Identities Correlation Infrastructure for Passive Network Monitoring

US 20080109870A1
Filed: 09/12/2007
Published: 05/08/2008
Est. Priority Date: 11/08/2006
Status: Active Grant

First Claim

Patent Images

1. An identity enabled policy monitoring system, comprising:

a network monitor for receiving network traffic from a network under observation;

an Identity Acquisition Manager (IAM), connected to said network monitor, enabling said network monitor to perform a correlation analysis of user identities and said network traffic to infer which users and user groups are responsible for generating said network traffic;

an identity enhanced policy having a priority ranking system for relationships based upon identities, said ranking based upon any of user identity, authenticated computer identity, group identity, and IP address; and

a mechanism for connecting actively into an identity infrastructure of the network under observation to get information regarding identities and for passing said identity information back to the IAM;

wherein an identity-enhanced view of traffic is compared against a formal specification in said identity-enhanced policy; and

wherein a human-readable report is generated indicating which traffic met and did not meet said identity-enhanced policy.

View all claims

16 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

User names and user groups serve as the basis of a formal policy in a network. A passive monitor examines network traffic in near real time and indicates: which network traffic is flowing on the network as before; which users or user groups were logged into workstations initiating this network traffic; and which of this traffic conforms to the formal policy definition. In one embodiment of the invention, users and user groups are determined by querying Microsoft® Active Directory and Microsoft® Windows servers, to determine who is logged onto the Microsoft® network. Other sources of identity information are also possible. The identity information is then correlated with the network traffic, so that even traffic that does not bear on the Microsoft® networking scheme is still tagged with identity

195 Citations

27 Claims

1. An identity enabled policy monitoring system, comprising:
- a network monitor for receiving network traffic from a network under observation;
  
  an Identity Acquisition Manager (IAM), connected to said network monitor, enabling said network monitor to perform a correlation analysis of user identities and said network traffic to infer which users and user groups are responsible for generating said network traffic;
  
  an identity enhanced policy having a priority ranking system for relationships based upon identities, said ranking based upon any of user identity, authenticated computer identity, group identity, and IP address; and
  
  a mechanism for connecting actively into an identity infrastructure of the network under observation to get information regarding identities and for passing said identity information back to the IAM;
  
  wherein an identity-enhanced view of traffic is compared against a formal specification in said identity-enhanced policy; and
  
  wherein a human-readable report is generated indicating which traffic met and did not meet said identity-enhanced policy.
- View Dependent Claims (2, 3)
- - 2. The system of claim 1, wherein said mechanism for connecting actively comprises:
    - a distributed logon collector (DLC).
  - 3. The identity enabled policy monitoring system of claim 1, wherein an identity which served as a basis for authentication is carried forward during a session for purposes of policy enforcement.

4. A computer implemented, distributed network monitoring method, comprising the steps of:
- providing a mapping from IP address to identity in which said mapping may be a null mapping which indicates that there is no identity for said IP address;
  
  providing a formal policy definition based, at least in part, upon any of user names, authenticated computer names, user groups, and computer groups;
  
  examining network traffic in near real time with a passive network monitor to determine conformance with said formal policy definition;
  
  said passive network monitor indicating which network traffic is flowing on the network, and at least one of;
  
  which users were logged into workstations initiating the network traffic, the identity of computers initiating said network traffic, to which groups said users and/or computers belong, and where said users and/or computers have previously authenticated to a network authentication infrastructure;
  
  which of said authenticated computers is receiving the network traffic; and
  
  which of the network traffic conforms to the formal policy definition.
- View Dependent Claims (5, 6, 7, 8, 9, 11, 12, 13, 14, 15, 16, 17, 19, 20, 21, 22, 23, 24, 25, 26, 27)
- - 5. The method of claim 4, wherein said network traffic comprises information flows about events within a small delay of the real time of those events, labeled with their actual time, such that the flow of events is equivalent to a real-time event flow.
  - 6. The method of claim 4, wherein the mapping from IP address to identities is determined by querying a network authentication system for logon events, and by referencing a network directory to map logon information to user, computer, and group information.
  - 7. The method of claim 6, wherein users, authenticated computers, user groups, and computer groups are determined by querying a Microsoft®
    - Active Directory and Microsoft®
      
