Verifying user authentication

US 20060190736A1
Filed: 04/04/2006
Published: 08/24/2006
Est. Priority Date: 02/26/2004
Status: Active Grant

First Claim

Patent Images

1. A system for verifying the authentication of a real user attempting to log onto a networked environment by using a computing device, the real user entering a user name as part of said attempt to log on, wherein the networked environment includes a directory service that maintains objects representing network entities, said network entities including the computing device and the real user, the system comprising:

a monitor for extracting user information from an authentication exchange packet transmitted on the networked environment, said selected information including a user name;

a collector for determining whether said user name matches a user name attribute of an object maintained by the directory service; and

means for indicating that the authentication of the real user has been verified if said user name matches said user name attribute.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A solution for transparently verifying the authentication of a real user includes a monitor that receives network packets and a collector. The monitor identifies an authentication exchange packet from network traffic, extracts information from the packet and sends it to the collector, which obtains objects from a directory service and determines if the information includes a user name equivalent to a name attribute in an object. If so, authentication is deemed verified. For additional verification, the monitor extracts from the packet a destination address if it is an response packet, or a source address if it is a request packet. Monitor sends the extracted address to the collector, which uses the extracted address to obtain a hostname and determines whether a user account associated with the name attribute is active on a computing device having the hostname. If so, the authentication of the real user is deemed further verified.

Citations

48 Claims

1. A system for verifying the authentication of a real user attempting to log onto a networked environment by using a computing device, the real user entering a user name as part of said attempt to log on, wherein the networked environment includes a directory service that maintains objects representing network entities, said network entities including the computing device and the real user, the system comprising:
- a monitor for extracting user information from an authentication exchange packet transmitted on the networked environment, said selected information including a user name;
  
  a collector for determining whether said user name matches a user name attribute of an object maintained by the directory service; and
  
  means for indicating that the authentication of the real user has been verified if said user name matches said user name attribute.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The system of claim 1, wherein:
    - wherein said monitor includes a means for extracting a source network address from said authentication exchange packet if said authentication exchange packet is identified as an authentication exchange request packet;
      
      a means for identifying a computing device associated with said source network address; and
      
      said collector querying said computing device to determine whether a user account having said user name attribute is logged onto said computing device.
  - 3. The system of claim 1, wherein:
    - wherein said monitor includes a means for extracting a destination network address from said authentication exchange packet if said authentication exchange packet is identified as an authentication exchange response packet;
      
      a means for identifying a computing device associated with said destination network address; and
      
      said collector querying said computing device to determine whether a user account having said user name attribute is logged onto said computing device.
  - 4. The system of claim 3, wherein said collector includes a means for indicating that the authentication of the real user has been further verified if it is determined that said user account is logged onto said computing device.
  - 5. The system of claim 3, wherein said means for identifying includes using a name service.
  - 6. The system of claim 1, wherein said user name and said user name attribute have the same format.
  - 7. The system of claim 1, wherein the objects include user objects.

8. A computer program embodied on at least one computer-readable medium for executing a method for verifying the authentication of a real user attempting to log onto a networked environment by using a computing device, the real user entering a user name as part of said attempt to log on, the method comprising:
- extracting selected information from an authentication exchange packet transmitted on the networked environment, said selected information including a user name;
  
  determining whether said user name from said selected information matches a name attribute maintained by a directory service;
  
  initiating a routine if said user name matches said user name attribute; and
  
  wherein the networked environment includes said directory service, said directory service for storing and maintaining objects and attributes that represent network entities on the networked environment, said network entities including the computing device and real users.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. The computer program of claim 8, further including:
    - extracting a network address from said authentication exchange packet, said network address in the form of a destination network address if said authentication exchange packet is a response packet, or in the form of source network address if said authentication exchange packet is a request packet;
      
      identifying a computing device associated with said network address; and
      
      querying said computing device to determine whether a user account having said name attribute is active on said computing device.
  - 10. The computer program of claim 9, further including indicating that the authentication of the real user has been verified.
  - 11. The computer program of claim 9, wherein said identifying includes using a name service.
  - 12. The computer program of claim 8, wherein said user name from said selected information and said user name attribute follow the same format.
  - 13. The computer program of claim 8, wherein said objects include user objects.

