System and Method to Associate a Private User Identity with a Public User Identity

US 20100217819A1
Filed: 04/30/2010
Published: 08/26/2010
Est. Priority Date: 10/17/2006
Status: Active Grant

First Claim

Patent Images

1. A method for associating a user identity used for accessing a network, comprising:

(a) recognizing an application session between a network and an application via a security gateway; and

(b) creating an application session record for the application session, wherein the application session record comprises the user identity used for accessing the network through a host, a host identity for the host, and an application session time, wherein the creating comprises;

(b1) querying an identity server by sending the host identity and the application session time in the application session record, wherein the identity server comprises an access session record for an access session between a second host and the network, wherein the access session record comprises a second user identity used for accessing the network through the second host, a second host identity for the second host, and an access session time;

(b2) comparing by the identity server the host identity in the application session record with the second host identity in the access session record, and comparing the access session time with the application session time;

(b3) returning by the identity server the second user identity in the access session record, if the host identity in the application session record matches the second host identity in the access session record, and if the access session time matches the application session time; and

(b4) storing the second user identity as the user identity used for accessing the network in the application session record.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The inventive system includes a host, a network including a security gateway, and a public application. Established are an access session between the network and the host and an application session between the public application and the network. An application session record is created for the application session, and includes the user'"'"'s public user identity used to access the public application, the user'"'"'s private user identity used to access the network, a host identity, and an application session time. To determine the private user identity for the application session, the security gateway sends a query with the host identity and the application session time. These are compared with the host identity and access session time in an access session record. If they match, then the private user identity in the access session record is returned, and it is stored as the private user identity in the application session record.

44 Citations

View as Search Results

18 Claims

1. A method for associating a user identity used for accessing a network, comprising:
- (a) recognizing an application session between a network and an application via a security gateway; and
  
  (b) creating an application session record for the application session, wherein the application session record comprises the user identity used for accessing the network through a host, a host identity for the host, and an application session time, wherein the creating comprises;
  
  (b1) querying an identity server by sending the host identity and the application session time in the application session record, wherein the identity server comprises an access session record for an access session between a second host and the network, wherein the access session record comprises a second user identity used for accessing the network through the second host, a second host identity for the second host, and an access session time;
  
  (b2) comparing by the identity server the host identity in the application session record with the second host identity in the access session record, and comparing the access session time with the application session time;
  
  (b3) returning by the identity server the second user identity in the access session record, if the host identity in the application session record matches the second host identity in the access session record, and if the access session time matches the application session time; and
  
  (b4) storing the second user identity as the user identity used for accessing the network in the application session record.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein the recognizing (a) comprises:
    - (a1) identifying a pattern of a data packet transmitted between the network and the application; and
      
      (a2) matching the pattern with an application identifier for the application.
  - 3. The method of claim 1, wherein the creating (b) further comprises:
    - (b5) extracting a source IP address from an IP header of a data packet transmitted during the application session; and
      
      (b6) storing the source IP address as the host identity in the application session record.
  - 4. The method of claim 1, wherein the creating (b) further comprises:
    - (b5) storing a user identity used for accessing the application in the application session record.
  - 5. The method of claim 4, wherein the storing (b5) comprises:
    - (b5i) examining a pattern of a data packet transmitted between the network and the application; and
      
      (b5ii) extracting the user identity used for accessing the application based on the pattern.
  - 6. The method of claim 1, wherein the application comprises a public application and the network comprises a company internal network.
  - 7. The method of claim 6, wherein the public application comprises one of the following:
    - an instant messaging application;
      
      an email application;
      
      a conferencing application;
      
      a voice application;
      
      a video application;
      
      or a collaboration application.
  - 8. The method of claim 1, wherein the application comprises one of the following:
    - an instant messaging application;
      
      an email application a conferencing application;
      
      a voice application;
      
      a video application;
      
      or a collaboration application.

