CORRELATING USER INFORMATION TO A TRACKED EVENT

US 20180351978A1
Filed: 06/05/2017
Published: 12/06/2018
Est. Priority Date: 06/05/2017
Status: Abandoned Application

First Claim

Patent Images

1. An apparatus for correlating user information to a tracked event, said apparatus comprising:

a processor; and

a memory on which is stored machine readable instructions that are to cause processor to;

access an event log that lists an event item corresponding to an event that occurred at a network appliance;

determine that the event item matches an item listed in a user log that lists records of user information and a plurality of items, wherein the records correspond to user events in a network;

identify the user information corresponding to the matching item;

determine a confidence level that the identified user information corresponds to the event item;

determine whether the confidence level exceeds a certain threshold value;

in response to a determination that the confidence level exceeds the certain threshold, correlate the user information to the event item; and

insert an entry into a database that the user information corresponds to the event item.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

According to examples, an apparatus may include a processor and a memory having instructions that are to cause processor to access an event log that lists an event item corresponding to an event that occurred at a network appliance, determine that the event item matches an item listed in a user log that lists records of user information and a plurality of items, in which the records correspond to user events in a network, identify the user information corresponding to the matching item, determine a confidence level that the identified user information corresponds to the event item, determine whether the confidence level exceeds a certain threshold value, in response to a determination that the confidence level exceeds the certain threshold, correlate the user information to the event item, and insert an entry into a database that the user information corresponds to the event item.

16 Citations

View as Search Results

20 Claims

1. An apparatus for correlating user information to a tracked event, said apparatus comprising:
- a processor; and
  
  a memory on which is stored machine readable instructions that are to cause processor to;
  
  access an event log that lists an event item corresponding to an event that occurred at a network appliance;
  
  determine that the event item matches an item listed in a user log that lists records of user information and a plurality of items, wherein the records correspond to user events in a network;
  
  identify the user information corresponding to the matching item;
  
  determine a confidence level that the identified user information corresponds to the event item;
  
  determine whether the confidence level exceeds a certain threshold value;
  
  in response to a determination that the confidence level exceeds the certain threshold, correlate the user information to the event item; and
  
  insert an entry into a database that the user information corresponds to the event item.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The apparatus according to claim 1, wherein the instructions are further to cause the processor to:
    - perform an operation on data packets communicated to the network appliance by a user corresponding to the user information.
  - 3. The apparatus according to claim 1, wherein the user log is an Identity Management system that records user logins to a domain in the network.
  - 4. The apparatus according to claim 1, wherein instructions are further to cause processor to:
    - organize the records of user information and items into a plurality of time bins, wherein each of the plurality of time bins includes records of user information and items corresponding to user events in the network that occurred during a predefined time frame; and
      
      for each of the plurality of time bins, identify which of the user information corresponds to which of the items.
  - 5. The apparatus according to claim 4, wherein the instructions are further to cause the processor to:
    - determine that the event item matches an item of a record included in a certain time bin of the plurality of time bins;
      
      determine a number of user information that corresponds to the item in the certain time bin; and
      
      determine whether the confidence level exceeds the certain threshold based upon the determined number of user information.
  - 6. The apparatus according to claim 5, wherein the instructions are further to cause the processor to:
    - determine that the confidence level exceeds the certain threshold in response to the determined number of user information falling below a predefined number; and
      
      determine that the confidence level falls below the certain threshold in response to the determined number of user information exceeding the predefined number.
  - 7. The apparatus according to claim 5, wherein the event log additionally lists a time-stamp of a time at which the event at the network appliance occurred, and wherein the instructions are further to cause the processor to:
    - identify within which of the predefined time frames of the plurality of time bins that the time-stamp of the time at which the event at the network appliance occurred falls; and
      
      determine the match between the event item and the item of the record in the certain time bin corresponding to the identified predefined time frame.
  - 8. The apparatus according to claim 4, wherein the event log additionally lists a time-stamp of a time at which the event at the network appliance occurred, and wherein the instructions are further to cause the processor to:
    - determine that the event item matches an item of a record included in a certain time bin of the plurality of time bins;
      
      determine a difference in time between the time-stamp and the predefined time frame of the certain time bin; and
      
      determine whether the confidence level exceeds the certain threshold based upon the determined difference in time.
  - 9. The apparatus according to claim 8, wherein the instructions are further to cause the processor to:
    - determine that the confidence level exceeds the certain threshold in response to the determined difference in time falling below a predefined time period; and
      
      determine that the confidence level falls below the certain threshold in response to the determined difference in time exceeding the predefined time period.

