Real-time user awareness for a computer network

US 8,127,353 B2
Filed: 04/29/2008
Issued: 02/28/2012
Est. Priority Date: 04/30/2007
Status: Active Grant

First Claim

Patent Images

1. A method performed by a computer system, for determining a user name likely to be associated with an attack, a configuration, or a vulnerability, comprising:

obtaining first data which associates user names with individual IP addresses onto which the user names were logged in by the computer system;

obtaining second data which associates attacks, configurations, or vulnerabilities with individual IP addresses on which the attacks occurred or on which the configurations were changed or vulnerabilities existed;

determining whether the user name from the first data was logged-in to the IP address at a time of the attack, the configuration change, or the vulnerability existence; and

associating the user names from the first data with the attacks, configurations or vulnerabilities from the second data based on having the same IP address during a log-in,wherein an individual user name is indicated as being associated with attacks which occurred or with configurations which were changed or with vulnerabilities which existed, while the individual user name was logged in instead of while logged out for an IP address onto which the user logs in.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer system, device, computer software, and/or method performed by a computer system, is provided for determining a user name likely to be associated with an attack, a configuration, or a vulnerability. First data is obtained which associates user names with individual IP addresses onto which the user names were logged in. Second data is obtained which associates attacks, configurations, or vulnerabilities with individual IP addresses on which the attacks occurred or on which the configurations or vulnerabilities exist. The user names from the first data are associated with the attacks, configurations or vulnerabilities from the second data based on having the same IP address during a log-in. An individual user name is indicated as being associated with attacks which occurred while the individual user name was logged in or with configurations or vulnerabilities for an IP address onto which the user logs in.

168 Citations

20 Claims

1. A method performed by a computer system, for determining a user name likely to be associated with an attack, a configuration, or a vulnerability, comprising:
- obtaining first data which associates user names with individual IP addresses onto which the user names were logged in by the computer system;
  
  obtaining second data which associates attacks, configurations, or vulnerabilities with individual IP addresses on which the attacks occurred or on which the configurations were changed or vulnerabilities existed;
  
  determining whether the user name from the first data was logged-in to the IP address at a time of the attack, the configuration change, or the vulnerability existence; and
  
  associating the user names from the first data with the attacks, configurations or vulnerabilities from the second data based on having the same IP address during a log-in,wherein an individual user name is indicated as being associated with attacks which occurred or with configurations which were changed or with vulnerabilities which existed, while the individual user name was logged in instead of while logged out for an IP address onto which the user logs in.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method according to claim 1, further comprising displaying a list of attacks, configurations or vulnerabilities and respective user names individually associated therewith.
  - 3. The method according to claim 1, further comprising deriving vulnerabilities for the configurations from the second data, and displaying a list of configurations which have the derived vulnerabilities and respective user names individually associated therewith.
  - 4. The method according to claim 1, further comprising querying for respective real names of the user names, and providing the respective real names and attacks, configurations or vulnerabilities individually associated therewith.
  - 5. The method according to claim 1, wherein the user name is determined to be no longer associated with the IP address if there is another log-in on the IP address.
  - 6. The method according to claim 1, wherein the user name includes an e-mail address or an IM (instant message) address.
  - 7. The method according to claim 1, further comprising writing rules for a compliance policy or remediation system based on the user name.

8. A non-transitory computer-readable medium comprising instructions being executed by a computer, the instructions including a computer-implemented method for determining a user name likely to be associated with an attack, a configuration, or a vulnerability, the instructions for implementing:
- obtaining first data which associates user names with individual IP addresses onto which the user names were logged in;
  
  obtaining second data which associates attacks, configurations or vulnerabilities with individual IP addresses on which the attacks occurred or on which the configurations were changed or vulnerabilities existed;
  
  determining whether the user name from the first data was logged-in to the IP address at a time of the attack, the configuration change, or the vulnerability existence; and
  
  associating the user names from the first data with the attacks, configurations or vulnerabilities from the second data based on having the same IP address during a log-in,wherein an individual user name is indicated as being associated with attacks which occurred with configurations which were changed or with vulnerabilities which existed, while the individual user name was logged in instead of while logged out for an IP address onto which the user logs in.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The non-transitory computer-readable medium according to claim 8, further comprising instructions for displaying a list of attacks, configurations or vulnerabilities and respective user names individually associated therewith.
  - 10. The non-transitory computer-readable medium according to claim 8, further comprising instructions for deriving vulnerabilities for the configurations from the second data, and displaying a list of configurations which have the derived vulnerabilities and respective user names individually associated therewith.
  - 11. The non-transitory computer-readable medium according to claim 8, further comprising instructions for querying for respective real names of the user names, and providing the respective real names and attacks, configurations or vulnerabilities individually associated therewith.
  - 12. The non-transitory computer-readable medium according to claim 8, wherein the user name is determined to be no longer associated with the IP address if there is another log-in on the IP address.
  - 13. The non-transitory computer-readable medium according to claim 8, wherein the user name includes an e-mail address or an IM (instant message) address.
  - 14. The non-transitory computer-readable medium according to claim 8, further comprising instructions for writing rules for a compliance engine or remediation system based on the user name.

15. A computer system for determining a user name likely to be associated with an attack, a configuration, or a vulnerability, comprising:
- a display operable to receive screens to be displayed to a user; and
  
  a processor cooperatively operable with the memory and the display, and configured to facilitate;
  
  obtaining first data which associates user names with individual IP addresses onto which the user names were logged in;
  
  obtaining second data which associates attacks, configurations or vulnerabilities with individual IP addresses on which the attacks occurred or on which the configurations were changed or vulnerabilities existed;
  
  determining whether the user name from the first data was logged-in to the IP address at a time of the attack, the configuration change, or the vulnerability existence; and
  
  associating the user names from the first data with the attacks, configurations or vulnerabilities from the second data based on having the same IP address during a log-in,wherein an individual user name is indicated in a screen to be displayed to a user as being associated with attacks which occurred or with configurations which were changed or with vulnerabilities which existed, while the individual user name was logged in instead of while logged out for an IP address onto which the user logs in.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The computer system according to claim 15, wherein the processor is further configured to display, on the display, a list of attacks, configurations or vulnerabilities and respective user names individually associated therewith.
  - 17. The computer system according to claim 15, wherein the processor is further configured to derive vulnerabilities for the configurations from the second data, and to display a list of configurations which have the derived vulnerabilities and respective user names individually associated therewith.
  - 18. The computer system according to claim 15, wherein the processor is further configured to query for respective real names of the user names, and providing the respective real names and attacks, configurations or vulnerabilities individually associated therewith.
  - 19. The computer system according to claim 15, wherein the processor is further configured to determine that the user name is no longer associated with the IP address if there is another log-in on the IP address.
  - 20. The computer system according to claim 15, wherein the user name includes an e-mail address or an IM (instant message) address.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Sourcefire Incorporated (Cisco Systems, Inc.)
Inventors
Rittermann, Brian
Primary Examiner(s)
Song, Hosuk

Application Number

US12/149,196
Publication Number

US 20080276319A1
Time in Patent Office

1,400 Days
Field of Search

726 2- 5, 726/11, 726 22- 25, 713187-188, 709223-225
US Class Current

726/22
CPC Class Codes

G06F 21/552   involving long-term monitor...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

Real-time user awareness for a computer network

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

168 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Real-time user awareness for a computer network

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

168 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links