14. A system for verifying the authentication of a real user seeking to log onto a networked environment, wherein the networked environment includes at least one computing device, a directory service, an authentication service and a name service, and wherein the directory service maintains user objects, the system comprising:
- a monitor that receives network packets traversing through the networked environment;
  
  a collector having a connection to said monitor and the networked environment;
  
  wherein said monitor includes program code that identifies an authentication exchange packet from said network packets and if found, extracts user information from said authentication exchange packet, and sends the users information to said collector; and
  
  wherein said collector includes program code that obtains at least one user object from the directory service and that determines whether the user information includes a user name that is equivalent to a name attribute from at least one user object, and that performs a predetermined routine if said name attribute is found equivalent to said user name.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 23, 24)
- - 15. The system of claim 14, further including a memory store for storing said at least one user object.
  - 16. The system of claim 15, wherein said memory store is a database.
  - 17. The system of claim 15, wherein said memory store is a database server accessible using the networked environment.
  - 18. The system of claim 14, wherein said monitor includes a packet processing engine having at least one network port for receiving network packets transmitted on the networked environment.
  - 19. The system of claim 17, wherein said collector includes a first computing device and said monitor further includes a second computer device coupled to said packet processing engine and said first computing device.
  - 20. The system of claim 14, wherein the networked environment includes an attachment point for sending said network packets to said monitor without impeding the routing of said network packets on the networked environment.
  - 21. The system of claim 14, wherein the networked environment includes an attachment point implemented using a network switch having a span port.
  - 22. The system of claim 14, wherein the networked environment includes an attachment point implemented using a network switch having a mirror port.
  - 23. The system of claim 14 wherein said monitor and said collector are provided as software applications on a computing device.
  - 24. The system of claim 14, wherein said program code of said monitor and said program code of said collector execute from a single computing device.

25. A system for verifying the authentication of a real user having a user account defined on a networked environment, wherein the networked environment includes at least one computing device, a directory service, an authentication service and a name service, and wherein the directory service maintains user objects, the system comprising:
- a monitor that receives network packets traversing through the networked environment;
  
  a collector having a connection to said monitor and the networked environment;
  
  wherein said monitor includes program code that identifies an authentication exchange request packet from said network packets and if found, extracts user information from said authentication exchange request packet, and sends said user information to said collector; and
  
  wherein said collector includes program code that obtains at least one user object from the directory service and that determines whether said user information includes a user name that is equivalent to a name attribute from at least one user object, and that performs a predetermined routine if said name attribute is found equivalent to said user name.
- View Dependent Claims (26, 27, 28, 29, 30, 31, 32, 33)
- - 26. The system of claim 25, wherein:
    - said program code of said monitor also extracts a destination network address from said authentication exchange response packet and sends said destination network address to said collector;
      
      said program code of said collector attempts to obtain a hostname from the name service using said destination network address, and if said program code receives said hostname, said program code performs a user account query using said hostname to determine whether a user account associated with said name attribute is active on a computing device defined with said hostname; and
      
      if said program code of said collector finds said user account active on said computing device, said collector performs another predetermined routine indicating further verification of the authentication of the real user.
  - 27. The system of claim 25, further including a memory store for storing said at least one user object.
  - 28. The system of claim 26, wherein said memory store is a database.
  - 29. The system of claim 25, wherein said monitor includes a packet processing engine having at least one network port for receiving network packets transmitted on the networked environment.
  - 30. The system of claim 29, wherein said collector includes a first computing device and said monitor further includes a second computer device coupled to said packet processing engine and said first computing device.
  - 31. The system of claim 25, wherein the networked environment includes an attachment point for sending said network packets to said monitor without impeding the routing of said network packets on the networked environment.
  - 32. The system of claim 26, wherein said predetermined routine and said another predetermined routine are substantially equivalent.
  - 33. The system of claim 25, wherein said authentication exchange response packet complies with the authentication protocol used by the authentication service.

