Netskope Global Technical Success (GTS)

Use Case - Netskope DLP - Using File Classifiers with Machine Learning (Blocking Similar Files)

Netskope Cloud Version - 129

Objective

This document outlines the steps to Create a File Classifier trained with Machine Learning that can be used in a DLP Policy to block the transfer of similar files.

Context

Using File Classifiers trained with Machine Learning in Netskope is ideal when an organization wants to automatically identify and control the movement of sensitive or risky content—especially when traditional pattern-matching (e.g. regex or DLP rules) is insufficient or too rigid.

Example Escenario: 

A company which manages a vast network of libraries around the world is concerned about potential data leakage involving sensitive documents that detail the books they import into various countries.

To prevent this type of information from being exposed—intentionally or unintentionally—by employees, the company wants to block the transfer of importation-related documents to destinations outside the organization.

However, the challenge lies in accurately identifying Importation Manifests, which may not follow a fixed format or contain consistent keywords. These documents often include key shipment and inventory details critical to the company operations, and traditional DLP techniques may not reliably detect them.

By leveraging Machine Learning-based File Classifiers in Netskope, the company can train a model to automatically recognize the structure and context of Importation Manifests. This enables precise detection and enforcement—ensuring that such documents cannot be uploaded to unmanaged cloud apps, sent via personal email, or shared through unauthorized channels.

Configuration:

To archive that, the following steps need to be followed:

• Identify the files you would like to use for training the Identifier.
• Create the Custom Classifier
• Upload the Files used for train the Classifier
• Create a DLP Profile
• Create the DLP RTP Policy

Identify the files you would like to use for training the Identifier.

In this scenario, the company aims to identify and classify Importation Manifests as part of its data protection strategy. For demonstration purposes, several sample documents have been created to train and test the classifier. Below is an example the sample data:

Create the Custom Classifier

To create a File Classifier please go to Policies > Profiles > DLP > File Classifiers > Custom > New File Classifier 

Name the File Classifier and leave the Match Threshold in 60% as that’s the recommended value.

Upload the Files used for train the Classifier

Proceed by uploading the training files. (Click on Upload Training Files) Only images can be uploaded at this time and at least 20 files should be uploaded to train the classifier.

There are two types of training files used when building a Machine Learning File Classifier: Positive and Negative.

• Positive Training Data consists of files that represent the type of content you want the classifier to detect—these are examples of what should be identified as a match.
   
• Negative Training Data includes files that help the model understand what should not be classified as a match, reducing false positives.
   

In this scenario, only Positive Training Data was uploaded, focusing the model specifically on recognizing files that resemble Importation Manifests.

After uploading the training files, click Save to store both the files and the classifier configuration. Then, wait for the classifier's status to change to “Active.”

If the status does not become Active, it likely means that insufficient training data was provided or some of the uploaded files were invalid.

Create a DLP Profile

To create a DLP Profile please go to Policies > Profiles > DLP > New Profile > Next > File Classifier > Select the File Classifier previously created > Next and set a Profile Name > Save

Create the DLP RTP Policy

A policy to block Importation Manifests uploads and downloads from Google Gmail would be created.

To create a Real-Time Protection (RTP) policy, follow these steps:

1. Navigate to Policies > Real-Time Protection, then click New Policy and select Cloud App Access.
2. Choose the user or user group the policy will apply to.
3. Set the Application to Google Gmail.
4. Under Activities, select both Upload and Download.
5. Click on Add Profile to attach the previously created DLP Profile, and set the associated activity action to Block.
6. Provide a name for the policy and assign it to the appropriate Policy Group.
7. Click Save to apply the changes.

Demonstration:

File Used for Testing:

File Sample used for Training:

User Experience:

Netskope DLP Incidents:

Netskope App Event:

Conclusion

ML-trained file classifiers are really useful when:

• The content is complex, unstructured, or lacks clear identifiers
• You need higher accuracy and context-aware detection
• You want to go beyond what traditional DLP can detect
• Reducing false positives is a priority
• Visibility or control is required over intellectual property or internal documents.

Terms and Conditions

• All documented information undergoes testing and verification to ensure accuracy.
• In the future, it is possible that the application's functionality may be altered by the vendor. If any such changes are brought to our attention, we will promptly update the documentation to reflect them.

Notes

• This feature requires an Advanced DLP License.
• All the sample data used for the testing it’s not real and it was randomly created for documentation purposes.
• This article is authored by Netskope Global Technical Success (GTS).
• For any further inquiries related to this article, please contact Netskope GTS by submitting a support case with 'Case Type – How To Questions'.