10. A method for correlating information in an event log with information in a user log, said method comprising:
- accessing an event log that lists an event item corresponding to an event that occurred at the network appliance;
  
  determining whether the event item matches a first item of a plurality of first items listed in a user log that lists records of second items and first items corresponding to user events in a network;
  
  in response to a determination that the event item matches the first item of the plurality of first items, identifying the second item corresponding to the matching first item;
  
  determining, by a processor, a confidence level that the identified second item corresponds to the event item;
  
  determining, by the processor, whether the confidence level exceeds a certain threshold value;
  
  in response to a determination that the confidence level exceeds the certain threshold, correlating, by the processor, the second item to the first event information; and
  
  inserting, by the processor, an entry into a database that the second item corresponds to the event item.
- View Dependent Claims (11, 12, 13, 14, 15)
- - 11. The method according to claim 10, wherein the second item comprises a user name, the method further comprising:
    - executing a policy on data packets communicated to the network appliance by a user corresponding to the second item.
  - 12. The method according to claim 10, further comprising:
    - organizing the records of the second items and the first items corresponding to user events in a network into a plurality of time bins, wherein each of the plurality of time bins includes records of the second items and the first items corresponding to user events in the network that occurred during a predefined time frame; and
      
      for each of the plurality of time bins, identifying which of the second items corresponds to which of the first item.
  - 13. The method according to claim 12, further comprising:
    - determining that the event item matches a first item of a record included in a certain time bin of the plurality of time bins;
      
      determining a number of second items that corresponds to the first item in the certain time bin;
      
      determining whether the determined number of second items exceeds a predefined number;
      
      in response to a determination that the determined number of second items falls below the predefined number, determining that the confidence level exceeds the certain threshold; and
      
      in response to a determination that the determined number of second items exceeds the predefined number, determining that the confidence level falls below the certain threshold.
  - 14. The method according to claim 10, wherein the event log additionally lists a time-stamp of a time at which the event at the network appliance occurred, the method further comprising:
    - determining that the event items matches a first item of a record included in a certain time bin of the plurality of time bins;
      
      determining a difference in time between the time-stamp and the predefined time frame of the certain time bin; and
      
      determining whether the confidence level exceeds the certain threshold based upon the determined difference in time.
  - 15. The method according to claim 14, further comprising:
    - determining that the confidence level exceeds the certain threshold in response to the determined difference in time falling below a predefined time period; and
      
      determining that the confidence level falls below the certain threshold in response to the determined difference in time exceeding the predefined time period.

16. A non-transitory computer readable medium on which is stored machine readable instructions that when executed by a processor, cause the processor to:
- access an event log that lists an event IP address corresponding to an event that occurred at a network appliance;
  
  determine that the event IP address matches an IP address of IP addresses listed in a user log that lists records of user information and IP addresses corresponding to user events in a network;
  
  identify the user information corresponding to the matching IP address;
  
  determine a confidence level that the identified user information corresponds to the event IP address;
  
  determine whether the confidence level exceeds a certain threshold value;
  
  in response to a determination that the confidence level exceeds the certain threshold, correlate the user information to the event IP address; and
  
  execute a policy pertaining to data packets communicated to the network appliance by a user corresponding to the user name.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The non-transitory computer readable medium according to claim 16, wherein the instructions are further to cause the processor to:
    - organize the records of user information and IP addresses into a plurality of time bins, wherein each of the plurality of time bins includes records of user information and IP addresses corresponding to user events in the network that occurred during a predefined time frame; and
      
      for each of the plurality of time bins, identify which of the user information corresponds to which of the IP addresses.
  - 18. The non-transitory computer readable medium according to claim 17, wherein the instructions are further to cause the processor to:
    - determine that the event IP address matches an IP address of a record included in a certain time bin of the plurality of time bins;
      
      determine a number of user information that match the IP address in the certain time bin;
      
      determine whether the determined number of user information that corresponds to the IP address in the certain time bin;
      
      in response to a determination that the determined number of user information falls below the predefined number, determine that the confidence level exceeds the certain threshold; and
      
      in response to a determination that the determined number of user information exceeds the predefined number, determine that the confidence level falls below the certain threshold.
  - 19. The non-transitory computer readable medium according to claim 17, wherein the event log additionally lists a time-stamp of a time at which the event at the network appliance occurred, wherein the instructions are further to cause the processor to:
    - identify within which of the predefined time frames of the plurality of time bins that the time-stamp of the time at which the event at the network appliance occurred falls; and
      
      determine the match between the event IP address and the IP address of the record in the certain time bin corresponding to the identified predefined time frame.
  - 20. The non-transitory computer readable medium according to claim 19, wherein the instructions are further to cause the processor to:
    - determine that the event IP address matches an IP address of a record included in a certain time bin of the plurality of time bins;
      
      determine a difference in time between the time-stamp and the predefined time frame of the certain time bin;
      
      in response to a determination that the difference in time falling below a predefined time period, determine that the confidence level exceeds the certain threshold; and
      
      in response to a determination that the difference in time exceeding the predefined time period, determine that the confidence level falls below the certain threshold.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Inventors
PREIZLER, Ido Y., BERKOVITZ, Avihai, KAPLAN, Shai, OLIVER, Yaniv J.

Application Number

US15/613,995
Publication Number

US 20180351978A1
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

H04L 2463/121   Timestamp cryptographic mec...

H04L 41/069   using logs of notifications...

H04L 41/142   using statistical or mathem...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/20   for managing network securi...

CORRELATING USER INFORMATION TO A TRACKED EVENT

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

16 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

CORRELATING USER INFORMATION TO A TRACKED EVENT

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

16 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others