07/02/09 - USPTO Class 707 - Application #20090171957

Method and system of applying policy on screened files

USPTO Application #: 20090171957
Title: Method and system of applying policy on screened files
Abstract: Described is a mechanism comprising a data screening filter and a user mode service that applies (enforces) policies regarding allowing or blocking file content of a directory, based on matching the filename against patterns associated with that directory. An administrator configures a screening policy, such as the types of files to allow in a particular directory and the types of files to block. File groups of member patterns and non-member exclusion patterns are defined and selectively collected in directory screening objects (DSOs). A directory screening object (DSO) is associated with a directory. When an I/O create request specifying a filename and a target directory is received, the filename is evaluated against the member/non-member patterns in the file groups referenced by the DSO for that directory to make an allow or block policy decision. If not matched, DSOs on parent directories are evaluated upwards seeking a policy decision.



Agent: Merchant & Gould (microsoft) - Minneapolis, MN, US
Inventors: Sarosh Cyrus Havewala, Neal R. Christiansen, Ran Kalach, Ravinder S. Thind, Jeremiah J. Moon
USPTO Application #: 20090171957 - Class: 707 6 (USPTO)

Method and system of applying policy on screened files description/claims


The Patent Description & Claims data below is from USPTO Patent Application 20090171957, Method and system of applying policy on screened files.

FIELD OF THE INVENTION

The invention relates generally to computer systems, and more particularly to computer files and storage.

BACKGROUND

Computer system administrators want to control the content that is stored on the computer systems (e.g., individual users' managed computers and network server shares) for which they are responsible. There are many reasons for needing control, including blocking certain types of files from being saved, preventing wasted space, organizing files on particular storage volumes for convenience and possibly security, and in general just knowing what is and what is not present on a file system volume.

For example, an enterprise may not want its employees to store large video files on shares on an enterprise server, as this consumes space. Similarly, an enterprise may also want to prevent storage of content such as music files that potentially make the enterprise liable for copyright infringement.

An enterprise or group therein may want only certain types of files on a network share, such as shared files used in day-to-day work operations. With respect to knowing what is on a storage volume, an administrator may want to know when certain files are added to the storage volume, such as to know when a user has installed (or even attempted to install) an executable program on a managed computer that is supposed to have a carefully-controlled set of executables.

At present, there is no known way to control content storage in such various ways, other than by manually inspecting file storage, or applying a utility program to do so, some time after those files have already been stored and possibly used. While a utility could scan the file system and remove files deemed undesirable or move files to where they belong, doing so is time-consuming as well as after the fact. Such post-storage approaches would also lead to situations in which incorrectly named files, or files inadvertently stored on the wrong file share, suddenly disappear without the user knowing what happened.

What is needed is a mechanism for administrators to control the content on computer systems and storage volumes according to a policy, in which the policy may be applied in conjunction with the initial request to create a file (including copying the file from elsewhere) or rename a file on a storage volume. Such a mechanism should be sufficiently flexible for administrators to handle the many possible situations that may arise in a given computing environment.

SUMMARY OF THE INVENTION

Briefly, the present invention is directed towards a system and method by which the I/O requests issued by programs are screened to determine whether to allow certain file system-related operations (e.g., file creates) with respect to individual directories in a directory hierarchy. For example, based on a relationship between a filename provided with a create request and pre-established pattern data, certain files or types of files trigger policy, which may include blocking that file from being created (or renamed to a blocked name) on the target directory for which file creation has been requested. Instead of or in addition to blocking, additional policy such as writing an audit log record, or sending an e-mail, may be applied.

In one implementation, the administrator uses file groups containing pattern data (sets of file namespace patterns which may include wildcards) arranged into member patterns and/or non-member patterns (a list of exceptions to member patterns). A file group is a logical classification of files based on certain properties, such as the name and extension of the file. For a given filename, membership of a file in a file group is determined by establishing whether the filename matches any of the non-member patterns; if so then the file is not a member of the group. If not, the filename is evaluated to determine whether it matches any of the member patterns; if so, then the file is a member of the group. If there is not a match with the non-member patterns or member patterns, the file is not a member of the group. Thus, the non-member list takes precedence over the member list, enabling an administrator to grant file group membership to certain categories of files yet specify exceptions to membership via the non-member patterns list.

Via pattern data arranged within file groups, an administrator applies policy to a directory based on whether a given file is a member of a file group or set of file groups. To tie the pattern data to a directory, a data screen object is used as an association unit, in which the data screen object contains lists of one or more file groups to associate with a directory, and thereby defines the screening policy on a directory.

A Data Screen Object is defined by a list of zero or more “allow” file groups, and a list of zero or more “block” file groups. When a create request is received, the screening decision for a file with respect to the target directory is determined by establishing whether the file (based on the filename) is a member of any of the “allow” file groups listed in the data screen object on the directory; if so, a first policy is applied, which is typically NULL policy, wherein the requested operation is not considered a violation and the request is allowed to proceed.

If the file is a member of any of the “block” file groups of the data screen object on the directory, a second policy is applied, typically corresponding to a violation. Thus, on the same directory, allow takes precedence over block, so that a data screen object enables the administrator to block certain types of files in the directory, with the allow overriding the blocking action for certain groups of files.

If the file is neither a member of an allow file group nor of a block file group, the parent of the directory is checked for a data screen object to look for policy to apply. If no policy is found, the mechanism walks up the tree to the next parent directory and so forth, looking for a data screen object that has an allow or block match, until a policy is applied or there is no parent. If there is no parent, the allow policy (typically no action, thereby allowing the request to proceed) is applied. Thus, screening policies on sub-directories take precedence over those on parent directories in an upward direction, whereby an administrator can set a screening policy on a directory and also set one on a subdirectory to exclude the sub-directory from some screening policy effective on its parent. The screening for a subdirectory may also be more restrictive than that of its parent.
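The file group membership rule (non-member patterns take precedence over member patterns), the per-directory allow-over-block rule of a data screen object, and the upward walk to parent directories, are easy to get subtly wrong in an implementation. The following Python model, added here as an illustration and not code from the patent or from any Microsoft product, implements all three rules so they can be exercised against a constructed policy. It assumes POSIX-style path strings and case-insensitive wildcard matching via `fnmatch` (the patent describes NTFS-style filename patterns without fixing a matching library); the `FileGroup`, `DataScreenObject` and `screen_create` names and the sample policy are constructed for this example.

```python
import fnmatch
import posixpath
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class FileGroup:
    """A logical class of files defined by filename patterns (wildcards allowed)."""
    name: str
    members: list[str]
    non_members: list[str] = field(default_factory=list)

    def contains(self, filename: str) -> bool:
        # Exclusions are checked first: a non-member match means "not in the
        # group" regardless of the member list. Matching is case-insensitive
        # here on the assumption that the target file system is (e.g. NTFS).
        name = filename.lower()
        if any(fnmatch.fnmatchcase(name, p.lower()) for p in self.non_members):
            return False
        return any(fnmatch.fnmatchcase(name, p.lower()) for p in self.members)


@dataclass
class DataScreenObject:
    """Ties lists of allow and block file groups to one directory."""
    allow: list[FileGroup] = field(default_factory=list)
    block: list[FileGroup] = field(default_factory=list)

    def decide(self, filename: str) -> Optional[str]:
        # On the same directory, allow takes precedence over block.
        if any(g.contains(filename) for g in self.allow):
            return "allow"
        if any(g.contains(filename) for g in self.block):
            return "block"
        return None  # no opinion here: the caller walks up to the parent


def screen_create(dsos: dict[str, DataScreenObject], target_dir: str,
                  filename: str) -> tuple[str, Optional[str]]:
    """Return (decision, deciding_directory) for a create or rename of
    `filename` in `target_dir`, walking up the tree until a DSO decides.
    `deciding_directory` is None when the default (allow) policy applied."""
    directory = posixpath.normpath(target_dir)
    while True:
        dso = dsos.get(directory)
        if dso is not None:
            decision = dso.decide(filename)
            if decision is not None:
                return decision, directory
        parent = posixpath.dirname(directory)
        if parent == directory:
            # Reached the root without a match: default policy is allow.
            return "allow", None
        directory = parent


def build_sample_policy() -> dict[str, DataScreenObject]:
    # Constructed sample policy (hypothetical paths and groups, not from the patent).
    video = FileGroup("Video", ["*.mp4", "*.avi", "*.mov"],
                      non_members=["training*.mp4"])
    audio = FileGroup("Audio", ["*.mp3", "*.wav"])
    return {
        # Block media on the whole share tree...
        "/shares": DataScreenObject(block=[video, audio]),
        # ...but the marketing sub-directory's DSO allows video, overriding
        # the parent's block for that group only (audio stays blocked).
        "/shares/marketing": DataScreenObject(allow=[video]),
    }


if __name__ == "__main__":
    policy = build_sample_policy()
    requests = [("/shares/eng", "movie.mp4"), ("/shares/marketing", "promo.mp4"),
                ("/shares/marketing", "song.mp3"), ("/shares/eng", "training_intro.mp4"),
                ("/home/alice", "movie.mp4")]
    for d, f in requests:
        print(f"{d}/{f} -> {screen_create(policy, d, f)}")
```

Note that `training_intro.mp4` is allowed under `/shares` even though `*.mp4` is a member pattern of the blocked Video group: the exclusion pattern removes it from the group before the block list is ever consulted, which is the exception mechanism the text describes. An audit or e-mail action would be attached to the "block" decision by the user-mode service; this model only returns the decision and the directory whose DSO produced it.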

In one implementation, the screening mechanism comprises a kernel mode data screen filter and a user-mode storage resource management service. As computer programs (e.g., user mode programs and kernel mode components above the data screen filter) make file system-directed create requests via API calls, corresponding I/O requests reach the data screen filter. The data screen filter then processes the request using data screen objects with their references to file groups as described above to match filenames against patterns for the directory, and if necessary for parent directories, until a policy application is determined. In this manner, file creates and other file I/O requests can be blocked by policy before occurring, providing dynamic screening for content on a per-directory basis.

Other advantages will become apparent from the following detailed description when taken in conjunction with the drawings, in which:

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram generally representing a computing environment into which the present invention may be incorporated;

FIG. 2 is a flow diagram generally representing logic for determining whether a given filename is a member or non-member of a file group, in accordance with various aspects of the present invention;


Industry Class:
Data processing: database and file management or data structures