System and method for correlating network identities and addresses
First Claim
1. A computer system for correlating network identities and addresses, comprising:
- at least one processing device coupled to a machine-readable storage medium with computer executable instructions for implementing a log correlation engine in a network, wherein the log correlation engine causes the at least one processing device to:
- receive one or more logs that describe traffic observed on the network, wherein the network traffic includes one or more network sessions observed on the network;
- identify an authentication event described in the one or more logs, wherein the authentication event includes a network identity and a first network address observed in the one or more network sessions;
- map the first network address to a second network address from information in the one or more logs that describe the traffic observed in the network;
- map the network identity to one or more of the first network address or the second network address from the information in the one or more logs that describe the traffic observed in the network; and
- identify a relationship between the network identity, the first network address, and the second network address in response to mapping the first network address to the second network address and mapping the network identity to the first network address or the second network address, wherein a network identity and address list comprises a hash value generated from the first network address, the network identity, and a login type to provide an index that can be referenced to determine whether a corresponding entry in the network identity and address list includes new or updated information.
Abstract
The system and method for correlating network identities and addresses described herein may include a log correlation engine distributed on a network that identifies relationships between certain network identities and Internet Protocol (IP) and Ethernet addresses in the network. In particular, the log correlation engine may analyze various event logs that describe activity in a network to learn relationships between network identities and network addresses and generate alerts in response to discovering changes in the learned relationships. For example, the log correlation engine may identify authentication events described in the logs to map network identities to IP addresses, and may further analyze the logs to map the IP addresses to Ethernet addresses. Thus, the log correlation engine may discover new and changed relationships between the network identities, the IP addresses, and the Ethernet addresses.
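As an added illustration (not code from the patent or from any product implementing it), the following Python sketches the correlation the abstract describes: authentication events map an identity to an IP address, address-resolution records map that IP to an Ethernet address, and each list entry is indexed by a hash of (first address, identity, login type) so that repeated observations are recognised and only new or changed relationships raise alerts. The log line formats and the sample lines are constructed assumptions.

```python
import hashlib
import re

# Constructed sample logs (made up for this example); "auth" lines record an
# authentication event, "arp" lines record an IP-to-Ethernet observation.
SAMPLE_LOGS = [
    "auth user=alice ip=10.0.0.5 type=ssh",
    "arp ip=10.0.0.5 mac=aa:bb:cc:00:00:01",
    "auth user=bob ip=10.0.0.7 type=vpn",
    "arp ip=10.0.0.7 mac=aa:bb:cc:00:00:02",
    "arp ip=10.0.0.5 mac=aa:bb:cc:00:00:09",  # alice's IP now answers from a new MAC
    "auth user=alice ip=10.0.0.5 type=ssh",   # repeat of an already-learned relationship
]

AUTH_RE = re.compile(r"auth user=(\S+) ip=(\S+) type=(\S+)$")
ARP_RE = re.compile(r"arp ip=(\S+) mac=(\S+)$")


def entry_key(ip, identity, login_type):
    """Index a list entry by a hash of (first address, identity, login type)."""
    return hashlib.sha256(f"{ip}|{identity}|{login_type}".encode()).hexdigest()


class LogCorrelationEngine:
    def __init__(self):
        self.ip_to_mac = {}   # first (IP) address -> second (Ethernet) address
        self.entries = {}     # hash index -> [identity, ip, login_type, mac]
        self.alerts = []      # record of new or changed relationships

    def _observe(self, key, identity, ip, login_type, mac):
        """Insert or update one entry; alert only when something is new or changed."""
        entry = self.entries.get(key)
        if entry is None:
            self.entries[key] = [identity, ip, login_type, mac]
            self.alerts.append(f"new identity {identity}@{ip} ({login_type}) mac={mac}")
        elif entry[3] != mac:
            self.alerts.append(f"changed {identity}@{ip}: mac {entry[3]} -> {mac}")
            entry[3] = mac

    def process(self, line):
        if m := AUTH_RE.match(line):
            identity, ip, login_type = m.groups()
            key = entry_key(ip, identity, login_type)
            self._observe(key, identity, ip, login_type, self.ip_to_mac.get(ip))
        elif m := ARP_RE.match(line):
            ip, mac = m.groups()
            self.ip_to_mac[ip] = mac
            # Re-evaluate every identity already tied to this IP address
            for key, (identity, eip, login_type, _) in list(self.entries.items()):
                if eip == ip:
                    self._observe(key, identity, ip, login_type, mac)


def correlate(lines):
    engine = LogCorrelationEngine()
    for line in lines:
        engine.process(line)
    return engine
```

Running `correlate(SAMPLE_LOGS)` yields two list entries and five alerts; the final repeated login for alice produces none because its hash index already exists with the current MAC.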
20 Claims
1. (As set out under First Claim above.) Dependent claims: 2 to 10.
11. A method for correlating network identities and addresses, comprising:
- distributing a log correlation engine on a network;
- receiving, at the log correlation engine, one or more logs that describe traffic observed on the network, wherein the network traffic includes one or more network sessions observed on the network;
- identifying, by the log correlation engine, an authentication event described in the one or more logs, wherein the authentication event includes a network identity and a first network address observed in the one or more network sessions;
- mapping, by the log correlation engine, the first network address to a second network address from information in the one or more logs that describe the traffic observed in the network;
- mapping, by the log correlation engine, the network identity to one or more of the first network address or the second network address from the information in the one or more logs that describe the traffic observed in the network; and
- identifying, by the log correlation engine, a relationship between the network identity, the first network address, and the second network address in response to mapping the first network address to the second network address and mapping the network identity to the first network address or the second network address, wherein a network identity and address list comprises a hash value generated from the first network address, the network identity, and a login type to provide an index that can be referenced to determine whether a corresponding entry in the network identity and address list includes new or updated information.
Dependent claims: 12 to 20.
Specification