Extended user session tracking

US 10,425,437 B1
Filed: 09/18/2018
Issued: 09/24/2019
Est. Priority Date: 11/27/2017
Status: Active Grant

First Claim

Patent Images

1. A system, comprising:

a processor configured to;

receive network activity data;

use the received network activity data to identify a user login activity on a first machine; and

generate a logical graph comprising a plurality of edges and nodes, wherein generating the logical graph includes linking the user login activity on the first machine to;

at least one of;

(1) a first node corresponding to a user associated with the user login activity on the first machine, and (2) a second node corresponding to a process executed on the first machine; and

a memory coupled to the processor and configured to provide the processor with instructions.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Network activity data is received, for example, from a set of agents reporting collectively information about a set of hosts. The received network activity data is used to identify a user login activity. A logical graph that links the user login activity to at least one user and at least one process is generated.

Citations

37 Claims

1. A system, comprising:
- a processor configured to;
  
  receive network activity data;
  
  use the received network activity data to identify a user login activity on a first machine; and
  
  generate a logical graph comprising a plurality of edges and nodes, wherein generating the logical graph includes linking the user login activity on the first machine to;
  
  at least one of;
  
  (1) a first node corresponding to a user associated with the user login activity on the first machine, and (2) a second node corresponding to a process executed on the first machine; and
  
  a memory coupled to the processor and configured to provide the processor with instructions.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 2. The system of claim 1 wherein the network activity data is received from a plurality of agents configured to report information, respectively, about a plurality of hosts.
  - 3. The system of claim 1 wherein generating the logical graph includes matching connections between the first machine and a second machine.
  - 4. The system of claim 3 wherein the first machine and second machine are different.
  - 5. The system of claim 3 wherein the first machine and second machine are the same.
  - 6. The system of claim 1 wherein identifying the user login activity includes identifying secure shell (ssh) connection records occurring within a first time period.
  - 7. The system of claim 1 wherein identifying the user login activity includes matching a pair of secure shell (ssh) connection records occurring within a first time period, wherein a first member of a matched pair corresponds to a source of a connection and wherein a second member of the matched pair corresponds to a destination of the connection.
  - 8. The system of claim 1 wherein identifying the user login activity includes matching a pair of secure shell (ssh) connection records in which a first member of a matched pair occurs within a first time period and wherein a second member of the matched pair occurs outside the first time period.
  - 9. The system of claim 1 wherein identifying the user login activity includes matching a pair of secure shell (ssh) connection records, and wherein, in response to a determination that multiple matches are possible, a pair having the smallest delta between respective start times is selected.
  - 10. The system of claim 1 wherein identifying the user login activity includes matching a pair of secure shell (ssh) connection records using a globally unique identifier (GUID) included by a client in a connection request.
  - 11. The system of claim 1 wherein generating the logical graph includes joining an secure shell (ssh) connection record and a new login record.
  - 12. The system of claim 1 wherein the processor is further configured to identify an original session associated with a subsequent chain of sessions.
  - 13. The system of claim 12 wherein the processor is configured to identify the original session at least in part by using an secure shell (ssh) lineage table.
  - 14. The system of claim 12 wherein the original session occurs on a first machine and wherein at least one session included in the subsequent chain of sessions occurs on a second machine that is different from the first machine.
  - 15. The system of claim 1 wherein generating the logical graph includes determining an adjacency relationship between two login sessions.
  - 16. The system of claim 1 wherein generating the logical graph includes associating a connection to a process.
  - 17. The system of claim 16 wherein generating the logical graph further includes associating the process to a child process using a process hierarchy.
  - 18. The system of claim 16 wherein generating the logical graph includes associating the process to a parent process using a process hierarchy.