34. A system for verifying the authentication of a real user seeking to log onto a networked environment, wherein the networked environment includes at least one computing device, a directory service, an authentication service and a name service, and wherein the directory service maintains user objects, the system comprising:
- a monitor that receives network packets traversing through the networked environment;
  
  a collector having a connection to said monitor and the networked environment;
  
  wherein said monitor includes management software that identifies an authentication exchange response packet from said network packets and if found, extracts user information and a destination network address from said authentication exchange response packet and sends the user information and said destination network address to said collector;
  
  wherein said collector includes control software that obtains at least one user object from the directory service, determines whether said user information includes a user name that is equivalent to a name attribute from one of said at least one user object, and determines whether a user account associated with said user name is currently active on a computing device on the networked environment; and
  
  wherein said control software indicates the successful verification of the authentication of the real user if said name attribute is found equivalent to said user name and said user account is found active on said computing device.
- View Dependent Claims (35, 36, 37, 38, 39, 40)
- - 35. The system of claim 34, wherein said control software obtains a hostname associated with said computing device by querying the name service using said destination network address.
  - 36. The system of claim 34, further including a memory store for storing said at least one user object.
  - 37. The system of claim 35, wherein said memory store is a database.
  - 38. The system of claim 34, wherein said monitor includes a packet processing engine having at least one network port for receiving network packets transmitted on the networked environment.
  - 39. The system of claim 38, wherein said collector includes a first computing device and said monitor further includes a second computer device coupled to said packet processing engine and said first computing device.
  - 40. The system of claim 34, wherein the networked environment includes an attachment point for sending said network packets to said monitor without impeding the routing of said network packets on the networked environment.

41. A system for verifying the authentication of a user on a networked environment, wherein the networked environment provides directory, authentication and name services to devices connected thereto, the system comprising:
- a monitor that receives and inspects network packets transmitted on the networked environment, said monitor identifying at least one authentication exchange response packet from said network packets, said authentication exchange response packet containing at least a principal name; and
  
  a collector that uses information managed by the directory service to verify said user principal name.
- View Dependent Claims (42, 43, 44, 45, 46, 47, 48)
- - 42. The system of claim 41, wherein the directory service maintains at least one user object;
    - and further including;
      
      determining whether one of said user objects includes a name attribute that is equivalent to said principal name; and
      
      setting an indicator if said name attribute is equivalent to said principal name.
  - 43. The system of claim 42, wherein a LDAP-based directory service application provides said directory service.
  - 44. The system of claim 42, wherein the Active Directory®
    - directory service software application provides said directory service.
  - 45. The system of claim 42, wherein said authentication exchange response packet further includes a destination network address.
  - 46. The system of claim 45, wherein the name service maps at least one client name to a network address;
    - and further including determining whether the name service maintains a client name have a network address equivalent to said destination network address and if so, querying a client having said client name to determine whether a user account containing a user name that is equivalent to said principle name is logged onto to said client.
  - 47. The system of claim 41, wherein the provision of the authentication services includes using the Kerberos protocol.
  - 48. The system of claim 41, wherein said principal name is a user name formatted as an email address.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Vmware LLC (Broadcom, Inc.)
Original Assignee
PacketMotion Incorporated (Broadcom, Inc.)
Inventors
Erlund, Maxine R., John, Pramod, Marti, Ramachandran V., Wang, Yingxian

Granted Patent

US 8,024,779 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/182
CPC Class Codes

G06F 11/30   Monitoring

H04L 61/4523   using lightweight directory...

H04L 63/102   Entity profiles

H04L 63/105   Multiple levels of security

Verifying user authentication

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

Citations

48 Claims

Specification

Solutions

Use Cases

Quick Links

Verifying user authentication

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

48 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links