Monitoring network traffic by using event log information

US 20060179140A1
Filed: 04/04/2006
Published: 08/10/2006
Est. Priority Date: 02/26/2004
Status: Active Grant

First Claim

Patent Images

1. A method for associating network traffic according to a selected category item, said network traffic traversing on a networked environment that has an authentication service for logging network authentication-related events, including network logon and logoff events, in an event log during an occurrence of a network authentication-related event, said method including:

receiving network traffic traversing on the networked environment;

extracting a first user name and a first network address from the event log;

identifying at least one packet from said network traffic that contains a second network address matching said first network address; and

associating said at least one packet with said first user name.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A solution is provided for associating network traffic traversing a networked environment according to a selected category item, such as a user name or other network entity identity-related information. The solution includes a collector and a monitor. The collector extracts a user name and a network address from an event log maintained on the networked environment. The monitor receives the network traffic and identifies at least one packet having a network address that matches the extracted network address. After at least one of the packets is identified, the collector associates the identified packet(s) with the extracted user name.

Citations

24 Claims

1. A method for associating network traffic according to a selected category item, said network traffic traversing on a networked environment that has an authentication service for logging network authentication-related events, including network logon and logoff events, in an event log during an occurrence of a network authentication-related event, said method including:
- receiving network traffic traversing on the networked environment;
  
  extracting a first user name and a first network address from the event log;
  
  identifying at least one packet from said network traffic that contains a second network address matching said first network address; and
  
  associating said at least one packet with said first user name.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein said first user name is used to select said at least one packet to determine the network usage of a real user associated with said first user name.
  - 3. The method of claim 1, wherein said extracting a first user name, further includes extracting a time stamp.
  - 4. The method of claim 1, further including using said first user name as a category item in a first set of category items;
    - and wherein said first user name is used for selecting said at least one packet to determine the network usage of a real user associated with said first user name.
  - 5. The method of claim 4, further including extracting a second user name and a third network address.
  - 6. The method of claim 5, further including:
    - identifying at least one packet from said network traffic that contains a fourth network address matching said third network address; and
      
      associating said at least one packet that contains said fourth network address with said second user name.
  - 7. The method of claim 6, further including:
    - using said second user name as a category item in a second set of category items; and
      
      wherein said second user name is used for selecting said at least one packet that contains said fourth network address to determine the network usage of a real user associated with said second user name.
  - 8. The method of claim 1, further including obtaining additional category items for said first set of category items from a directory service provided on the networked environment, said additional category items including a group id attribute and an organizational unit attribute from a user object having a user name attribute matching said first user name.

9. A system for associating network traffic according to a selected category item, said network traffic traversing on a networked environment that has an authentication service for logging network authentication-related events, including network logon and logoff events, in an event log during an occurrence of a network authentication-related event, said system including:
- a collector that extracts a first user name and a first network address from the event log;
  
  a monitor that receives said network traffic traversing on the networked environment and that identifies at least one packet from said network traffic received if said at least one packet contains a second network address that matches said first network address; and
  
  wherein said collector associates said at least one packet with said first user name.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The apparatus of claim 9, wherein said collector enables said first user name to be is used to select said at least one packet to determine the network usage of a real user associated with said first user name.
  - 11. The apparatus of claim 9, wherein said collector uses said first user name as a category item in a first set of category items, and said collector enables said first user name to be used to select said at least one packet to determine the network usage of a real user associated with said first user name.
  - 12. The apparatus of claim 11, wherein said collector extracts a second user name and a third network address.
  - 13. The apparatus of claim 11, wherein said collector obtains additional category items for said first set of category items from a directory service provided on the networked environment, said additional category items including a group id attribute and an organizational unit attribute from a user object having a user name attribute matching said first user name.
  - 14. The apparatus of claim 11, further including a database for storing said first set of category items.
  - 15. The apparatus of claim 14, further including a HTTP server for enabling queries to be performed on said database from a HTTP-enabled browser application executing on a computer.
  - 16. The apparatus of claim 9, wherein said monitor includes a packet processing engine and a network interface;
    - and wherein said packet processing engine and network interface are coupled to the networked environment.

17. A computer program embodied on at least one computer-readable medium for executing a method for associating network traffic according to a selected category item, said network traffic traversing on a networked environment that has an authentication service for logging network authentication-related events in an event log during an occurrence of a network authentication-related event, said method including:
- receiving network traffic traversing on the networked environment;
  
  extracting a first user name and a first network address from the event log;
  
  identifying at least one packet from said network traffic that contains a second network address matching said first network address; and
  
  associating said at least one packet with said first user name.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24)
- - 18. The computer program of claim 17, wherein said first user name is used to select said at least one packet to determine the network usage of a real user associated with said first user name.
  - 19. The computer program of claim 17, wherein said extracting a first user name, further includes extracting a time stamp.
  - 20. The computer program of claim 17, further including using said first user name as a category item in a first set of category items;
    - and wherein said first user name is used for selecting said at least one packet to determine the network usage of a real user associated with said first user name.
  - 21. The computer program of claim 20, further including extracting a second user name and a third network address.
  - 22. The computer program of claim 21, further including:
    - identifying at least one packet from said network traffic that contains a fourth network address matching said third network address; and
      
      associating said at least one packet that contains said fourth network address with said second user name.
  - 23. The computer program of claim 22, further including using said second user name as a category item in a second set of category items;
    - and wherein said second user name is used for selecting said at least one packet that contains said fourth network address to determine the network usage of a real user associated with said second user name.
  - 24. The computer program of claim 17, further including obtaining additional category items for said first set of category items from a directory service provided on the networked environment, said additional category items including a group id attribute and an organizational unit attribute from a user object having a user name attribute matching said first user name.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Vmware LLC (Broadcom, Inc.)
Original Assignee
VMware, Inc. (Broadcom, Inc.)
Inventors
Erlund, Maxine R., John, Pramod, Marti, Ramachandran V., Wang, Yingxian

Granted Patent

US 9,584,522 B2
Time in Patent Office

Days
Field of Search
US Class Current

709/225
CPC Class Codes

G06F 11/30   Monitoring

H04L 43/028   by filtering

H04L 43/04   Processing captured monitor...

H04L 61/4523   using lightweight directory...

H04L 63/102   Entity profiles

H04L 63/105   Multiple levels of security

H04L 67/02   based on web technology, e....

H04L 67/535   Tracking the activity of th...

Monitoring network traffic by using event log information

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Monitoring network traffic by using event log information

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links