ambiguity resolution criteria are used for each member of the ambiguity set and to remove items from the positive set accordingly. The leak prevention policy is applied for all items remaining in the positive set thus protecting the important information.
Publication number: US9473521(B2) Publication date: 2016.10.18
Application number: US201313892346 Filing date: 2013.05.13
Applicant: PortAuthority Technologies, LLC Inventors: Troyansky Lidror; Litai Assaf; Bruckner Sharon
Classification: G06F15/173; H04L29/06 Main classification: G06F15/173
Agency: Schwegman Lundberg & Woessner, P.A. Agent: Schwegman Lundberg & Woessner, P.A.
Main claim: 1. A method for mitigating false positive type errors while applying an information leak prevention policy to identify important information that it is desired to protect and to prevent said important information from leaking outwardly of an organization, the method comprising the computer implemented steps of: defining at least one positive criterion for a positive set, wherein said positive criterion comprises at least one indicator that a corresponding item contains information the distribution of which may be a possible breach of said information leak prevention policy; defining at least one negative criterion for a negative set, wherein said negative criterion comprises at least one indicator of benign traffic; establishing an ambiguity set defined by an intersection between said positive set and said negative set, said intersection containing items showing indications for both said positive set and said negative set, such that information items in said intersection, being all of the information items that belong simultaneously to said positive set and to said negative set, enter said ambiguity set; defining at least one ambiguity resolution criterion for resolving ambiguity of all members of said ambiguity set, thereby to positively place in or to remove said member from said positive set accordingly; monitoring and analyzing electronic traffic, where each information item in said traffic is searched for matches with said positive set; checking each item in said positive set for membership in said ambiguity set; resolving ambiguities of items in said ambiguity set using one of said ambiguity resolution criterion for each member of the ambiguity set and removing items from the positive set accordingly, said resolving being carried out on the items in all said items in said ambiguity set, being said items which are simultaneously members of said positive set and said negative set; and applying an information leak prevention policy for all items remaining in said positive set following said removal of items using ones of said ambiguity resolution criteria, said ambiguity resolution criteria thus identifying important information that it is desired to protect, said policy preventing said important information from leaking outwardly of said organization wherein said positive set comprises social security numbers and wherein said negative set comprises CUISP identifiers that are numbers valid for the set of social security numbers.
Address: Austin TX US
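
The set logic of the main claim, as an added Python example that is not code from the patent or the applicant. It assumes the claim's "CUISP identifiers" are CUSIP securities identifiers with the standard modulus-10 check digit; the context cues, the 40-character window and the sample messages are constructed for illustration.

```python
import re

# Positive criterion: nine digits, bare or in SSN-style 3-2-4 groups.
CANDIDATE = re.compile(r"\b(\d{3})([- ]?)(\d{2})\2(\d{4})\b")
# Assumed ambiguity-resolution cues (hypothetical, not taken from the patent).
SSN_CUES = re.compile(r"\b(ssn|social security)\b", re.I)
CUSIP_CUES = re.compile(r"\b(cusip|bond|isin)\b", re.I)

def cusip_check_ok(nine):
    """Negative criterion: the nine digits carry a valid CUSIP check digit."""
    total = 0
    for i, ch in enumerate(nine[:8]):
        v = int(ch)
        if i % 2 == 1:            # every second character is doubled
            v *= 2
        total += v // 10 + v % 10
    return (10 - total % 10) % 10 == int(nine[8])

def classify(text, window=40):
    """Return (blocked, released): items kept in / removed from the positive set."""
    blocked, released = [], []
    for m in CANDIDATE.finditer(text):
        digits = m.group(1) + m.group(3) + m.group(4)
        if not cusip_check_ok(digits):
            blocked.append(digits)        # positive only: policy applies
            continue
        # Item is in the ambiguity set (positive and negative indicators).
        ctx = text[max(0, m.start() - window): m.end() + window]
        benign = (m.group(2) == ""        # not written in SSN 3-2-4 form
                  and CUSIP_CUES.search(ctx)
                  and not SSN_CUES.search(ctx))
        # Fail closed: only a clearly benign context removes the item.
        (released if benign else blocked).append(digits)
    return blocked, released

# Constructed sample traffic.
SAMPLES = [
    "Bond purchase confirmed, CUSIP 037833100, settle T+2.",
    "Employee SSN 078-05-1120 attached.",
    "SSN for the bond desk hire: 037833100",
    "Payroll record 123-45-6782 for new hire.",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(classify(s), "<-", s)
```

Roughly one in ten arbitrary nine-digit numbers passes the check digit, so the negative criterion alone would release real SSNs; the resolution step is what keeps the third and fourth samples blocked.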