19. A method, comprising:
- receiving network activity data;
  
  using the received network activity data to identify a user login activity on a first machine; and
  
  generating a logical graph comprising a plurality of edges and nodes, wherein generating the logical graph includes linking the user login activity on the first machine to;
  
  at least one of;
  
  (1) a first node corresponding to a user associated with the user login activity on the first machine, and (2) a second node corresponding to a process executed on the first machine.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36)
- - 20. The method of claim 19 wherein the network activity data is received from a plurality of agents configured to report information, respectively, about a plurality of hosts.
  - 21. The method of claim 19 wherein generating the logical graph includes matching connections between the first machine and a second machine.
  - 22. The method of claim 21 wherein the first machine and second machine are different.
  - 23. The method of claim 21 wherein the first machine and second machine are the same.
  - 24. The method of claim 19 wherein identifying the user login activity includes identifying secure shell (ssh) connection records occurring within a first time period.
  - 25. The method of claim 19 wherein identifying the user login activity includes matching a pair of secure shell (ssh) connection records occurring within a first time period, wherein a first member of a matched pair corresponds to a source of a connection and wherein a second member of the matched pair corresponds to a destination of the connection.
  - 26. The method of claim 19 wherein identifying the user login activity includes matching a pair of secure shell (ssh) connection records in which a first member of a matched pair occurs within a first time period and wherein a second member of the matched pair occurs outside the first time period.
  - 27. The method of claim 19 wherein identifying the user login activity includes matching a pair of secure shell (ssh) connection records, and wherein, in response to a determination that multiple matches are possible, a pair having the smallest delta between respective start times is selected.
  - 28. The method of claim 19 wherein identifying the user login activity includes matching a pair of secure shell (ssh) connection records using a globally unique identifier (GUID) included by a client in a connection request.
  - 29. The method of claim 19 wherein generating the logical graph includes joining an secure shell (ssh) connection record and a new login record.
  - 30. The method of claim 19 further comprising identifying an original session associated with a subsequent chain of sessions.
  - 31. The method of claim 30 identifying the original session includes using an secure shell (ssh) lineage table.
  - 32. The method of claim 30 wherein the original session occurs on a first machine and wherein at least one session included in the subsequent chain of sessions occurs on a second machine that is different from the first machine.
  - 33. The method of claim 19 wherein generating the logical graph includes determining an adjacency relationship between two login sessions.
  - 34. The method of claim 19 wherein generating the logical graph includes associating a connection to a process.
  - 35. The method of claim 34 wherein generating the logical graph further includes associating the process to a child process using a process hierarchy.
  - 36. The method of claim 34 wherein generating the logical graph includes associating the process to a parent process using a process hierarchy.

37. A computer program product embodied in a tangible computer readable storage medium and comprising computer instructions for:
- receiving network activity data;
  
  using the received network activity data to identify a user login activity on a first machine; and
  
  generating a logical graph comprising a plurality of edges and nodes, wherein generating the logical graph includes linking the user login activity on the first machine to;
  
  at least one of;
  
  (1) a first node corresponding to a user associated with the user login activity on the first machine, and (2) a second node corresponding to a process executed on the first machine.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Lacework Inc.
Original Assignee
Lacework Inc.
Inventors
Bog, Murat, Kapoor, Vikram, Pullara, III, Samuel Joseph, Chen, Yijou, Singh, Harish Kumar Bharat
Primary Examiner(s)
Truong, Thanhnga B

Application Number

US16/134,798
Time in Patent Office

371 Days
Field of Search

726 3, 726 23, 726 22, 706 47, 706 12, 706 52, 706 59, 709224
US Class Current
CPC Class Codes

G06F 16/2456   Join operations

G06F 16/9024   Graphs; Linked lists G06F16...

G06F 16/9038   Presentation of query results

G06F 16/9535   Search customisation based ...

G06F 16/9537   Spatial or temporal depende...

G06F 21/57   Certifying or maintaining t...

G06F 9/455   Emulation; Interpretation; ...

G06F 9/545   where tasks reside in diffe...

H04L 43/045   for graphical visualisation...

H04L 43/06   Generation of reports

H04L 63/10   for controlling access to d...

H04L 63/1408   by monitoring network traff...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 67/306   User profiles

H04L 67/535   Tracking the activity of th...

Extended user session tracking

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

37 Claims

Specification

Solutions

Use Cases

Quick Links

Extended user session tracking

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

37 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links