Cyber Security Method and System

JP2025522535A5 · Pending · Publication Date: 2026-06-25 · タロン サイバー セキュリティ リミテッド

Patent Information

Authority / Receiving Office
JP · JP
Patent Type
Applications
Current Assignee / Owner
タロン サイバー セキュリティ リミテッド
Filing Date
2023-06-22
Publication Date
2026-06-25

AI Technical Summary

Technical Problem

The increasing complexity of cyberattacks on communication networks due to the use of personal devices (BYOD) and remote work environments exacerbates the challenge of providing adequate cyber protection for enterprise data and resources, particularly in cloud-based systems like IaaS, PaaS, and SaaS.

Method used

The CyberSafe system employs a cloud-based data and processing security hub with a CyberSafe Secure Web Browser (SWB) that operates within a CyberSafe Isolated Secure Environment (CISE) to monitor and control data movement, enforce security policies, and provide high-resolution visibility and protection against cyber threats by isolating enterprise resources from personal device software, and managing user behavior and access based on data content and user clearance levels.

Benefits of technology

Enhances cyber protection by providing real-time monitoring and control of data access and movement, ensuring secure access to enterprise resources while mitigating cyber threats and data leakage, even in diverse and remote work environments.

✦ Generated by Eureka AI based on patent content.


Abstract

A method for controlling access to digital resources among a group of digital resources, comprising the following steps: determining sensitive features in the information included in the information content of the resource, wherein access to the features is limited to the selection of users from a group of users associated with the group of resources; determining whether the content of the digital resource includes at least one of the sensitive features in the information; determining, based on the at least one sensitive feature in the information, whether a user in the group of users has authorization to access at least a part of the resource; and enabling access by the user only to the at least a part of the resource for which the user is determined to have authorization.

Description

Technical Field

[0001] Embodiments of the present disclosure relate to providing a cybersecure access channel and workspace for communication networks and digital resources.

Related Applications

[0002] This application claims the benefit under 35 U.S.C. § 119(e) of U.S. Provisional Patent Application No. 63/354,896, filed on Jun. 23, 2022, the disclosure of which is incorporated herein by reference.

Background Art

[0003] The various computer and communication technologies that provide modern communication networks and the Internet include a wide variety of virtual and bare-metal network elements (NEs) that support the operation of communication networks, and fixed and/or mobile user equipment (UE) that provides access to the network. This technology enables the information technology (IT) and operational technology (OT) that are the foundation of today's society, and provides numerous methods, devices, infrastructures, and protocols for controlling industrial equipment, supporting business operations, and generating and propagating data, voice, and video content over the Internet. All types of information are readily available to most people in the world through the Internet, regardless of their physical location. Today, much of the global community works remotely from home, coffee shops, and vacation venues using personally owned devices (Bring Your Own Device, BYOD), such as personal smartphones, laptops, tablets, and home desktops, via connections to employers and workgroups. The network has democratized the consumption of information and accelerated changes in social infrastructure.

[0004] However, the advantages provided by computers and communication technologies do not come without their costs. The same technologies and advantages have substantially increased the difficulty in providing and maintaining legitimate individual and collective rights to confidentiality, and in protecting the integrity and security of the same industries and business activities that the technology has enabled against violations and damages from cyberattacks.

[0005] For example, the fingerprint of the cyberattack surface that characterizes each UE, whether a personal, spatially unconstrained BYOD or an enterprise workplace user equipment (WPUE), presents exploitable vulnerabilities, perhaps on the UE and more frequently on the entities and systems to which the UE connects, that malicious hackers can use to cause havoc. Each UE, and especially a BYOD, is a potential cyberattack node for any communication network to which it connects, in addition to functioning as a human communication node. For enterprises that must communicate with clients, workers, and/or colleagues who work remotely at least partially using their personal BYODs, the vulnerability to cyberattacks is amplified by the number of remote connections, the software configuration of each BYOD involved in those connections, and the diversity of non-enterprise communications in which the UE is involved. The migration of enterprise data and storage resources to the cloud, and the rapid growth of infrastructure as a service (IaaS), platform as a service (PaaS), and software as a service (SaaS) as services accessed and used by remote contacts, further exacerbate the complexity of providing adequate cyber protection.

Summary of the Invention

[0006] One aspect of embodiments of the present disclosure relates to providing a cyber-secure communication system, optionally referred to as a CyberSafe system or simply "CyberSafe", which provides enhanced visibility and management of the communication traffic propagated by the system. CyberSafe uses the improved visibility to provide enhanced cyber protection and secure access to the digital resources of a body of resources for authorized users of UEs (BYOD or WPUE) associated with the body of resources.

[0007] Digital resources include any information in digital format, whether static or moving, and include, by way of example, executable code and / or data, electronic documents, images, files, data, databases, and / or software. Digital resources also include any software and / or hardware that can be used to manipulate or generate digital resources. A moving digital resource is a digital resource that is being used and / or operating on a node of a communication system and / or is in transit between nodes of a communication system. A static digital resource is a digital resource that is in storage and not moving.

[0008] For purposes of presentation, it is assumed that the body of digital resources is optionally owned by a company, optionally referred to as "MyCompany", which undertakes or is engaged in the task of enabling authorized users to access MyCompany resources using UEs associated with the body of resources. A UE associated with the body of resources is a UE configured to enable authorized user access to MyCompany resources in accordance with embodiments of the present disclosure and can be referred to as a MyCompany UE. An authorized user who uses a MyCompany UE to access MyCompany resources can be referred to as a MyCompany user or simply a user.

[0009] In one embodiment, CyberSafe includes an optionally cloud-based data and processing security hub, also referred to as a CyberSafe hub, and a web browser, also referred to as a CyberSafe Secure Web Browser (SWB), that resides within a CyberSafe isolated secure environment (CISE) of a MyCompany UE configured by or according to CyberSafe. In one embodiment, the CISE operates to isolate software included in the SWB and other applications that may reside within the CISE from software within the UE, also referred to as UE environment software, that can be used for tasks not related to MyCompany resources and from software external to the UE. In one embodiment, the SWB monitors and controls the movement of data into and out of the CISE and between the applications within the CISE and MyCompany resources to enforce CyberSafe and / or MyCompany security policies. In one embodiment, CyberSafe supports high-resolution monitoring and control of the movement of data into and out of the CISE and the propagation of data by the communication system by configuring the SWB to provide high visibility into the movement of data. Providing high visibility includes making visible communications originating from the CISE before the SWB encrypts the outgoing communications and making visible communications destined for the CISE after the SWB decrypts the incoming communications. The isolation and control of movement and access to data and the enforcement of security policies according to embodiments of the present disclosure operate to provide enhanced protection against cyber threats and security against data leakage from and / or into MyCompany resources that may result from communications with and through the MyCompany UE.

[0010] In one embodiment, monitoring and controlling the movement of digital data includes vetting the information content of the data and controlling the movement of the data in response to the vetted content. Vetting the content can include determining the text, image, audio, and / or video components of the data and processing the components to determine the information content of each. Controlling the movement of the data in response to the data content can include denying access to the data, masking or deleting portions of the data, and / or optionally watermarking the data depending on an assessment of the data's confidentiality and the clearance of the users involved with the data.

[0011] Monitoring and controlling the movement of the data includes operating and using the MyCompany UE to monitor the user behavior, determining user key performance indicators (U-KPIs) that characterize the user behavior when interacting with the MyCompany UE and MyCompany digital resources and using the U-KPIs to control the movement of the data. Optionally, monitoring the user behavior includes recording and storing at least a portion of the communication session in which the user is involved in using the MyCompany UE.

[0012] Optionally, monitoring the movement of data may include determining and recording the locus along which digital resources traverse between communication nodes included within CyberSafe and/or between a CyberSafe node and a node external to CyberSafe, as well as changes that the resources may undergo at the nodes. Communication nodes include, by way of example, UEs, websites, and/or CCaaS (cloud computing as a service) resources. Communication nodes within or external to CyberSafe are nodes that are, respectively, controlled or not controlled by CyberSafe.

[0013] This summary is provided to introduce a selection of concepts in a simplified form that will be further described in the detailed description below. This summary is not intended to identify key features or essential features of the claimed subject matter, nor is it intended to be used to limit the scope of the claimed subject matter.

Brief Description of the Drawings

[0014] Non-limiting examples of embodiments of the present invention are described below with reference to the drawings attached hereto, which are listed after this paragraph. The same features that appear in two or more drawings are generally labeled with the same label in all the drawings in which they appear. Labels labeling icons representing a given feature according to one embodiment of the present invention in the drawings may be used to refer to the given feature. The dimensions of the features shown in the drawings are selected for convenience of presentation and clarity and are not necessarily shown to scale.

Figures 1, 2A, 2B, 2C, 3A, 3B, 3C, 4A, 4B, and 5.

[0015] In this description, unless otherwise specified, adjectives such as “substantially” and “about” that modify the conditions or relative characteristics of one or more features according to embodiments of the present disclosure are understood to mean that the condition or characteristic is defined within the tolerances allowed for the operation of the embodiment for the intended use. Whenever a general term in the present disclosure is indicated by reference to one example instance or a list of instances, the one or more instances referred to are by way of non-limiting exemplary instances of the general term, and the general term is not intended to be limited to the particular instances referred to. The phrase “in an embodiment” is used to introduce for purposes of consideration of an example, whether or not associated with permissive terms such as “may,” “optionally,” or “by way of example,” but is not necessarily a required configuration of a possible embodiment of the present disclosure. Unless otherwise indicated, the term “or” in this specification and the claims is considered to be inclusive rather than exclusive, and indicates at least one of the items it joins, or any combination of two or more. The features and operations of the flowcharts shown in and described in this specification are presented and described in a substantially continuous order defined by consecutive block numbers referring to the blocks in the drawings, but the operations presented in the blocks may be performed simultaneously or in an order not defined by the block numbers.

[0016] FIG. 1 schematically shows a CyberSafe system 50 that operates to provide cyber-secure communications for a communication network of a company 20, also referred to as MyCompany 20, according to one embodiment of the present disclosure, and for MyCompany users 10 who use the communication network. The company may have cloud-based digital resources 22, a premises 24 that houses an on-premises server (not shown) for storing and processing the company's on-premises digital resources 28, and WPUEs 30 that are used by MyCompany users 10 on-premises to access, use, and process cloud-based and on-premises resources to conduct the company's business. The company can permit users 10 to access the company's resources from various locations using any of various types of BYOD 32 when off-premises. MyCompany users 10 can use their respective BYOD 32 for personal activities, and it is assumed that MyCompany users are permitted to use WPUEs 30 for personal activities when on-premises, according to permissions defined by the company's policies. Personal activities can include web browsing, social networking, and uploading and downloading via the communication node 41 and the cloud infrastructure of websites 40. The company network may need to support communications between any of various combinations of the company's on-premises digital resources 28, cloud-based digital resources 22, on-premises users 10 who use WPUEs 30 installed within the company premises 24, and off-premises users 10 who use BYODs 32 at various off-premises locations, as schematically shown by the double-headed dotted line 43.

[0017] According to embodiments of the present disclosure, the CyberSafe 50 comprises an optional cloud-based CyberSafe processing and data hub 52, and a software architecture 60 that operates to cyber-protect company communications and digital resources in each of a plurality of company UEs, BYODs 32, and / or WPUEs 30 that are accessed by and used by company users 10 to access and use company resources. The CyberSafe hub 52 comprises cloud-based and / or bare-metal processing and memory resources that enable and support the functionality provided by the CyberSafe 50 and the components of the CyberSafe, and / or has access thereto.

[0018] As an example, FIG. 1 schematically shows a CyberSafe software architecture 60 that configures a company UE 33 to protect company digital resources during rest and / or operation, and provides cyber-secure access to the resources for a user 10 who may use the company UE 33. The company UE 33 may be a BYOD or a WPUE, and may be referred to as a My-WorkStation 33.

[0019] The architecture 60 includes a CyberSafe isolated environment, CISE 62, which is isolated from the environment software 35 resident within My-WorkStation 33, and includes the SWB 64 resident within the CISE 62. The environment software 35 may typically include data and applications not intended to be used when conducting MyCompany business. By way of example, the environment software 35 may include browsers, office application suites, clipboards, family photo albums, and WhatsApp. The CISE 62 may also optionally import applications from the environment software 35, associating with them the cyber security functions required by CyberSafe and/or MyCompany policy, and may include a set 65 of applications wrapped by CyberSafe and optionally containerized. In one embodiment, the CISE comprises an ensemble of shared secure services 66 that can be accessed for use by the SWB 64 and, via the SWB 64, by the applications within the set 65. The shared secure services 66 optionally include a secure clipboard and a secure encrypted file system.

[0020] CISE 62 provides an isolated security domain that is generated and supported by the security applications, features, and functionality associated with the wrapping of SWB 64, shared secure services 66, and wrapped applications 65, and is delimited by a substantially continuous security boundary. According to one embodiment, CISE 62 can be configured to provide cybersecurity and isolation using and in accordance with standard methods such as PCI DSS (Payment Card Industry Data Security Standard), HIPAA (Health Insurance Portability and Accountability Act), and/or SOC 2 (American Institute of CPAs' Service Organization Control). Optionally, CISE 62 is separated from the environment software at the network level.

[0021] In one embodiment for providing isolation and security, SWB 64 is configured to monitor and control the entry and exit of data into and from CISE 62, as well as between CyberSafe-wrapped applications, shared secure services 66, and/or applications within SWB 64. Advantageously, SWB 64 is configured by CyberSafe to enforce CyberSafe and/or MyCompany security policies related to access to MyCompany data and the movement of data into, within, and out of the CISE. The isolation and control of data movement and access to data, together with the enforcement of policies, operate to provide enhanced protection against cyber threats and security against leakage of data from and/or into MyCompany resources resulting from communication with and through the MyCompany UE.

[0022] In one embodiment, monitoring data ingress and egress includes monitoring the communications supported by SWB 64, storing and processing the data included in the monitored communications, and making the data available to the CyberSafe hub and MyCompany IT. In one embodiment, for outgoing communications originating from the CyberSafe isolation environment CISE 62 (FIG. 1), monitoring is performed before the transmitted communications are encrypted by SWB 64, and for incoming communications to the CISE, monitoring is performed after the incoming communications are decrypted by SWB 64. As a result, the user's browsing is substantially fully visible to CyberSafe and MyCompany and can be processed locally or remotely.

[0023] The monitoring can be substantially continuous, probabilistic, or periodic. Probabilistic monitoring includes monitoring communications for a limited duration of a monitoring period that starts at a randomly determined start time, optionally according to a predefined probability function or in response to a "trigger" event, such as an event considered to be an anomaly requiring attention. Periodic monitoring includes continuous monitoring of communications during monitoring periods with periodic start times. The monitored communications may be mirrored by SWB 64 to destinations within the CyberSafe hub and/or MyCompany for storage and/or processing, or may be filtered for data of interest before being sent to destinations within the CyberSafe hub and/or MyCompany for storage and/or processing. The characteristics and constraints that govern how the monitored communications are processed by SWB 64 can be determined based on CyberSafe and/or MyCompany policy. Such policy may specify how the processing of data is shared between the local SWB and the CyberSafe hub.

[0024] In one embodiment, SWB 64 can be an existing web browser such as Google Chrome, Microsoft Edge, Apple Safari, Mozilla Firefox, Opera, or Brave that is modified and provided with additional CyberSafe features and/or functionality, either as a stand-alone application with CyberSafe features and/or functionality, by modifications and/or additions to the browser code, and/or by integration with a CyberSafe extension. The features and functionality can be incorporated into an existing browser, and the browser can be converted into a CyberSafe SWB by, for example, interfacing with the input and output of the existing browser using operating system hooks, patching the original binary of the browser, building a dedicated extension on top of the browser's API and/or SDK, and/or dynamically modifying the memory of the browser while it is running.

[0025] By way of example, the features and/or functionality, hereinafter generically referred to as functionality, can include at least one or any combination of functionality that enables SWB 64 to: cooperate with the MyCompany IDP (identity provider) to authenticate and authorize user 10 to access CISE 62 and MyCompany resources; obtain data characterizing web sites visited by MyCompany users that can be used to classify the cyber risk associated with a web site; obtain data characterizing browser extensions that can compromise the SWB 64 security features; obtain data that can be processed to determine the normal behavior and use of MyCompany resources by MyCompany users as a group and/or as individuals; monitor the involvement of MyCompany users with MyCompany resources; and control that involvement to enforce CyberSafe and/or MyCompany security constraints.

[0026] In one embodiment, implementing CyberSafe and/or MyCompany security constraints requires that all communication between UE 33 and MyCompany resources be propagated via SWB 64 and a CyberSafe tunnel connecting the SWB to the resources, and includes implementing CyberSafe and/or MyCompany permissions for the resources. Optionally, implementing the security constraints includes identifying anomalies in the communication between UE 33 and the enterprise resources, operating to eliminate or mitigate damage from the identified anomalies, and generating an alert for their occurrence.

[0027] The flowcharts presented in FIGS. 2A-5 illustrate elements of procedures executed by a CyberSafe system and an SWB, such as CyberSafe system 50 and SWB 64, according to one embodiment, showing and exemplifying the functions of the CyberSafe system and the SWB. The description assumes that the CyberSafe system provides cyber-security services for a given MyCompany enterprise having a plurality of users U_n (1 ≤ n ≤ N) identified by their respective user IDs U-ID_n (1 ≤ n ≤ N). A user is assumed to access and use a user device UE_e identified by a user device ID UE-ID_e (1 ≤ e ≤ E), and CyberSafe configures the UE with a CISE and a CyberSafe browser SWB_b identified by an SWB browser ID B-ID_b (1 ≤ b ≤ B).

[0028] FIGS. 2A-2C show a flowchart 100 of a procedure in which a given user U_n, using user device UE_e, contacts the CyberSafe security hub 52 to request authorization to use the CISE within UE_e and the SWB_b resident within that CISE, and is issued a security token for access to MyCompany resources.

[0029] In block 102, user U_n operates UE_e to sign in to the CyberSafe security hub 52 and submit a request for a security token. The request includes an extended ID comprising the user ID U-ID_n, the user device ID UE-ID_e, and the SWB ID B-ID_b, which identifies the SWB_b installed in UE_e. U-ID_n may include data associating the user with MyCompany, such as the username, password, and/or the date on which the user was first registered as a MyCompany user. UE-ID_e may be any suitable identifier, such as a MAC (media access control) address, UUID (Universally Unique Identifier), or IMSI (International Mobile Subscriber Identity), and/or information associating UE_e with user U_n, SWB_b, and/or MyCompany. B-ID_b may be a browser user agent string, any suitable identifier that CyberSafe assigns to SWB_b, and/or information associating SWB_b with UE_e, U_n, and/or MyCompany.

[0030] It should be noted that a given user U_n may be associated with two or more UE_e and/or two or more SWB_b, and the user ID U-ID_n may include data identifying the association. Similarly, a given UE_e may be associated with two or more users U_n and/or two or more SWB_b, a given SWB_b may be associated with two or more users U_n and/or two or more UE_e, and the IDs UE-ID_e and B-ID_b may comprise data mapping the association. Any one or combination of U-ID_n, UE-ID_e, and/or B-ID_b may comprise the time of day (ToD) of each of at least one previous sign-in to CyberSafe.

[0031] Optionally, in block 104, the CyberSafe security hub authenticates the extended ID. Authenticating the extended ID may involve multi-factor, optionally three-factor, authentication of user U_n and determining the association and/or the consistency of the ToD between any combination of two or more of U-ID_n, UE-ID_e, and B-ID_b.

[0032] In decision block 106, if the extended ID is not OK, the hub proceeds to block 142, rejects the requested token, and optionally sends a rejection alert to the CyberSafe hub. On the other hand, if the extended ID is OK, the hub optionally proceeds to decision block 108 and determines whether to perform an integrity test on the SWB_b software. The determination of whether to perform the integrity test may depend on the MyCompany and/or CyberSafe test policy. The policy may depend on when the CyberSafe hub last performed an integrity test on SWB_b and/or UE_e, on the user profile characterizing the browsing behavior and Internet usage patterns of user U_n, and/or on the characteristics of the cyber-attack situation. For example, MyCompany may have a policy that the delay between integrity tests is above a predetermined lower limit and below a predetermined upper limit. The determination may depend on whether user U_n browses cyber-dangerous websites listed in a list of dangerous websites more frequently than a predetermined frequency, or whether the user tends to be lax about password updates or applying patches to applications. The cyber-attack situation may include the frequency and/or severity of cyber attacks recently experienced by MyCompany or other companies, and/or the types of cyber attacks encountered. Optionally, if the determination in decision block 108 is to skip the integrity test, the hub proceeds to block 140 and issues the desired token. If the determination is to perform the integrity test, the hub proceeds to block 110 and retrieves, from a database that the hub has or accesses, a set SIT of at least one software integrity test sit_i that can be used to determine the integrity of the SWB_b software. Here, SIT = {sit_i | 1 ≤ i ≤ I}. An exemplary SIT may include at least one of the following, or any combination of two or more of the following:
sit_1 = CRT (Challenge Response Test); sit_2 = BAT (Proof of Behavior Test); sit_3 = AV (Anti-Virus Check); sit_4 = EDR (Endpoint Detection and Response); sit_5 = BDS (Binary Digital Signature); ...; sit_i.

[0033] In block 112, the CyberSafe hub estimates how suitable each sit_i is for determining the integrity of the software by testing, and determines a weight vector WIT that includes a weight wit_i for each sit_i. In one embodiment, wit_i for a given sit_i is a function of the following: the hardware type of UE_e, e.g., whether UE_e is a mobile device, tablet, or desktop, which can restrict which type of sit_i can be executed on UE_e; sensitivity, the true positive rate of the given sit_i; specificity, the true negative rate of the given sit_i; nuisance rating, a measure of the inconvenience that executing the test imposes on the user of UE_e; past executions of the test; and/or the current cyber-attack context, identifying the current prevalence and severity of cyber-attack types.

[0034] In block 114, the CyberSafe hub executes a selection of the tests sit_i on the SWB software according to their respective weights wit_i. For example, a larger weight wit_i indicates greater relevance, and the hub selects the integrity tests sit_i whose respective weights are greater than the median of the weights wit_i.

[0035] In block 116, the CyberSafe hub responds to the integrity metrics returned by each of the selected tests sit_i to determine the value of a measure QoI(e,b) (quality of integrity) of SWB_b within UE_e. In one embodiment, QoI(e,b) is the average of the integrity metrics provided by the sit_i weighted by their respective weights wit_i. Optionally, in decision block 118, the CyberSafe hub 52 determines whether the QoI value is satisfactory. If the QoI is not satisfactory, the hub proceeds to block 142, rejects the issuance of the token, and optionally sends an alert. On the other hand, if the QoI is satisfactory, the hub proceeds to decision block 120 and determines whether to perform a surrounding software environment test on UE_e.
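The integrity-test weighting, above-median selection and weighted QoI(e,b) scoring of blocks 112-118, worked through as an added Python example; this is not the patent's code. The tests are the page's sit_i, but their rates, the weight formula (hardware compatibility, sensitivity, specificity and nuisance only) and the acceptance threshold are constructed assumptions.

```python
from dataclasses import dataclass
from statistics import median
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class IntegrityTest:
    """One software integrity test sit_i from the page's set SIT."""
    name: str
    sensitivity: float          # true positive rate of the test
    specificity: float          # true negative rate of the test
    nuisance: float             # 0.0 = invisible to the user, 1.0 = very disruptive
    runs_on: FrozenSet[str]     # UE_e hardware types the test can execute on


# Constructed sample values; the page names the tests but gives no rates.
ALL_HW = frozenset({"mobile", "tablet", "desktop"})
TESTS: List[IntegrityTest] = [
    IntegrityTest("CRT", 0.95, 0.90, 0.2, ALL_HW),
    IntegrityTest("BAT", 0.80, 0.85, 0.6, ALL_HW),
    IntegrityTest("AV",  0.85, 0.95, 0.1, frozenset({"desktop"})),
    IntegrityTest("EDR", 0.90, 0.92, 0.3, frozenset({"desktop"})),
    IntegrityTest("BDS", 0.99, 0.99, 0.0, ALL_HW),
]


def integrity_weights(tests: List[IntegrityTest], hardware: str) -> Dict[str, float]:
    """Block 112: the weight vector WIT. A test that cannot run on the UE's
    hardware gets weight 0; otherwise weight = mean(sensitivity, specificity)
    discounted by nuisance. This combination is an assumption: the page lists
    the factors but no formula, and test history / attack context are omitted."""
    weights: Dict[str, float] = {}
    for t in tests:
        if hardware not in t.runs_on:
            weights[t.name] = 0.0
        else:
            accuracy = (t.sensitivity + t.specificity) / 2
            weights[t.name] = accuracy * (1.0 - 0.5 * t.nuisance)
    return weights


def select_tests(weights: Dict[str, float]) -> List[str]:
    """Block 114: select the tests whose weight is above the median weight."""
    med = median(weights.values())
    return [name for name, w in weights.items() if w > med]


def quality_of_integrity(metrics: Dict[str, float], weights: Dict[str, float]) -> float:
    """Block 116: QoI(e,b) = weighted average of the metrics (0..1, 1 = intact)
    returned by the selected tests, using their weights wit_i."""
    total = sum(weights[name] for name in metrics)
    if total <= 0.0:
        raise ValueError("no weighted test results to score")
    return sum(metrics[name] * weights[name] for name in metrics) / total


def token_decision(qoi: float, threshold: float = 0.8) -> str:
    """Block 118: issue the token (block 140) or reject it (block 142).
    The 0.8 threshold is an assumed MyCompany policy value."""
    return "issue" if qoi >= threshold else "reject"


if __name__ == "__main__":
    w = integrity_weights(TESTS, "desktop")
    chosen = select_tests(w)
    # Constructed results: AV reports clean, BDS finds the binary's signature invalid.
    results = {"AV": 1.0, "BDS": 0.0}
    assert set(results) == set(chosen)
    qoi = quality_of_integrity(results, w)
    print(chosen, round(qoi, 3), token_decision(qoi))
```

On a mobile UE the desktop-only AV and EDR tests drop to weight 0 and the selection shifts to CRT and BDS, which is the hardware restriction the page describes.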

[0036] The software environment test is a test to determine to what extent, if any, the surrounding software within UE_e has been compromised by a cyber-attack or is inadequately protected against a cyber-attack. The decision whether to perform an environment test on UE_e can be based on many of the same considerations that are weighed when deciding whether to perform an integrity test. For example, the decision can depend on MyCompany and/or CyberSafe policy, on UE_e hardware factors such as whether UE_e is a mobile phone or a laptop, on the browsing behavior pattern of user U_n, on when the last environment test was performed on UE_e, and/or on characteristics of the cyber-attack situation.

[0037] Optionally, if the decision in decision block 120 is to skip the software environment test, the CyberSafe hub can proceed to block 140 and issue the desired token. On the other hand, if it is decided to perform the environment test, the hub can optionally proceed to block 110 and retrieve from the database a set HVF(e) of at least one cyber-attack vulnerability feature hvf_{e,j} whose presence or absence is to be determined. Here, HVF(e) = {hvf_{e,j} | 1 ≤ j ≤ J}. HVF(e) can include static and/or dynamic vulnerability features. Static vulnerability features are code and/or data elements included within the environment software of UE_e that are considered to render the environment software, and/or digital resources not included within the environment software, such as CyberSafe and/or MyCompany resources, vulnerable to cyber-attacks. Dynamic vulnerability features are temporary vulnerability features that characterize the current usage of UE_e, such as whether UE_e is connected to a public Wi-Fi (registered trademark) network or to a cyber-dangerous website. An exemplary HVF(e) can include at least one, or any combination of two or more, of the following vulnerability features, whose presence or absence can optionally be determined by the response to the following queries:
hvf_{e,1} = Is AV (anti-virus)/EDR (Endpoint Detection & Response) installed?
hvf_{e,2} = Is a firewall installed and enabled?
hvf_{e,3} = Is the OS (operating system) patched to the latest version?
hvf_{e,4} = Are the applications patched to the latest version?
hvf_{e,5} = Does access to UE_e require authentication?
hvf_{e,6} = Are there dangerous software defaults?
hvf_{e,7} = Is public Wi-Fi being used?
hvf_{e,8} = Is UE_e connected to a VPN (Virtual Private Network)?
hvf_{e,9} = What is the security level of the connected network?
hvf_{e,10} = Is there a security misconfiguration?
hvf_{e,11} = Is there cross-site scripting?
hvf_{e,12} = Is there an irregular power supply?
...; hvf_{e,j}.

[0038] Optionally, in block 124, the cyber-safe hub scans the surrounding software environment of the UE e to detect the presence of each hvf e,j and determines a risk vector HVR(e) that includes a cyber-attack risk estimate hvr e,j for each hvf e,j. Here, HVR(e) = {hvr e,j | 1 ≤ j ≤ J}. Determining a risk estimate value for a given vulnerability hvf e,j generally depends on the type of vulnerability and on the cyber-attack landscape. For example, determining a risk estimate value for a given public Wi-Fi may depend on the physical location of the Wi-Fi, the traffic carried by the Wi-Fi at the time the estimate is made, and the recent history of cyber-attacks attempted via the Wi-Fi. The risk associated with patching may be a function of the type of patching required or installed.

[0039] In block 126, the cyber-safe hub scans the surrounding software of the UE e to determine the set HCC(e) of components hcc e,k in the surrounding software that have been compromised. Here, HCC(e) = {hcc e,k | 1 ≤ k ≤ K}. In block 128, CyberSafe can retrieve the user profile U-PRF(n) from the CyberSafe and/or MyCompany database, which can be used to characterize the behavior of user U n when interacting with MyCompany and/or non-MyCompany digital resources. In one embodiment, U-PRF(n) includes a set U-KPI(n) of key performance indicator (KPI) values for user key performance indicators ukpi n,k, where U-KPI(n) = {ukpi n,k | 1 ≤ k ≤ K}, and a user cyber risk profile U-CRP(n) that includes the values of user risk components ucrp n,r, where U-CRP(n) = {ucrp n,r | 1 ≤ r ≤ R}. U-KPI(n) can include values for at least one, or any combination of two or more, of: the user keyboard typing pattern, user mouse activity pattern, user response time to digital resource actions, use of wrap apps, use of shared secure services, data patterns used by the user during a session including data typed locally within the SWB, uploaded and downloaded files, file names, interruptions for using environmental software, and/or hover time on a particular web page. The values of the U-CRP(n) components can optionally include risk estimation values, derived from the U-KPI(n) component values, for at least one or any combination of two or more of: careless password management, careless permission management, reckless clicks on executable content, insufficient sensitivity to phishing bait, or a risk estimate of the user abusing privileges to MyCompany resources.

[0040] In block 130, CyberSafe processes a set of values CPA(b) that provide security measures for protecting SWB b from cyber damage, in light of HVR(e), HCC(e), U-PRF(n), and/or optionally anti-injection and/or anti-exploitation software, also known as cladding. For example, for users with high privileges, CPA(b) may require additional security checks to be performed and additional security controls such as EDR to be installed before the user is enabled to access MyCompany resources. Additionally, when the user is accessing an unknown website or a website with a low security rating and thus a high risk, some capabilities that affect the system's vulnerability to cyberattacks may be restricted or disabled by CPA(b). In one embodiment, the processing is performed by a neural network configured to operate on an input feature vector that includes component features based on components of HVR(e), HCC(e), U-PRF(n), and/or CPA(b).

[0041] Optionally, in block 132, if the cyber-safe hub determines that cladding protection is advantageous, the hub proceeds to block 140 and issues the requested token. On the other hand, if cladding protection is not advantageous, the hub can proceed to block 134 to determine whether to modify the cladding protection to improve the protection. If the hub determines not to modify, the hub proceeds to block 142 and can reject the token and issue an alert. On the other hand, if the decision is to modify the cladding, the hub proceeds to block 136, modifies the cladding, and optionally proceeds to decision block 138 to determine whether the modification has resulted in a sufficient improvement in cyber-protection. If the improvement is not sufficient, the cyber-safe hub proceeds to block 142 and rejects the token.

[0042] In one embodiment, once a token is provided to MyCompany user U n, user UE e, and browser SWB b for a presentation that interacts with MyCompany resources, the SWB can be configured to provide inspection of access to the resources and control of the movement of the resources based on the information content of the resources, according to one embodiment of the present disclosure. FIGS. 3A-3C show a flowchart 200 of a procedure, optionally called an Information Content Approval Procedure (ICAP), according to one embodiment of the present disclosure, in which the cyber-safe hub, MyCompany, and/or SWB b cooperate to provide control of access to and movement of MyCompany resources that user U n attempts to access.

[0043] In block 202, user U n requests a MyCompany security token from the cyber-safe hub 52, optionally submitting the extended ID, which includes U-ID n, UE-ID e, and B-ID b. In decision block 204, the cyber-safe hub vets the extended ID to determine whether the security hub requirements are met, and in block 206, if they are met, grants the requested token.

[0044] Optionally, in block 208, the SWB downloads and/or provides access to the user clearance profile CLR(n,e,b) for user U n, which includes the MyCompany user profile U-PRF(n) = (U-KPI(n) ∪ U-CRP(n)) for user U n, the confidentiality level CON of information-sensitive features of MyCompany resources, and the user clearance level CLR for access to information-sensitive features. Information-sensitive features, also called confidentiality-sensitive features, are any information features of resources that MyCompany considers advantageously require restricted distribution to MyCompany users based on the user clearance level. Restricted distribution is determined, and can be implemented, by assigning a confidentiality level CON to each information-sensitive feature and a corresponding clearance level CLR for the information-sensitive feature to each MyCompany user. Optionally, CON can be assumed to be equal to an arbitrary integer value from a favorable integer range (1-C m) for the confidentiality level of a given information-sensitive feature, where larger values indicate a higher confidentiality level that requires stricter restrictions on access to the feature than lower values. The CLR clearance level can assume any value from the same range of values as CON. A user can be permitted access to a given confidentiality-sensitive feature only if the user is assigned a CLR level equal to or higher than the CON level of the feature. The CON level and the CLR level can be determined, for example, by MyCompany personnel, or by using artificial intelligence (AI), such as machine learning algorithms like decision trees or clustering algorithms, or convolutional neural networks (CNNs), that have been trained with supervised learning and/or unsupervised learning.

[0045] Each confidentiality level can be equipped with sets STF, SIF, and SAF of confidentiality levels for, respectively, confidentiality-sensitive text features (strings, optionally regex (regular expression) strings), image features, and audio features that MyCompany digital resources may contain. For example, the confidentiality level of video material containing a sequence of images generally related to audio material and/or text material, such as ticker tape or explanatory or labeling signage, can be determined based on relevant material from STF, SIF, and/or SAF using appropriate processing to account for temporal correlation.

[0046] The set STF optionally comprises, for each of a plurality of confidentiality-sensitive text features stf α,η (1 ≤ α ≤ α m), a confidentiality level CON(stf α,η) and at least one data class CLS η (1 ≤ η ≤ η m) to which the text feature belongs. A confidentiality-sensitive text feature can be any text object, or function of a text object, that is considered to include confidentiality-sensitive information either by itself or in combination with at least one other text object. By way of example, a confidentiality-sensitive text feature can be or include a string such as a regex (regular expression) string, an n-gram, a pattern of text features, for example a cluster of at least two associated text phrases that are spatially distant from each other within a resource, or a confidentiality-sensitive text feature from a cluster of confidentiality-sensitive text features associated with each other by a textual similarity distance. A confidentiality-sensitive text feature can include, indicate, or otherwise disclose, for example, marketing data such as release data about the features of a new product or a new advertising campaign, financial data such as a profit or loss statement, management data such as employee evaluations, and/or technical data such as chemical formulas or details of a manufacturing process. Data class CLS η can be any one of a plurality of η m classes that MyCompany may consider advantageous for classifying information for limited distribution; as shown by the above examples of confidentiality-sensitive text features, the data classes can include, for example, a class each for marketing data, financial data, management data, technical data, and/or RnD data.
In one embodiment, the data class can be determined, for example, by MyCompany personnel or by using a machine learning algorithm, such as a decision tree or a clustering algorithm, or a convolutional neural network (CNN), trained by supervised learning and/or unsupervised learning.

[0047] Similarly, the set SIF optionally includes, for each of a plurality of confidentiality-sensitive image features sif β,η (1 ≤ β ≤ β m), a confidentiality level CON(sif β,η) and at least one data class CLS η, used to classify confidentiality-sensitive feature data, to which the image feature is considered to belong. A confidentiality-sensitive image feature can be any image feature, or function of image features, that is considered to contain confidentiality-sensitive information either by itself or in combination with at least one other image feature. By way of example, confidentiality-sensitive image features can be images related to new products such as new sports shoes, revenue graphs, or management charts. Confidentiality-sensitive image features can also be features derived from images. For example, a new armored personnel carrier (APC) is not confidential in itself, but a feature such as the vertical tire distortion derived from an image of the APC can be considered confidentiality-sensitive, because the weight or load of the APC can be derived from the distortion.

[0048] Similarly, the set SAF optionally includes, for each of a plurality of confidentiality-sensitive audio features saf γ,η (1 ≤ γ ≤ γ m) related to audio features of sound tracks, a confidentiality level CON(saf γ,η) and at least one data class CLS η to which the audio feature is considered to belong.

[0049] The clearance profile set CLR(n, e, b) optionally includes clearance levels CLR n (stf α,η), CLR n (sif β,η), and CLR n (saf γ,η) for the confidentiality-sensitive information features stf α,η, sif β,η, and saf γ,η, which can generally be referred to as CLR n (α, β, γ, η), or simply as CLR.

[0050] In block 210, user U n uses SWB b to request access to a specific MyCompany digital resource, for authorization to interact with the resource in any of a variety of activities such as, for example, navigation, viewing, downloading, uploading, copying, or modifying information. In decision block 212, MyCompany and/or the specific resource may present the appropriate standard MyCompany permission for access to the resource together with the associated ID authentication constraints, whereby SWB b used by U n can determine whether U n meets the standard authorization requirements. Standard authorization requirements do not include scrutinizing the resource for confidentiality-sensitive information features and configuring access to the document based on the confidentiality level of the features and the clearance level of the user, which are added to the standard MyCompany permission. If the standard authorization requirements are not met, ICAP proceeds to block 244, denies user U n access to the resource, and ends the procedure.

[0051] On the other hand, if the standard authorization procedure associated with block 212 is successful, ICAP proceeds to decision block 214 and can determine whether the resource is a “clearance resource” that requires processing the user U n clearance CLR and confidentiality level CONs determined for the confidential information characteristics within the resource for approval of the authorization. If the resource is not a clearance resource, ICAP proceeds to block 242, approves the request, and ends.

[0052] On the other hand, if the resource is a clearance resource, ICAP optionally proceeds to block 216 and determines whether there are any anomalies in the user profile U-PRF(n) and/or in the operating environment of the UE e and SWB b. An anomaly in the user profile U-PRF(n) is, for example, a change in the value of a user key performance indicator ukpi n,k in the set U-KPI(n), such as the user typing pattern, use of a data pattern, or response time, that is greater than the standard deviation from the value of ukpi n,k downloaded or accessed at block 208, or a change in the value of a user risk estimate ucrp n,r in the set U-CRP(n), such as the estimate for reckless clicks on executable content or for inattentive permission management, that is greater than the standard deviation of the estimated values. An anomaly in the operating environment could include, for example, excessive overuse or underuse of the bandwidth of the MyCompany network, unstable communication traffic due to anomalies on the network, or frequent interruptions in the power supply to the network or to the user UE e.

[0053] If an anomaly is detected, ICAP optionally proceeds from block 216 to block 218 and adjusts the confidentiality level CONs and/or the user clearance level CLR. For example, for a harmful change, ICAP can increase the CON level and/or decrease the CLR level of user U n. For an advantageous change, ICAP can decrease the CON level and/or increase the CLR level of user U n. Following the adjustment, ICAP can proceed to block 220 and determine whether the resource includes text, images, audio data, or a mixture of two or more of the data types. On the other hand, if no anomaly is detected, ICAP can proceed directly from block 216 to block 220. From block 220, ICAP proceeds to block 222, where the data class CLS η can be determined. Determining the information type and data class can be performed by accessing metadata characterizing the resource or by sampling the resource and using an appropriate classifier to determine the information type and class.

[0054] Optionally, in decision block 224, if it is determined that the MyCompany resource contains text information, ICAP proceeds to block 226 and, for each of the at least one data class CLS η for which the resource was classified in block 222, optionally determines the presence of confidentiality-sensitive text features stf α,η, and optionally determines, according to the following formula, a text confidentiality figure of merit RCON(TxT) for the resource and a text clearance performance index UCLR(TxT) for user U n. [Table 1] In equations (1) and (2), [Table 2] (hereinafter referred to as "H") is the Heaviside function, and δ is a bias value less than 1 that ensures that H equals 1 when CLR(stf α,η) = CON(stf α,η).

[0055] Optionally, in block 226, if (RCON(TxT) - UCLR(TxT)) is greater than or equal to a predefined threshold TH(TxT), ICAP proceeds to block 250, rejects the request, and terminates. On the other hand, if (RCON(TxT) - UCLR(TxT)) is less than the threshold TH(TxT), ICAP may approve the request, but may operate to locally mask or delete those confidentiality-sensitive text features stf α,η within the resource for which (CON(stf α,η) - CLR(stf α,η)) is greater than a predefined text masking threshold TH(MTxT).
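As an added illustration of the text path of blocks 224 through 226 (editorial example code, not code from the patent or from Talon Cyber Security): the page does not reproduce the formulas for RCON(TxT) and UCLR(TxT), so the block stands in for (RCON(TxT) - UCLR(TxT)) with the largest per-feature gap CON(stf) - CLR(stf) found in the resource, an assumption marked in the code. The sample feature set STF, the thresholds TH(TxT) and TH(MTxT), the bias δ, the user clearance profiles and the resource text are all constructed.

```python
import re
from dataclasses import dataclass

# Constructed sample set STF of confidentiality-sensitive text features stf_{alpha,eta}.
# Each feature is a regex string (the page allows stf to be regex) with a confidentiality
# level CON(stf) in an assumed range 1..5 and a data class CLS_eta.
@dataclass(frozen=True)
class TextFeature:
    name: str
    pattern: str   # regex string identifying the feature in resource text
    con: int       # confidentiality level CON(stf); larger = stricter
    cls: str       # data class CLS_eta the feature belongs to

STF = [
    TextFeature("profit_loss", r"\bnet (?:profit|loss)\s*[:=]?\s*\$?[\d,]+", con=4, cls="financial"),
    TextFeature("employee_eval", r"\bperformance rating\s*[:=]?\s*\d", con=3, cls="management"),
    TextFeature("chem_formula", r"\bC\d+H\d+(?:O\d*)?\b", con=5, cls="technical"),
]

# Constructed resource text and two constructed user clearance profiles CLR(stf).
SAMPLE_TEXT = "Q3 summary: net profit: $1,200,000. Jane's performance rating: 4. Catalyst: C8H10."
CLR_USER_A = {"profit_loss": 4, "employee_eval": 1, "chem_formula": 3}
CLR_USER_B = {"profit_loss": 1}   # features absent from the profile get clearance 0

DELTA = 0.5  # bias delta < 1 so that H is 1 when CLR == CON, as in [0054]

def heaviside(x, delta=DELTA):
    """H(x + delta): 1 when the user's clearance is >= the feature's CON, else 0."""
    return 1 if x + delta >= 0 else 0

def scan_text(resource_text, clr, th_txt=3, th_mtxt=1, mask="[REDACTED]"):
    """ICAP text path (blocks 224-226) applied to one resource.

    Returns (decision, rendered_text, report). The rendered text is a separate copy:
    resource_text as received by the UE is never modified, matching local masking in [0056].
    Assumption: the largest per-feature gap CON - CLR stands in for RCON(TxT) - UCLR(TxT).
    """
    report = []
    max_gap = 0
    for f in STF:
        if not re.search(f.pattern, resource_text, flags=re.IGNORECASE):
            continue  # feature absent from this resource
        user_clr = clr.get(f.name, 0)
        gap = f.con - user_clr
        permitted = heaviside(user_clr - f.con)
        report.append({"feature": f.name, "cls": f.cls, "con": f.con,
                       "clr": user_clr, "gap": gap, "permitted": permitted})
        max_gap = max(max_gap, gap)
    if max_gap >= th_txt:
        return "reject", None, report            # block 250: reject and terminate
    rendered = resource_text
    for entry in report:
        if entry["gap"] > th_mtxt:               # exceeds TH(MTxT): mask locally
            feature = next(f for f in STF if f.name == entry["feature"])
            rendered = re.sub(feature.pattern, mask, rendered, flags=re.IGNORECASE)
    return "approve", rendered, report

if __name__ == "__main__":
    for label, clr in (("user A", CLR_USER_A), ("user B", CLR_USER_B)):
        decision, rendered, report = scan_text(SAMPLE_TEXT, clr)
        print(label, decision, rendered)
```

User A clears the financial figure (CON 4, CLR 4, gap 0) and sees it, while the evaluation and the formula exceed TH(MTxT) and are masked in the rendered copy only; user B's largest gap reaches TH(TxT), so the request is rejected before anything is rendered.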

[0056] According to one embodiment, to locally mask or delete a given text feature stf α,η means that the UE e masks or deletes the given text feature within the version of the resource displayed to the user in the user interface (UI) of the UE, without affecting the data defining the original version of the resource received by the UE e. Local masking or deletion refers to masking or deleting a given feature in the UE e, optionally executed by hooking the SWB b renderer within the UE, and as a result the resource is not changed at the source from which the SWB b downloaded it to the CISE. For example, local masking or deletion of a web page does not change the HTML (HyperText Markup Language), CSS (Cascading Style Sheets), or JavaScript as received by the SWB b, nor does it change the DOM (Document Object Model) tree of the web page.

[0057] In decision block 224, if text information does not exist in the MyCompany resource, ICAP proceeds to decision block 230. In decision block 230, if it is determined that the MyCompany resource contains image information, ICAP proceeds to block 232 to determine the probability P(sif β,η) that each image feature sif β,η exists in the image information. Optionally, the probability P(sif β,η) is determined by processing the image information using a deep convolutional neural network (DNN). Optionally, in block 234, ICAP may determine the image confidentiality index RCON(ImG) for the MyCompany resource and the image clearance index UCLR(ImG) for user U n according to the following formula.

[Table 3]

[0058] Optionally, in block 236, ICAP may determine whether (RCON(ImG) - UCLR(ImG)) is greater than or equal to a predetermined threshold TH(ImG), and if so, proceed to block 250, reject the request, and end. On the other hand, if (RCON(ImG) - UCLR(ImG)) is less than the threshold TH(ImG), ICAP approves the request, but may operate to locally mask or delete those confidentiality-sensitive image features sif β,η for which (CON(sif β,η) - CLR(sif β,η)) is greater than a predetermined masking threshold TH(MImG).

[0059] When it is determined in decision block 230 that image information does not exist in the MyCompany resource, ICAP may proceed to decision block 238. In decision block 238, if it is determined that the MyCompany resource includes audio information, ICAP proceeds to block 240 and optionally uses a natural language processor (NLP) to determine the presence of audio features saf γ,η in the audio information. In the block, ICAP may optionally determine, for the saf γ,η found to exist within the MyCompany resource, the audio confidentiality index RCON(Audio) for the MyCompany resource and the audio clearance index UCLR(Audio) for user U n according to the following formula. [Table 4]

[0060] In block 242, ICAP may determine whether (RCON(Audio) - UCLR(Audio)) is greater than or equal to a predetermined threshold TH(Audio), and if so, proceed to block 250, reject the request, and end. On the other hand, when (RCON(Audio) - UCLR(Audio)) is less than the threshold TH(Audio), ICAP approves the request, but may operate to locally mask or delete those confidentiality-sensitive audio features saf γ,η for which (CON(saf γ,η) - CLR(saf γ,η)) is greater than a predetermined masking threshold TH(MAudio).

[0061] In block 244, ICAP may determine whether RCON(TxT) is greater than a predetermined text watermarking threshold TH(TxT - Wmark), whether RCON(ImG) is greater than a predetermined image watermarking threshold TH(ImG - Wmark), or whether RCON(Audio) is greater than a predetermined audio watermarking threshold TH(ImG - Wmark), and if so, operates to locally watermark the MyCompany resource using a visible or invisible watermark. Local watermarking according to one embodiment is implemented in the same way as local masking or deletion, without causing a change to the data defining the resource received by the UE e. From block 244, ICAP optionally proceeds to block 248, approves the request, and ends.

[0062] In flowchart 300, ICAP determines authorization, masking or deletion, and/or watermarking based on data class CLS, resource confidentiality level CON, and user clearance level CLR, but note that the practice of embodiments of the present disclosure is not limited to using CLS, CON, and/or CLR as shown in the flowchart. For example, a DNN can be trained to recognize resource data classes, confidentiality levels, and/or clearance levels, and, given a sufficient number of training examples of resource-user pairs, can be used to determine authorization and masking or deletion. According to one embodiment, such a DNN can determine whether a user should be granted or denied authorization to engage a resource and, if authorization is granted, whether the resource should undergo feature masking or deletion. The DNN can also be trained to determine how to watermark which resources. For example, when provided with the profile U-PRF(n) of user U n and the scan or feature vector of the resource, the DNN can determine that the resource being processed in SWB b by user U n should be watermarked with a visible or hidden steganographic watermark before SWB b sends the resource.

[0063] To facilitate the protection of MyCompany resources and secure access thereto, CyberSafe can configure the MyCompany UE e so that a high resolution observation (HIRO) procedure, for observing the activities of the user operating UE e within SWB b to interact with MyCompany resources, can be performed by SWB b in accordance with one embodiment of the present disclosure.

[0064] Figures 4A-4B illustrate the operation of HIRO procedure 300 for monitoring the activities of user U n in accordance with one embodiment of the present disclosure.

[0065] In block 302, in accordance with one embodiment, user U n, who is subject to and restricted by a MyCompany and/or CyberSafe policy and who accesses and uses MyCompany resources that have been CyberSafe-authorized, is "tagged" by MyCompany as using the UE e and SWB b to interact with MyCompany resources. Optionally, in block 304, MyCompany instructs the SWB b to perform HIRO to observe the activities of U n, and in block 306, HIRO initializes a monitoring mode to monitor the activities of user U n while the user is interacting with MyCompany.

[0066] The monitoring mode is optionally defined by at least one, or any combination of two or more, of the following: namely, a user KPI, ukpi n,k selected from the set of user key performance indicators U-KPI(n) = {ukpi n,k | 1 ≤ k ≤ K}, optionally called an active ukpi n,k ; a temporal configuration characterizing the time-dependence of the monitoring; a transmission mode, batch or streaming, in which the ukpi n,k data being monitored is sent to the my-company; and / or a data analysis profile specifying at least one desired type of analysis data generated by processing the data being monitored.

[0067] The active user KPI ukpi n,k selected for monitoring may comprise any one of the exemplary ukpi n,k (1 ≤ k ≤ K) described above with respect to flowchart 100. As an additional example, the exemplary ukpi n,k can be the number and type of websites or resources that the user engages with per session, or any of the various common human-computer action events that the user performs per unit time to communicate with the computer. By way of example, common human-computer action events are "mouseover", "mouseout", "submit", and/or "resize" events.

[0068] The temporal configuration of the monitoring mode can be characterized as a duty cycle configuration or a continuous configuration, and the corresponding monitoring modes can be characterized as a duty cycle mode or a continuous monitoring mode, respectively. The duty cycle mode for an active ukpi n,k is a mode in which the active ukpi is monitored during each of a plurality of discrete sampling periods separated by hiatuses during which the active ukpi is not monitored. The duty cycle for the mode is equal to the ratio of the time during which the active ukpi is being monitored to the monitoring period of interest. When the sampling periods have the same duration and the sampling frequency at which the sampling periods are initiated is substantially constant, the duty cycle is substantially equal to the sampling frequency multiplied by the duration of the sampling period divided by the duration of the monitoring period of interest. The sampling periods and sampling frequencies of the duty cycle monitoring mode can be the same for some or all of the active ukpi n,k, and at least some different active ukpi n,k may have different sampling periods and/or sampling frequencies. The monitoring mode for an active ukpi n,k is considered to be a continuous monitoring mode if the active ukpi n,k is monitored substantially continuously for the entire monitoring period of interest and the monitoring mode is not advantageously characterized by a duty cycle.

[0069] In one embodiment, the analysis data specified by the data analysis profile may include at least one of proactive help analysis, security analysis, enrichment analytics, and / or audit analysis, or any combination of two or more.

[0070] Proactive help analysis includes processing monitoring data to infer possible user needs for help and prescribing substantive help according to those needs. The inferences can be based on, for example, identifying characteristics of a frenetic search pattern exhibited by the user, abnormal breaks in user activity, screenshots at the time of the break, or abnormal user wait times in response to resource actions. Substantive help can be determined and composed, for example, based on responses to queries submitted to heuristics, machine learning algorithms, and/or generative AI.

[0071] Security analysis includes processing monitoring data to identify anomalous events that may indicate a risk of cyber damage and/or violations of MyCompany policies. Anomalous events can be determined by identifying outlier values or outlier members of any component of the sets used to determine the initial monitoring mode in block 306. Outlier values of components, such as user KPIs ukpi n,k or website risk vulnerabilities wrv w,v, can be values of components that deviate by an amount greater than the standard deviation from the average value for the component, optionally the historical average. An outlier member can be, for example, a new and possibly high-risk website that a user attempts to access for the first time. The response to an anomalous event can, according to one embodiment of the present disclosure, include invoking an ICAP procedure similar to the ICAP 200 shown by flowchart 200 of FIGS. 3A-3C to reduce user permission and/or access to data within the resource. Although ICAP 200 is described as managing data shown as confidentiality-sensitive information features, each having an assigned confidentiality level, note that an ICAP according to one embodiment can similarly manage features sensitive to the risk of the resource by assigning a risk level to the feature and an appropriate risk tolerance clearance to the user, and can be configured to respond thereto.
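The outlier rule used both for the block 216 anomaly check in [0052] and for the security analysis in [0071] (a value that deviates from the historical average by more than the standard deviation), together with the block 218 response of lowering the user's clearance, as an added example that is not code from the patent or from Talon Cyber Security. The KPI histories, the known-site set, the clearance values and the one-level adjustment step are constructed assumptions; the page does not fix them.

```python
from statistics import mean, pstdev

# Constructed historical values of two user KPIs ukpi_{n,k} for one user, standing in for
# the U-KPI(n) baseline downloaded at block 208.
HISTORY = {
    "typing_interval_ms": [180, 190, 175, 185, 200, 178, 182, 195, 188, 184],
    "response_time_s": [2.1, 2.4, 2.0, 2.3, 2.2, 2.6, 2.1, 2.5, 2.3, 2.2],
}
KNOWN_SITES = {"intranet.example", "mail.example"}   # constructed set of sites seen before

def baseline(samples):
    """Mean and (population) standard deviation of the historical samples."""
    return mean(samples), pstdev(samples)

def is_outlier(value, samples):
    """Outlier value per [0052]/[0071]: deviates from the historical mean by more than one std dev."""
    mu, sigma = baseline(samples)
    return abs(value - mu) > sigma

def detect_anomalies(observed, history=HISTORY):
    """Map each observed KPI to True when it is an outlier against its own history."""
    return {k: is_outlier(v, history[k]) for k, v in observed.items() if k in history}

def is_outlier_member(site, known_sites=KNOWN_SITES):
    """Outlier member per [0071]: a site the user is reaching for the first time."""
    return site not in known_sites

def adjust_clearance(clr, anomalies, step=1, floor=1):
    """Block 218 response to a harmful anomaly: lower the user's clearance levels CLR by one
    step (assumed size), never below floor. With no anomaly the profile is returned unchanged."""
    if not any(anomalies.values()):
        return dict(clr)
    return {k: max(floor, v - step) for k, v in clr.items()}

if __name__ == "__main__":
    observed = {"typing_interval_ms": 260, "response_time_s": 2.3}   # constructed session sample
    flags = detect_anomalies(observed)
    print(flags, adjust_clearance({"profit_loss": 4, "chem_formula": 3}, flags))
```

In the constructed history the typing-interval baseline is about 186 ms with a standard deviation near 7 ms, so a session value of 260 ms is flagged while 186 ms is not; a flagged session lowers every clearance level by one, which is the block 218 "harmful change" branch of [0053].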

[0072] Enhanced analysis can include processing monitoring data to identify analysis data, optionally called new data, that can be used to update or add information included in any of the sets used to determine the initial monitoring mode in block 306. Identifying the monitored data as new data can be determined by comparing a value provided by or derived from the monitored data to a corresponding value within the set used to determine the initial monitoring mode in block 306.

[0073] Audit analysis involves processing monitoring data to identify and specify the details of a trajectory that a company digital resource follows and to generate audit data records. The trajectory can be any traversal of the resource between communication nodes included in the company and / or CyberSafe local or wide area communication networks (LAN or WAN, respectively), and / or between company and / or CyberSafe nodes and nodes external to the company or CyberSafe, and can also include a change that the resource undergoes at a node. Audit data records can optionally be generated for each of a plurality of audit trigger events, including, by way of example, downloading a company resource, modifying the resource, copying material from the resource, pasting material to the clipboard, and / or sending the resource, a modified resource, or a portion of the resource to a printer. In one embodiment, the audit data records for events occurring at the UE_e of user U_n include the values of each of a plurality of keys in key-value pairs, the keys including at least one, or any combination of two or more, of: an event timestamp; the extended ID associated with the company user using UE_e; a hash of the metadata that identifies and / or characterizes the resource; a hash of the content of the resource or of at least a portion of the resource; the source address of the source from which UE_e received the resource; and / or the destination address of the destination to which the resource was sent from UE_e.

[0074] In one embodiment, HIR can initialize a monitoring mode in response to any one, or any combination of two or more, of the components of the profile U-PRF(n) of user U_n, the components of the risk vector HVR(e) for user equipment UE_e, the components of the set HCC(e) of risk-exposed environmental software components of UE_e, the components of the set CPA(b) of CyberSafe software attributes of SWB_b, and / or the components of the user clearance profile CLR(n,e,b). The initialized monitoring mode can also be determined in response to websites ws_w of a set of websites WS = {ws_w | 1 ≤ w ≤ W} and / or in response to the values of the risk components wrv_{w,v} of the set of website risk vulnerabilities WRV(w) = {wrv_{w,v} | 1 ≤ v ≤ V}. Here, wrv_{w,v} quantifies a cyber risk vulnerability of website ws_w as determined by the company or CyberSafe. Any of various artificial intelligences (AIs), such as a deep neural network (DNN) or a machine learning (ML) algorithm, can be used to assign a risk level to the vulnerability. Optionally, heuristic classification is used to determine the risk vulnerability. In one embodiment, HIRO can initialize the monitoring mode in response to a data analysis profile.

[0075] As a simplified example, the initialized monitoring mode for a company user whose user profile U-PRF(n) is considered to indicate a relatively high risk of cyber damage can be configured as a duty cycle monitoring mode having a relatively high duty cycle, or as a continuous monitoring mode. The user profile U-PRF(n) can be considered to indicate a high risk when, for example, one or more user risk components ucrp_{n,r} of U-CRP(n) are considered to indicate a high risk of cyber damage. On the other hand, for a MyCompany user having a component CLR_n(α,β,γ,η) of the user clearance profile set CLR(n,e,b), the initialized mode can be a duty cycle mode having a relatively small duty cycle.

[0076] In decision block 308, when HIR initializes the monitoring mode to the duty cycle mode, HIR proceeds to block 310, selects the set of active ukpi_{n,k}, and for each selected ukpi_{n,k} determines the duty cycle and whether the data transmission is batch transmission or stream transmission.

[0077] On the other hand, when HIR initializes the monitoring mode to the continuous monitoring mode rather than the duty cycle mode, HIR can proceed to block 312. In block 312, HIR selects the active user KPIs ukpi_{n,k} for continuous monitoring and determines whether the data transmission is batch transmission or stream transmission.

[0078] In block 316, HIR starts monitoring, recording, and transmitting data to MyCompany according to the initialized monitoring mode.

[0079] Optionally, in block 318, while UE_e is in use, HIR determines a substantially real-time value for a metric of user activity, optionally called the activity temperature, which provides an indication of the intensity of the user's interaction with the company's resources. By way of example, the activity temperature is an average of the real-time monitored values of at least a portion of the active user ukpi_{n,k}, optionally weighted, which may be called the heat ukpi_{n,k}. Optionally, HIRO determines the activity temperature as a function of the number of events per unit time determined from the monitoring data obtained for the heat ukpi_{n,k}. In one embodiment, heat events include human-computer action events, such as the keyboard, mouse, and screen touch events commonly used to interact with a computer.

[0080] Optionally, in block 320, HIR determines the difference between the real-time activity temperature and a baseline activity temperature determined from the normative values of the heat ukpi_{n,k} provided by the user profile U-PRF(n) that was used in block 306 to initialize the monitoring mode for observing the activity of user U_n. If the difference is greater than a predefined threshold difference TH(temp), then in block 322 HIR can adjust the monitoring mode, for example by changing the duty cycle of the active and heat ukpi_{n,k}, or by changing the monitoring mode from a duty cycle mode to a continuous mode or from a continuous mode to a duty cycle mode.

[0081] For example, when the real-time activity temperature is relatively low and indicates relatively low user activity, it may be advantageous to increase the sampling time and duty cycle of the active ukpi_{n,k} to obtain sufficient timely monitoring data to generate a reliable analysis. Alternatively, when the activity temperature is relatively high and / or improved temporal resolution is desired, it may be advantageous to decrease the sampling time but increase the sampling frequency, or to change the current monitoring mode from a duty cycle monitoring mode to a continuous monitoring mode. As another example, when the user activity temperature is relatively low and the user is interacting with a known web page or other resource without intense user activity, it may be appropriate to reduce the duty cycle when the current monitoring mode is the duty cycle mode, or to switch from the current continuous mode to the duty cycle mode. Adjustments to the monitoring mode can also be made by changing which user ukpi_{n,k} are active, or by changing the number of active ukpi_{n,k}. In one embodiment, HIRO is configured to dynamically adjust the monitoring mode in real time.
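Blocks 318 to 322 as an added Python example, not code from the patent: the activity temperature is computed as heat events per unit time, compared with a baseline from U-PRF(n) against TH(temp), and the monitoring mode is adjusted following the three cases above. The mode fields, the doubling/halving steps and the threshold values are assumptions.

```python
"""Activity temperature and monitoring-mode adjustment (blocks 318-322).

Added example, not the patent's code. Constructed/assumed: heat event
timestamps (keyboard, mouse, touch), the baseline taken from U-PRF(n),
the threshold TH(temp), and the concrete step sizes of each adjustment;
the direction of each adjustment follows the text's three examples.
"""
from dataclasses import dataclass, replace
from typing import Sequence


@dataclass(frozen=True)
class MonitoringMode:
    continuous: bool        # True = continuous mode, False = duty cycle mode
    duty_cycle: float       # fraction of each period spent sampling (duty cycle mode)
    sample_seconds: float   # length of one sampling burst (the "sampling time")


def activity_temperature(heat_events: Sequence[float], window_seconds: float) -> float:
    """Heat events per second over the window, i.e. the rate of the heat ukpi."""
    if window_seconds <= 0:
        raise ValueError("window must be positive")
    return len(heat_events) / window_seconds


def adjust_mode(mode: MonitoringMode, temp: float, baseline: float,
                th_temp: float, known_resource: bool) -> MonitoringMode:
    """Blocks 320/322: change the mode only if |temp - baseline| > TH(temp)."""
    diff = temp - baseline
    if abs(diff) <= th_temp:
        return mode                                   # within tolerance: keep mode
    if diff > 0:
        # High activity: better temporal resolution. Either switch a heavily
        # sampled duty cycle mode to continuous, or shorten bursts while
        # raising the duty cycle (more frequent, shorter samples).
        if not mode.continuous and mode.duty_cycle >= 0.5:
            return replace(mode, continuous=True)
        return replace(mode, duty_cycle=min(1.0, mode.duty_cycle * 2),
                       sample_seconds=mode.sample_seconds / 2)
    if known_resource:
        # Low activity on a known page: lighten monitoring (continuous ->
        # duty cycle, or a smaller duty cycle).
        if mode.continuous:
            return replace(mode, continuous=False, duty_cycle=0.25)
        return replace(mode, duty_cycle=max(0.05, mode.duty_cycle / 2))
    # Low activity elsewhere: longer sampling time and higher duty cycle so
    # enough timely data is gathered for a reliable analysis.
    return replace(mode, duty_cycle=min(1.0, mode.duty_cycle * 2),
                   sample_seconds=mode.sample_seconds * 2)
```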

[0082] In decision block 324, when the data analysis profile of the monitoring mode specifies that the monitoring mode engages in proactive help, HIRO proceeds to block 326 and calls help analysis to identify and respond to the user's needs as described above. Otherwise, HIRO may proceed to decision block 328. In decision block 328, when the analysis profile specifies that the monitoring mode engages in security analysis, HIRO proceeds to block 330 and calls security analysis to identify security violations and, optionally, take remedial action against the identified violations as described above. Otherwise, HIRO may proceed to decision block 332. In decision block 332, when the analysis profile specifies that the monitoring mode engages in data enhancement, HIRO proceeds to block 334 and calls enhancement analysis to identify new data and, optionally, update relevant company data such as data in the user profile U-PRF(n) and / or data in the website risk vulnerabilities WRV(w). Otherwise, HIRO may proceed to decision block 336. In decision block 336, when the analysis profile does not specify engaging in audit analysis, HIRO proceeds to block 340 and either ends the monitoring of the activities of user U_n or returns to block 316 and continues monitoring. On the other hand, when in decision block 336 the analysis profile specifies engaging in audit analysis, HIRO proceeds to block 338, calls audit analysis, and generates an audit data record for an audit trigger event, which enables the company to audit the history of company resources as they move across the company network and morph. HIRO then proceeds to block 340 and either stops the monitoring activity or returns to block 316 and continues monitoring.

[0083] The virtual history of a given MyCompany resource that traverses the MyCompany network, optionally a research report "X", illustrates the operation of the HIRO audit analysis according to one embodiment of the present disclosure.

[0084] Let TRG(b) = {trg_μ | 1 ≤ μ ≤ U} represent the set of audit trigger events trg_μ, such as the audit trigger events mentioned above, that may occur in the SWB_b of the UE_e used by user U_n. Let AUR(b) = {aur_{b,α} | 1 ≤ α ≤ A} be the set of audit data records aur_{b,α} generated by SWB_b in response to audit trigger events associated with MyCompany resources that occur in SWB_b, and transferred to MyCompany. According to an embodiment of the present disclosure, each component aur_{b,α} includes the values for the key-value pairs mentioned above and, in addition, advantageously includes the ID of the audit trigger event that caused SWB_b to generate the audit data record and transfer it to MyCompany.

[0085] Assume that the research report "X" of MyCompany is downloaded by a first MyCompany user U1 at time ToD1 to the browser SWB1 in UE1. The download can be an audit trigger event trg1 that causes SWB1 to generate a first audit data record AUR(1)1 and upload it to MyCompany. AUR(1)1 may indicate that at ToD1, user U1 downloaded X from IP address A1, where X has the metadata hash H1-M identifying X and the content hash H1-C of a part of the content of X. In response to a trigger event trg2 of user U1 modifying X, a second audit data record AUR(1)2 generated and uploaded by SWB1 indicates that at time ToD2, U1 modified the metadata of X. All components of AUR(1)2 are the same as the corresponding components of AUR(1)1, except for the metadata hash H2-M that replaces the metadata hash H1-M. A third audit data record AUR(1)3 generated and uploaded by SWB1 indicates that at time ToD3, U1 sent a document having a content hash identical to H1-C and the metadata hash H2-M to the IP address A2 of a second MyCompany user U2 who operates browser SWB2. A fourth audit data record AUR(2)4 generated and uploaded by SWB2 indicates that at time ToD4, a little after time ToD3, user U2 received a document bearing the metadata hash H2-M from user U1. A fifth audit data record AUR(2)5 generated and uploaded by SWB2 indicates that U2 sent an email to a non-MyCompany employee with a document that has a third metadata hash H3-M but the same content hash H1-C as that in the audit data record AUR(1)1 of document X. By processing the uploaded audit data records, MyCompany can determine that the audit data records AUR(1)1 - AUR(2)5 are all associated with document X, and that users U1 and U2 are collaborating in leaking MyCompany's confidential materials to external entities.
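The audit analysis of paragraphs [0073] to [0085], as an added Python example that is not code from the patent: audit data records with the listed key-value fields are grouped by content hash so that the trajectory of document X survives its metadata changes, and a trajectory that ends in a send to a non-MyCompany address is reported together with every user on its path. Record values and the set of internal node addresses are constructed.

```python
"""Audit analysis over SWB audit data records, following the document X scenario.

Added example, not code from the patent. Record fields follow the key-value pairs
the text lists (timestamp, user extended ID, metadata hash, content hash, source,
destination) plus the trigger ID; all values are constructed placeholders, and
MYCOMPANY_NODES is an assumed set of addresses MyCompany treats as internal.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumption: addresses MyCompany recognises as its own nodes (A1 and A2 from
# the text, A0 as a constructed address for U1). Anything else is external.
MYCOMPANY_NODES = {"A0", "A1", "A2"}


@dataclass(frozen=True)
class AuditRecord:
    tod: int                    # event timestamp ToD (constructed ordinal)
    user: str                   # extended ID of the MyCompany user
    trigger: str                # audit trigger event ID: download, modify, send, receive
    meta_hash: str              # hash of the metadata identifying the resource
    content_hash: str           # hash of (a portion of) the resource content
    src: Optional[str] = None   # source address, when the resource was received
    dst: Optional[str] = None   # destination address, when the resource was sent


# Constructed records mirroring AUR(1)1 .. AUR(2)5 for research report X.
RECORDS = [
    AuditRecord(1, "U1", "download", "H1-M", "H1-C", src="A1"),
    AuditRecord(2, "U1", "modify",   "H2-M", "H1-C"),
    AuditRecord(3, "U1", "send",     "H2-M", "H1-C", dst="A2"),
    AuditRecord(4, "U2", "receive",  "H2-M", "H1-C", src="A0"),
    AuditRecord(5, "U2", "send",     "H3-M", "H1-C", dst="EXT-1"),  # non-MyCompany recipient
]


def trajectories(records: List[AuditRecord]) -> Dict[str, List[AuditRecord]]:
    """Group records by content hash: the metadata hash morphs (H1-M, H2-M,
    H3-M) but the content hash keeps identifying document X along its path."""
    by_content: Dict[str, List[AuditRecord]] = defaultdict(list)
    for rec in sorted(records, key=lambda r: r.tod):
        by_content[rec.content_hash].append(rec)
    return dict(by_content)


def metadata_history(path: List[AuditRecord]) -> List[str]:
    """Distinct metadata hashes in the order they appeared on the path."""
    seen: List[str] = []
    for rec in path:
        if rec.meta_hash not in seen:
            seen.append(rec.meta_hash)
    return seen


def is_external(address: Optional[str]) -> bool:
    return address is not None and address not in MYCOMPANY_NODES


def leaks(records: List[AuditRecord]) -> Dict[str, List[str]]:
    """Content hashes that were sent outside MyCompany, each with the sorted
    set of users that handled that content anywhere on its trajectory."""
    found: Dict[str, List[str]] = {}
    for chash, path in trajectories(records).items():
        if any(r.trigger == "send" and is_external(r.dst) for r in path):
            found[chash] = sorted({r.user for r in path})
    return found
```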

[0086] In one embodiment, the SWB in a MyCompany UE_e can be configured to implement a method for providing dynamically tailored isolation (DYTI) to users to protect MyCompany resources from harm. DYTI refers to dynamically protecting a user's browsing activity in real time by configuring the separation of browsing activities as needed in response to relevant historical and real-time user and website behavior. In one embodiment, DYTI can operate to provide dynamically tailored browser isolation according to a procedure similar to the procedure shown by flowchart 400.

[0087] In block 402, user U_n starts a web browsing session using the SWB_b contained in UE_e. In response, optionally, in block 404, SWB_b invokes DYTI, which operates to vet data included in or associated with at least one, or any combination of two or more, of the user profile U-PRF(n), UE_e, SWB_b, and / or the set of website risk vulnerabilities WRV(w) that can affect the cyber victimization risk associated with the browsing. In response to this vetting, optionally, at block 406, DYTI determines whether isolation is advantageous. For example, DYTI may determine that isolation is advantageous when the user profile U-PRF(n) indicates that user U_n has a tendency to respond carelessly to phishing and has a relatively low clearance level CLR, UE_e has old patches, and / or the websites navigated by user U_n are generally characterized by high risk vulnerabilities. On the other hand, DYTI may determine that isolation is not necessary when it determines that the browsing risk for user U_n, UE_e, and / or SWB_b is relatively low. When it is determined that isolation is not necessary, DYTI proceeds to block 416 and can enable browsing without isolation.

[0088] On the other hand, when it is determined that isolation is necessary, DYTI optionally determines, at block 408, what type and degree of isolation configuration is advantageously provided for the browsing of user U_n. In one embodiment, the isolation configuration types include tab-by-tab isolation and browser isolation. A tab-by-tab isolation configuration provides separation for resources accessed during the session associated with a given tab, and optionally different isolation features may be provided for different web pages accessed during and via the tab session. Browser isolation separates the entire browser and is generally considered to provide more comprehensive isolation than tab-by-tab isolation. Note that browser isolation for a given browser can "nest" tab-by-tab isolation, isolating the tabs opened within the browser from each other and from the browser itself. The degree of isolation for a given isolation configuration type can be considered to increase as the number of isolation features included in the configuration increases and as the severity of the restrictions that each isolation feature imposes on browsing increases. As an example, a short list of exemplary isolation features, in an order that can be considered to reflect their severity, is: server signature invalidation, error message invalidation, clickjacking prevention, and remote file inclusion blocking.

[0089] In response to the determination at block 408, optionally, at block 410, DYTI determines whether tab-by-tab isolation is suitable for providing the desired degree of separation. If tab-by-tab isolation is considered appropriate, DYTI proceeds to block 412, specifies isolation features for tab-by-tab isolation that provide the desired degree of isolation for the browsing of user U_n, and proceeds to block 416 to enable user U_n to browse. On the other hand, if at decision block 410 DYTI determines that tab-by-tab isolation is not appropriate, DYTI optionally proceeds to block 414 and provides isolation for browser SWB_b using a virtualization sandbox such as a virtual machine or container, or via a bare-metal server sandbox; optionally, operating-system-based (OS-based) isolation may be provided. From block 414, DYTI proceeds to block 416 and enables browsing by user U_n.

[0090] In one embodiment, after browsing by U_n is enabled at block 416, DYTI engages at block 418 in real-time monitoring of the user's browsing and, optionally, at decision block 420, determines whether browsing characteristics, such as abnormal events or access by user U_n to unknown or particularly malicious websites, warrant a change in the isolation configuration. If a change in isolation is indicated, DYTI optionally returns to decision block 406 to determine the type and extent of isolation required; optionally, DYTI is configured to make the change and makes it. If no change in isolation is indicated, DYTI proceeds to decision block 422 to determine whether user U_n has closed the browsing session and, if not, returns to block 418 to continue monitoring the browsing. If the user closes the browsing session, DYTI proceeds to block 424 to close any open sandbox and end DYTI activity. According to one embodiment, DYTI is configured to establish a particular isolation configuration and / or to make changes to the isolation configuration during the browsing session in a manner that is substantially transparent to user U_n.
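The DYTI decision flow of blocks 404 to 420, as an added Python example that is not code from the patent: the vetted signals named in the text are scored, the score selects no isolation, tab-by-tab isolation with a severity-graded subset of the listed features, or sandboxed browser isolation, and an anomalous event during the session sends the decision back to block 406. The signal scale, weights and thresholds are assumptions; only the feature names come from the text.

```python
"""Dynamically tailored isolation (DYTI) decision, blocks 404-414 and 420.

Added example, not the patent's code. The risk signals' scales, the scoring
weights, the thresholds and the feature-count rule are assumptions chosen to
illustrate the decision flow; the feature names are the text's exemplary list.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Exemplary isolation features from the text, in order of increasing severity.
ISOLATION_FEATURES = [
    "server_signature_invalidation",
    "error_message_invalidation",
    "clickjacking_prevention",
    "remote_file_inclusion_blocking",
]


@dataclass
class BrowsingRisk:
    phishing_prone: bool       # from U-PRF(n): careless response to phishing
    clearance: int             # CLR component, assumed scale 0 (lowest) .. 3 (highest)
    patches_outdated: bool     # from UE_e: old patches
    site_risk: float           # highest wrv over the sites browsed, assumed 0.0 .. 1.0


@dataclass
class IsolationConfig:
    kind: str                              # "none", "tab" or "browser"
    features: List[str] = field(default_factory=list)
    sandbox: Optional[str] = None          # e.g. "container" for OS-based isolation


def risk_score(r: BrowsingRisk) -> float:
    """Block 404 vetting: constructed weighting of the signals the text names."""
    score = 0.3 if r.phishing_prone else 0.0
    score += 0.2 if r.patches_outdated else 0.0
    score += 0.2 * (3 - r.clearance) / 3      # lower clearance -> more risk
    score += 0.3 * r.site_risk
    return round(score, 3)


def choose_isolation(r: BrowsingRisk) -> IsolationConfig:
    """Blocks 406-414: none, tab-by-tab with graded features, or browser isolation."""
    s = risk_score(r)
    if s < 0.25:
        return IsolationConfig("none")                       # block 416 directly
    if s < 0.7:
        # Block 412: degree of isolation grows with the number of features;
        # take the first k of the severity-ordered list.
        k = 1 + int((s - 0.25) / 0.15)
        return IsolationConfig("tab", ISOLATION_FEATURES[:min(k, len(ISOLATION_FEATURES))])
    # Block 414: whole-browser isolation in a sandbox, every feature enabled.
    return IsolationConfig("browser", list(ISOLATION_FEATURES), sandbox="container")


def reevaluate(current: IsolationConfig, r: BrowsingRisk,
               anomalous_event: bool) -> IsolationConfig:
    """Block 420: an anomalous event returns the session to block 406."""
    return choose_isolation(r) if anomalous_event else current
```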

[0091] In the specification and claims of this application, each of the verbs “comprise,” “include,” and “have,” and their conjugations, are used to indicate that the object of the verb is not necessarily a complete list of components, elements, or parts of the subject of the verb.

[0092] The description of embodiments of the invention in this application is provided by way of example and is not intended to limit the scope of the invention. The described embodiments include different features, and not all of them are required in all embodiments of the invention. Some embodiments utilize only some of the features, or possible combinations of the features. Variations of the described embodiments of the invention, and embodiments of the invention that include different combinations of the features described in the described embodiments, will occur to those skilled in the art. The scope of the invention is limited only by the claims.

Claims

1. A method comprising:
determining one or more clearance levels for a user, wherein the one or more clearance levels correspond to one or more data types;
determining, based on a request by the user to access a resource in a browser, one or more confidentiality levels for the resource corresponding to the one or more data types;
for each of the one or more confidentiality levels and each of the one or more clearance levels corresponding to a data type of the one or more data types:
blocking the request based on the confidentiality level and the clearance level meeting a first criterion, and
based on the confidentiality level and the clearance level meeting a second criterion, performing at least one of masking, deleting, and watermarking data of the data type associated with the resource; and
granting the request based on the first criterion not being met for each of the one or more data types.

2. The method according to claim 1, further comprising adjusting the one or more clearance levels based on one or more anomalies observed for the user in an operating environment.

3. The method according to claim 2, wherein the one or more anomalies include a change in a value of a key performance indicator of the user.

4. The method according to claim 1, wherein the one or more data types include image data, text data, and audio data.

5. The method according to claim 1, wherein the first criterion includes a criterion that a difference between a first performance index for the confidentiality of the data type of the resource and a second performance index for the user clearance for the data type exceeds a first threshold, and the second criterion includes a criterion that the difference between the confidentiality level and the clearance level exceeds a second threshold.

6. The method according to claim 1, wherein determining the one or more confidentiality levels for the resource includes determining one or more data classes for data associated with the resource.

7. The method according to claim 6, wherein the one or more data classes include at least one of marketing data, financial data, technical data, and research and development data.
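The per-data-type decision of claims 1 and 5, with the data-class mapping of claims 6 and 7 and the clearance adjustment of claims 2 and 3, as an added Python example that is not code from the patent. The level scale, the two thresholds, the class-to-confidentiality mapping and the choice of masking as the mitigation are assumptions.

```python
"""Per-data-type access decision of claims 1 and 5.

Added example, not the patent's code. Assumed: a 0..4 level scale, the
thresholds TH1 and TH2, the data-class -> confidentiality mapping (claims 6/7),
and masking as the mitigation chosen among masking/deleting/watermarking.
"""
from dataclasses import dataclass
from typing import Dict, List

DATA_TYPES = ("text", "image", "audio")   # claim 4
TH1 = 2   # first threshold: difference at which the whole request is blocked
TH2 = 0   # second threshold: difference at which data of that type is mitigated

# Assumed confidentiality level per data class (claim 7 classes).
CLASS_CONFIDENTIALITY = {"marketing": 1, "technical": 2, "financial": 3, "rnd": 4}


@dataclass
class Decision:
    action: str               # "block", "grant" or "grant_with_actions"
    actions: Dict[str, str]   # data type -> mitigation applied to that type's data


def confidentiality_levels(classes_by_type: Dict[str, List[str]]) -> Dict[str, int]:
    """Claim 6: a confidentiality level per data type from the classes found in it
    (the most confidential class found decides; no classes -> level 0)."""
    return {t: max((CLASS_CONFIDENTIALITY[c] for c in cls), default=0)
            for t, cls in classes_by_type.items()}


def decide(clearance: Dict[str, int], confidentiality: Dict[str, int]) -> Decision:
    """Claim 1 loop over data types using the claim 5 difference criteria."""
    actions: Dict[str, str] = {}
    for t in DATA_TYPES:
        diff = confidentiality.get(t, 0) - clearance.get(t, 0)
        if diff > TH1:
            return Decision("block", {})        # first criterion met: block the request
        if diff > TH2:
            actions[t] = "mask"                 # second criterion met: mitigate this type
    # First criterion not met for any type: grant (with mitigations, if any).
    return Decision("grant_with_actions" if actions else "grant", actions)


def adjust_clearance(clearance: Dict[str, int], anomalies: Dict[str, float],
                     step: int = 1) -> Dict[str, int]:
    """Claims 2/3: when a KPI value changed anomalously, lower every clearance
    level by `step` (never below 0); with no anomalies, leave it unchanged."""
    if not anomalies:
        return dict(clearance)
    return {t: max(0, lvl - step) for t, lvl in clearance.items()}
```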

8. A non-transitory machine-readable storage medium storing program code, the program code including instructions which, when executed, implement:
determining one or more clearance levels for a user, wherein the one or more clearance levels correspond to one or more data types;
determining, based on a request by the user to access a resource in a browser, one or more confidentiality levels for the resource corresponding to the one or more data types;
for each of the one or more confidentiality levels and each of the one or more clearance levels corresponding to a data type of the one or more data types:
blocking the request based on the confidentiality level and the clearance level meeting a first criterion, and
based on the confidentiality level and the clearance level meeting a second criterion, performing at least one of masking, deleting, and watermarking data of the data type associated with the resource; and
granting the request based on the first criterion not being met for each of the one or more data types.

9. The non-transitory machine-readable storage medium according to claim 8, wherein the program code includes further instructions which, when executed, implement adjusting the one or more clearance levels based on one or more anomalies observed for the user in an operating environment.

10. The non-transitory machine-readable storage medium according to claim 9, wherein the one or more anomalies include a change in a value of a key performance indicator of the user.

11. The non-transitory machine-readable storage medium according to claim 8, wherein the one or more data types include image data, text data, and audio data.

12. The non-transitory machine-readable storage medium according to claim 8, wherein the first criterion includes a criterion that a difference between a first performance index for the confidentiality of the data type of the resource and a second performance index for the user clearance for the data type exceeds a first threshold, and the second criterion includes a criterion that the difference between the confidentiality level and the clearance level exceeds a second threshold.

13. The non-transitory machine-readable storage medium according to claim 8, wherein the instructions for determining the one or more confidentiality levels for the resource include instructions for determining one or more data classes for data associated with the resource.

14. The non-transitory machine-readable storage medium according to claim 13, wherein the one or more data classes include at least one of marketing data, financial data, technical data, and research and development data.

15. A device comprising a processor and a machine-readable storage medium storing instructions which, when executed by the processor, cause the device to perform:
maintaining a user profile, wherein the profile includes one or more clearance levels for the user and the one or more clearance levels correspond to one or more data types;
determining, based on a request by the user to access a resource in a browser, one or more confidentiality levels for the resource corresponding to the one or more data types;
for each of the one or more confidentiality levels and each of the one or more clearance levels corresponding to a data type of the one or more data types:
blocking the request based on the confidentiality level and the clearance level meeting a first criterion, and
based on the confidentiality level and the clearance level meeting a second criterion, performing at least one of masking, deleting, and watermarking data of the data type associated with the resource; and
granting the request based on the first criterion not being met for each of the one or more data types.

16. The device according to claim 15, wherein the machine-readable storage medium includes further instructions which, when executed by the processor, cause the device to perform adjusting the one or more clearance levels based on one or more anomalies observed for the user in an operating environment.

17. The device according to claim 16, wherein the one or more anomalies include a change in a value of a key performance indicator of the user.

18. The device according to claim 15, wherein the one or more data types include image data, text data, and audio data.

19. The device according to claim 15, wherein the first criterion includes a criterion that a difference between a first performance index for the confidentiality of the data type of the resource and a second performance index for the user clearance for the data type exceeds a first threshold, and the second criterion includes a criterion that the difference between the confidentiality level and the clearance level exceeds a second threshold.

20. The device according to claim 15, wherein the instructions for determining the one or more confidentiality levels for the resource are executable by the processor to cause the device to determine one or more data classes for data associated with the resource, and the one or more data classes include at least one of marketing data, financial data, technical data, and research and development data.