Identities Correlation Infrastructure for Passive Network Monitoring
First Claim
1. An identity enabled policy monitoring system, comprising:
a network monitor for receiving network traffic from a network under observation;
an Identity Acquisition Manager (IAM), connected to said network monitor, enabling said network monitor to perform a correlation analysis of user identities and said network traffic to infer which users and user groups are responsible for generating said network traffic;
an identity enhanced policy having a priority ranking system for relationships based upon identities, said ranking based upon any of user identity, authenticated computer identity, group identity, and IP address; and
a mechanism for connecting actively into an identity infrastructure of the network under observation to get information regarding identities and for passing said identity information back to the IAM;
wherein an identity-enhanced view of traffic is compared against a formal specification in said identity-enhanced policy; and
wherein a human-readable report is generated indicating which traffic met and did not meet said identity-enhanced policy.
16 Assignments
0 Petitions
Abstract
User names and user groups serve as the basis of a formal policy in a network. A passive monitor examines network traffic in near real time and indicates: which network traffic is flowing on the network as before; which users or user groups were logged into workstations initiating this network traffic; and which of this traffic conforms to the formal policy definition. In one embodiment of the invention, users and user groups are determined by querying Microsoft® Active Directory and Microsoft® Windows servers, to determine who is logged onto the Microsoft® network. Other sources of identity information are also possible. The identity information is then correlated with the network traffic, so that even traffic that does not bear on the Microsoft® networking scheme is still tagged with identity
195 Citations
27 Claims
1. (independent claim, reproduced above under First Claim; dependent claims 2 and 3)
4. A computer implemented, distributed network monitoring method, comprising the steps of:
providing a mapping from IP address to identity in which said mapping may be a null mapping which indicates that there is no identity for said IP address;
providing a formal policy definition based, at least in part, upon any of user names, authenticated computer names, user groups, and computer groups;
examining network traffic in near real time with a passive network monitor to determine conformance with said formal policy definition;
said passive network monitor indicating which network traffic is flowing on the network, and at least one of: which users were logged into workstations initiating the network traffic, the identity of computers initiating said network traffic, to which groups said users and/or computers belong, and where said users and/or computers have previously authenticated to a network authentication infrastructure; which of said authenticated computers is receiving the network traffic; and which of the network traffic conforms to the formal policy definition.
Dependent claims: 5, 6, 7, 8, 9, 11, 12, 13, 14, 15, 16, 17, 19, 20, 21, 22, 23, 24, 25, 26, 27.
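As an added illustration, not the patent's own implementation or code, the following Python sketches the pipeline claims 1 and 4 describe: an IP-to-identity mapping that may be null, a policy whose rules are ranked by identity kind (user, authenticated computer, group, IP address), and a report of which flows met or did not meet policy. The identity map, rules, addresses and flow records are constructed sample data.

```python
from collections import namedtuple

# Who (if anyone) the IAM says is behind an IP: logged-on user, authenticated computer, their groups.
Identity = namedtuple("Identity", "user computer groups", defaults=(None, None, frozenset()))
# One policy relationship, keyed on a single identity kind (user/computer/group/ip) for one destination port.
Rule = namedtuple("Rule", "kind subject dport action")
# Ranking of identity kinds, most specific first; the highest-ranked matching rule decides (constructed order).
RANK = {"user": 0, "computer": 1, "group": 2, "ip": 3}

def resolve(iam, ip):
    return iam.get(ip)  # null mapping (None): the IAM knows no identity for this IP

def matches(rule, ident, src_ip):
    if rule.kind == "ip":
        return rule.subject == src_ip
    if ident is None:  # identity-keyed rules cannot match an unmapped source
        return False
    field = {"user": ident.user, "computer": ident.computer, "group": ident.groups}[rule.kind]
    return rule.subject in field if rule.kind == "group" else field == rule.subject

def evaluate(policy, iam, flow):
    """Action of the most specific matching rule; traffic no rule covers is denied."""
    ident = resolve(iam, flow["src"])
    hits = [r for r in policy if r.dport == flow["dport"] and matches(r, ident, flow["src"])]
    return min(hits, key=lambda r: RANK[r.kind]).action if hits else "deny"

def report(policy, iam, flows):
    """One human-readable line per flow: who generated it and whether it met policy."""
    out = []
    for f in flows:
        ident = resolve(iam, f["src"])
        who = (ident.user or ident.computer) if ident else f"unmapped {f['src']}"
        verdict = "met" if evaluate(policy, iam, f) == "allow" else "did not meet"
        out.append(f"{who} -> {f['dst']}:{f['dport']} {verdict} policy")
    return out

# Constructed sample data: identity map as an IAM would fill it, a small policy, and observed flows.
IAM = {"10.0.0.5": Identity("alice", "WS-ALICE", frozenset({"Finance"})),
       "10.0.0.9": Identity(computer="WS-LAB1")}  # machine authenticated, nobody logged on
POLICY = [Rule("group", "Finance", 1433, "allow"), Rule("user", "alice", 1433, "deny"),
          Rule("computer", "WS-LAB1", 22, "allow"), Rule("ip", "10.0.0.20", 80, "allow")]
FLOWS = [{"src": "10.0.0.5", "dst": "10.0.1.2", "dport": 1433},
         {"src": "10.0.0.9", "dst": "10.0.1.3", "dport": 22},
         {"src": "10.0.0.20", "dst": "10.0.1.4", "dport": 80},
         {"src": "10.0.0.20", "dst": "10.0.1.2", "dport": 1433}]

if __name__ == "__main__":
    print("\n".join(report(POLICY, IAM, FLOWS)))
```

The user-level deny on port 1433 outranks the group-level allow, and the two flows from the unmapped 10.0.0.20 show how IP-only rules still apply when the identity mapping is null.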
10. (canceled)
18. (canceled)
Specification