US 12,423,428 B2
Method and system for inferring document sensitivity
Rajan Peng Kiat Koo, Greenhill (AU); William Peter Abbott, Hillcrest (AU); Russell Alan Bruechert, Crafers West (AU); Aditya Mandyam, Fremont, CA (US); Aditya Raghavan, San Jose, CA (US); and Andre Costa, Seacliff (AU)
Assigned to DTEX SYSTEMS, INC., San Jose, CA (US)
Filed by Dtex Systems Inc., San Jose, CA (US)
Filed on Dec. 21, 2022, as Appl. No. 18/085,658.
Prior Publication US 2024/0211599 A1, Jun. 27, 2024
Int. Cl. G06F 21/56 (2013.01); G06F 21/55 (2013.01); G06F 21/57 (2013.01)
CPC G06F 21/568 (2013.01) [G06F 21/554 (2013.01); G06F 21/577 (2013.01)]
5 Claims
1. A method for implementing data loss prevention (DLP), the method comprising:
receiving an asset risk score calculation request for an asset from an administrator,
wherein the administrator has sent the request because of an alert triggered in a client,
wherein the alert specifies a malicious activity performed by a compromised user using the asset;
obtaining, in response to the request, file system metadata for the asset in the client,
wherein the file system metadata specifies an offset for data of the asset stored in a storage, an access control list of the asset, a number of users interacting with the asset, and a number of size changes associated with the asset;
analyzing the file system metadata to generate an asset lineage map,
wherein, while generating the asset lineage map, the file system metadata, a reduced identifier of the asset, and a hash of a file system activity related to the asset are used;
identifying, based on the asset lineage map, input features linked to the asset, a type of the asset, and a plurality of activities linked to the asset,
wherein the input features comprise a number of pre-determined sensitive keywords in an identifier of the asset and a key user that has interacted with the asset,
wherein the key user has a high propensity to interact with sensitive assets;
obtaining, based on the type of the asset, coefficients for the input features;
executing, based on the input features and the coefficient, a model to obtain an asset sensitivity score for the asset;
obtaining, based on the plurality of activities, a malicious score and a data loss score for the asset;
determining, based on the asset sensitivity score, the malicious score, and the data loss score, an asset risk score;
determining a user level of the compromised user;
making a determination, based on the asset risk score, that the asset is a sensitive asset;
tagging, based on the user level of the compromised user and the asset risk score of the sensitive asset, the compromised user as a high-risk user;
making a second determination that the plurality of activities are malicious; and
implementing, based on the second determination, a medium-level DLP policy to deter the compromised user.
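
The scoring flow recited in claim 1, as an added Python sketch that is not code from the patent or from DTEX. The claim does not specify the model, the coefficients, how the three scores are combined, or any threshold, so the logistic model, the weights, the keyword list, the activity names and the user levels below are all assumptions chosen for illustration.

```python
import math

# Constructed values: the claim names these inputs but publishes no keyword list,
# coefficients, activity scores, weights or thresholds.
SENSITIVE_KEYWORDS = ("confidential", "payroll", "salary")
COEFFICIENTS = {  # per asset type, as in "obtaining, based on the type of the asset"
    "document": {"bias": -2.0, "keywords": 1.2, "key_user": 1.5},
    "source_code": {"bias": -1.5, "keywords": 0.8, "key_user": 2.0},
}
ACTIVITY_SCORES = {  # activity -> (malicious score, data loss score)
    "open": (0.0, 0.0),
    "copy_to_removable_media": (0.4, 0.8),
    "upload_to_personal_cloud": (0.5, 0.9),
}
SENSITIVE_AT, MALICIOUS_AT = 0.7, 0.5
HIGH_USER_LEVELS = {"admin", "privileged"}

def input_features(identifier, interacting_users, key_users):
    # Keyword count in the asset identifier, plus whether a key user touched it.
    name = identifier.lower()
    return {
        "keywords": float(sum(name.count(k) for k in SENSITIVE_KEYWORDS)),
        "key_user": 1.0 if set(interacting_users) & set(key_users) else 0.0,
    }

def sensitivity_score(features, asset_type):
    c = COEFFICIENTS[asset_type]
    z = c["bias"] + sum(c[k] * v for k, v in features.items())
    return 1.0 / (1.0 + math.exp(-z))  # logistic model is an assumption

def assess(asset, user_level, key_users):
    feats = input_features(asset["id"], asset["users"], key_users)
    sens = sensitivity_score(feats, asset["type"])
    # Activities missing from the table score zero here; a deployment should flag them.
    scores = [ACTIVITY_SCORES.get(a, (0.0, 0.0)) for a in asset["activities"]]
    mal = max((m for m, _ in scores), default=0.0)   # worst activity wins
    loss = max((d for _, d in scores), default=0.0)
    risk = 0.5 * sens + 0.25 * mal + 0.25 * loss     # assumed weighting
    sensitive = risk >= SENSITIVE_AT
    return {
        "sensitivity": sens, "risk": risk, "sensitive": sensitive,
        "high_risk_user": sensitive and user_level in HIGH_USER_LEVELS,
        "dlp_policy": "medium" if mal >= MALICIOUS_AT else None,
    }

# Constructed sample assets
PAYROLL = {"id": "Q3_Payroll_Confidential.xlsx", "type": "document",
           "users": ["alice", "bob"], "activities": ["open", "upload_to_personal_cloud"]}
MENU = {"id": "lunch_menu.txt", "type": "document", "users": ["carol"], "activities": ["open"]}
```

Because the identifier keywords and key-user signal come from file system metadata only, the sensitivity estimate in this sketch never reads file contents, which matches the inputs the claim lists.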