9. A system, comprising:
- a host;
  
  a network comprising a gateway;
  
  an application, wherein an access session for a user is established between the application and the network via the gateway, wherein the gateway creates an application session record for the application session, wherein the application session record comprises a user identity for the user used for accessing the network through the host, a host identity for the host, and an application session time; and
  
  an identity server, wherein the identity server comprises an access session record for an access session between a second host and the network, wherein the access session record comprises a second user identity used for accessing the network through the second host, a second host identity for the second host, and an access session time,wherein the gateway queries the identity server by sending the host identity and the application session time in the application session record,wherein the identity server compares the host identity in the application session record with the second host identity in the access session record, and compares the access session time with the application session time,wherein the identity server returns the second user identity in the access session record to the gateway, if the host identity in the application session record matches the second host identity in the access session record, and if the access session time matches the application session time,wherein the gateway stores the second user identity as the user identity used for accessing the network in the application session record.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The system of claim 9, wherein the gateway identifies a pattern of a data packet transmitted between the network and the application, and matches the pattern with an application identifier for the application.
  - 11. The system of claim 9, wherein the gateway extracts a source IP address from an IP header of a data packet transmitted during the application session, and stores the source IP address as the host identity in the application session record.
  - 12. The system of claim 9, wherein the gateway stores a user identity used for accessing the application in the application session record.
  - 13. The system of claim 12, wherein the gateway examines a pattern of a data packet transmitted between the network and the application, and extracts the user identity used for accessing the application based on the pattern.
  - 14. The system of claim 9, wherein the application comprises a public application and the network comprises a company internal network.
  - 15. The system of claim 14, wherein the public application comprises one of the following:
    - an instant messaging application;
      
      an email application;
      
      a conferencing application;
      
      a voice application;
      
      a video application;
      
      or a collaboration application.
  - 16. The system of claim 9, wherein the application comprises one of the following:
    - an instant messaging application;
      
      an email application a conferencing application;
      
      a voice application;
      
      a video application;
      
      or a collaboration application.

17. A computer program product comprising a computer useable medium having a computer readable program, wherein the computer readable program when executed on a computer causes the computer to:
- recognize an application session between a network and an application via a security gateway; and
  
  create an application session record for the application session, wherein the application session record comprises the user identity used for accessing the network through a host, a host identity for the host, and an application session time, wherein the create comprises;
  
  query an identity server by sending the host identity and the application session time in the application session record, wherein the identity server comprises an access session record for an access session between a second host and the network, wherein the access session record comprises a second user identity used for accessing the network through the second host, a second host identity for the second host, and an access session time;
  
  compare by the identity server the host identity in the application session record with the second host identity in the access session record, and comparing the access session time with the application session time;
  
  return by the identity server the second user identity in the access session record, if the host identity in the application session record matches the second host identity in the access session record, and if the access session time matches the application session time; and
  
  store the second user identity as the user identity used for accessing the network in the application session record.

18. A computer program product comprising a computer useable medium having a computer readable program, wherein the computer readable program when executed on a computer causes the computer to:
- recognize an application session between a network and a public application via a gateway, wherein the public application resides externally to the network; and
  
  create an application session record for the application session, wherein the application session record comprises the public user identity used to access the public application, the private user identity used for accessing the network through a host, a host identity for the host, and an application session time, wherein the create comprises;
  
  query an identity server by sending the host identity and the application session time in the application session record, wherein the identity server comprises an access session record for an access session between a second host and the network, wherein the access session record comprises a second private user identity, a second host identity for the second host, and an access session time;
  
  compare by the identity server the host identity in the application session record with the second host identity in the access session record, and comparing the access session time with the application session time;
  
  return by the identity server the second private user identity in the access session record, if the host identity in the application session record matches the second host identity in the access session record, and if the access session time matches the application session time; and
  
  store the second private user identity as the private user identity in the application session record.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
A10 Networks Incorporated
Original Assignee
A10 Networks Incorporated
Inventors
Chen, Lee, Wang, Xin, Chiong, John

Granted Patent

US 7,979,585 B2
Time in Patent Office

Days
Field of Search
US Class Current

709/206
CPC Class Codes

H04L 12/66   Arrangements for connecting...

H04L 2101/622   Layer-2 addresses, e.g. med...

H04L 2101/668   Internet protocol [IP] addr...

H04L 63/02   for separating internal fro...

H04L 63/0281   Proxies

H04L 63/04   for providing a confidentia...

H04L 63/08   for authentication of entit...

H04L 63/0853   using an additional device,...

H04L 63/10   for controlling access to d...

H04L 63/102   Entity profiles

H04L 63/30   for supporting lawful inter...

H04L 63/308   retaining data, e.g. retain...

H04L 65/1069   Session establishment or de...

H04L 65/1101   Session protocols

H04L 65/1104   Session initiation protocol...

H04L 65/401   wherein the services involv...

H04L 67/14   Session management for real...

H04L 67/141   Setup of application sessio...

H04L 67/146   Markers for unambiguous ide...

H04L 9/40   Network security protocols

System and Method to Associate a Private User Identity with a Public User Identity

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

44 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

System and Method to Associate a Private User Identity with a Public User Identity

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

44 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links