      Windows servers, to determine who is logged onto a Microsoft®
      
      network; and
      
      wherein authenticated computer identities are also represented as special user accounts associated with authenticated computers on the network.
  - 8. The method of claim 4, further comprising the step of:
    - providing an identity acquisition manager (IAM) module for determining which users are logged into computers on the network, wherein said IAM distributes this information to one or more remote network monitors.
  - 9. The method of claim 8, further comprising the step of:
    - synthesizing logout information using a combination of timeouts and remote probing techniques where said probing techniques are both identity aware and non-identity aware.
  - 11. The method of claim 8, further comprising the step of:
    - providing at least one distributed logon collector (DLC) for performing queries into network identities sources under control of the IAM.
  - 12. The method of claim 4, further comprising the step of:
    - providing an identity-enhanced policy development tool for allowing an operator to describe formal policies about network connections between machines when described by any of;
      
      machine IP address;
      
      authenticated computer identity;
      
      authenticated computer group identity;
      
      user identity;
      
      user group identity; and
      
      combinations of the above.
  - 13. The method of claim 12, further comprising the step of:
    - providing an identity-enhanced policy engine for reading policy from said identity-enhanced policy development tool and for using said policy to annotate a near real time description of traffic with policy results.
  - 14. The method of claim 4, further comprising the step of:
    - providing a report showing traffic from groups to select computers which represent critical business systems, said report comprising a matrix display with larger and smaller bubbles and including colors for policy.
  - 15. The method of claim 4, further comprising the steps of:
    - providing for multi-user computers, where an IP address is associated with more than one concurrent directory user, and wherein multi-user computers are considered to have no individually identifiable users logged on and, thus, no user groups beyond those of which the computers themselves are members and an authenticated users built-in group; and
      
      flagging multi-user computers, wherein a so-specified machine is always considered as a multi-user computer regardless of the number of users that are logged on concurrently, to ensure that policy applied to multi-user computers is applied consistently and deterministically regardless of the number of users logged on at that computer at any one point in time.
  - 16. The method of claim 4, further comprising the step of:
    - ranking identity policy objects with respect to each other, as well as with respect to addressable network objects, to determine a relative priority policy relationships and, a network object'"'"'s effective policy.
  - 17. The method of claim 16, wherein said ranking of identity policy objects comprises in decreasing rank order:
    - a user object or a computer object;
      
      a group object representing a user group, a computer group, or a custom group;
      
      a built-in authenticated users group;
      
      a built-in authenticated computers group; and
      
      a built-in anonymous group; and
      
      ranking identity policy objects higher than any addressable network object;
      
      wherein identity policy overrides host-based policy, with the exception of prescriptive policy.
  - 19. The method of claim 4, further comprising the step of:
    - filtering the selection of available policy relationships using a current mapping from IP address to identity.
  - 20. The method of claim 19, further comprising the step of:
    - selecting a policy relationship based upon any of whether said mapping has a single user identity, multiple user identities, a single authenticated computer identity, or no identities.
  - 21. The method of claim 4, further comprising the step of:
    - arranging identity policy objects in a containment hierarchy to determine how policy defined for an object that is a policy relationship target is inherited by other objects that it contains.
  - 22. The method of claim 4, further comprising the step of:
    - delaying evaluation of network traffic from a particular IP address until such time as the user identities associated with the source and destination IP addresses can be ascertained.
  - 23. The method of claim 4, further comprising either of the steps of:
    - saving network event information offline in a file;
      
      orcapturing a sequence of packets from traffic data in a file; and
      
      further comprising the steps of;
      
      evaluating policy on said file data offline; and
      
      processing identities offline.
  - 24. The method of claim 4, further comprising the step of:
    - computing effective policy relationships for any given network object by;
      
      determining a relative ranking of a relationships'"'"' services;
      
      wherein said ranking is based on said services'"'"' transport layer specifications;
      
      for relationships that have identically ranked services, determining a ranking of said relationships'"'"' targets; and
      
      for relationships that have identically ranked targets, determine a ranking of the relationships'"'"' initiators;
      
      wherein a relationship with a higher ranking overrides a relationship with a lower ranking.
  - 25. The method of claim 4, further comprising the step of:
    - binding identity policy objects to zero, one, or more addressable network objects;
      
      wherein an addressable network object or host comprises, directly or indirectly, an IP address space; and
      
      wherein if an Identity policy object does not specify a host binding, it is implicitly bound to an entire identity address space.
  - 26. The method of claim 25, further comprising the step of:
    - determining the relative ranking of two bound and otherwise identical identity objects;
      
      wherein said ranking is determined by the relative ranking of the addressable network objects to which they are bound.
  - 27. The method of claim 7, further comprising the step of:
    - performing multiple logon disambiguation when multiple user or computer logons are detected.

10. (canceled)

18. (canceled)

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Musarubra US LLC (Musarubra US SellCo LLC)
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Guzik, John Richard, Pearcy, Derek Patton, Cooper, Geoffrey Howard, Sherlock, Kieran Gerard, Valente, Luis Filipe Pereira

Granted Patent

US 8,584,195 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/1
CPC Class Codes

G06F 21/552 involving long-term monitor...

H04L 63/1425 Traffic logging, e.g. anoma...

Identities Correlation Infrastructure for Passive Network Monitoring

First Claim

16 Assignments

0 Petitions

Accused Products

Abstract

195 Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

Identities Correlation Infrastructure for Passive Network Monitoring

First Claim

16 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

195 Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links