System and method for correlating network identities and addresses

US 8,972,571 B2
Filed: 05/06/2013
Issued: 03/03/2015
Est. Priority Date: 01/26/2010
Status: Active Grant

First Claim

Patent Images

1. A system for correlating network identities and addresses, comprising:

one or more physical processors programmed with computer executable instructions which, when executed, cause the one or more physical processors to;

receive logs that describe traffic observed on a network, wherein the network traffic includes one or more network sessions observed on the network and wherein the logs comprise a first log describing at least one authentication event and a second log describing at least another type of event;

identify an authentication event described in the logs, wherein the authentication event includes a network identity and a first network address observed in the one or more network sessions;

map the first network address to a second network address based on information in the logs;

map the network identity to one or more of the first network address or the second network address based on the information in the logs;

identify a relationship between the network identity, the first network address, and the second network address responsive to mapping the first network address to the second network address and mapping the network identity to the first network address or the second network address; and

generate an alert responsive to identifying the relationship between the network identity, the first network address, and the second network address.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The system and method for correlating network identities and addresses described herein may include a log correlation engine distributed on a network that identifies relationships between certain network identities and Internet Protocol (IP) and Ethernet addresses in the network. In particular, the log correlation engine may analyze various event logs that describe activity in a network to learn relationships between network identities and network addresses and generate alerts in response to discovering changes in the learned relationships. For example, the log correlation engine may identify authentication events described in the logs to map network identities to IP addresses, and may further analyze the logs to map the IP addresses to Ethernet addresses. Thus, the log correlation engine may discover new and changed relationships between the network identities, the IP addresses, and the Ethernet addresses.

126 Citations

18 Claims

1. A system for correlating network identities and addresses, comprising:
- one or more physical processors programmed with computer executable instructions which, when executed, cause the one or more physical processors to;
  
  receive logs that describe traffic observed on a network, wherein the network traffic includes one or more network sessions observed on the network and wherein the logs comprise a first log describing at least one authentication event and a second log describing at least another type of event;
  
  identify an authentication event described in the logs, wherein the authentication event includes a network identity and a first network address observed in the one or more network sessions;
  
  map the first network address to a second network address based on information in the logs;
  
  map the network identity to one or more of the first network address or the second network address based on the information in the logs;
  
  identify a relationship between the network identity, the first network address, and the second network address responsive to mapping the first network address to the second network address and mapping the network identity to the first network address or the second network address; and
  
  generate an alert responsive to identifying the relationship between the network identity, the first network address, and the second network address.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The system of claim 1, wherein the first network address includes an Internet Protocol address and the second network address includes a Media Access Control address.
  - 3. The system of claim 1, wherein the alert indicates that the network identity accessed the first network address or the second network address and that another network identity previously had a relationship to the first network address or the second network address.
  - 4. The system of claim 1, wherein the one or more physical processors are further caused to:
    - generate at least another alert responsive to a determination that the authentication event describes an invalid authentication event.
  - 5. The system of claim 1, wherein the one or more physical processors are further caused to:
    - update a network identity and address list responsive to identifying the relationship between the network identity, the first network address, and the second network address.
  - 6. The system of claim 1, wherein the network identity and address list includes a time stamp that describes when the relationship between the network identity, the first network address, and the second network address was identified, and wherein the network identity and address list includes a hash value that describes the relationship between the network identity, the first network address, and the second network address.
  - 7. The system of claim 1, wherein the another type of event is a hardware device detection event, and wherein the one or more physical processors are further caused to:
    - identify the hardware device detection event described in the logs, wherein the hardware device detection event includes a Media Access Control network address for a new hardware device that an active vulnerability scanner observes in the one or more network sessions; and
      
      identify a relationship between the new hardware device and the Media Access Control network address.
  - 8. The system of claim 1, wherein the another type of event is a hardware device detection event, and wherein the one or more physical processors are further caused to:
    - identify the hardware device detection event described in the logs, wherein the hardware device detection event includes a Media Access Control network address for a new hardware device that an active vulnerability scanner detects in the network; and
      
      identify a relationship between the new hardware device and the Media Access Control network address.
  - 9. The system of claim 1, wherein the another type of event is a media activity event, and wherein the one or more physical processors are further caused to:
    - identify the media activity event described in the logs, wherein the media activity event describes an insertion or removal of a media device from another device in the network; and
      
      generate at least another alert responsive to identifying the media activity event.

10. A method for correlating network identities and addresses, the method being implemented on a computer system that includes one or more physical processors executing computer executable instructions which, when executed, perform the method, the method comprising:
- receiving, at the computer system, logs that describe traffic observed on a network, wherein the network traffic includes one or more network sessions observed on the network and wherein the logs comprise a first log describing at least one authentication event and a second log describing at least another type of event;
  
  identifying, by the computer system, an authentication event described in the logs, wherein the authentication event includes a network identity and a first network address observed in the one or more network sessions;
  
  mapping, by the computer system, the first network address to a second network address based on information in the logs;
  
  mapping, by the computer system, the network identity to one or more of the first network address or the second network address based on the information in the logs;
  
  identifying, by the computer system, a relationship between the network identity, the first network address, and the second network address responsive to mapping the first network address to the second network address and mapping the network identity to the first network address or the second network address; and
  
  generating, by the computer system, an alert responsive to identifying the relationship between the network identity, the first network address, and the second network address.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The method of claim 10, wherein the first network address includes an Internet Protocol address and the second network address includes a Media Access Control address.
  - 12. The method of claim 10, wherein the alert indicates that the network identity accessed the first network address or the second network address and that another network identity previously had a relationship to the first network address or the second network address.
  - 13. The method of claim 10, further comprising:
    - generating, by the computer system, at least another alert responsive to a determination by the log correlation engine that the authentication event describes an invalid authentication event.
  - 14. The method of claim 10, further comprising:
    - updating, by the computer system, a network identity and address list responsive to identifying the relationship between the network identity, the first network address, and the second network address.
  - 15. The method of claim 10, wherein the network identity and address list includes a time stamp that describes when the relationship between the network identity, the first network address, and the second network address was identified, and wherein the network identity and address list includes a hash value that describes the relationship between the network identity, the first network address, and the second network address.
  - 16. The method of claim 10, wherein the another type of event is a hardware device detection event, and wherein the method comprises:
    - identifying, by the computer system, the hardware device detection event described in the logs, wherein the hardware device detection event includes a Media Access Control network address for a new hardware device that an active vulnerability scanner observes in the one or more network sessions; and
      
      identifying, by the computer system, a relationship between the new hardware device and the Media Access Control network address.
  - 17. The method of claim 10, wherein the another type of event is a hardware device detection event, and wherein the method comprises:
    - identifying, by the computer system, the hardware device detection event described in the logs, wherein the hardware device detection event includes a Media Access Control network address for a new hardware device that an active vulnerability scanner detects in the network; and
      
      identifying, by the computer system, a relationship between the new hardware device and the Media Access Control network address.
  - 18. The method of claim 10, wherein the another type of event is a media activity event, and wherein the method comprises:
    - identifying, by the computer system, the media activity event described in the logs, wherein the media activity event describes an insertion or removal of a media device from another device in the network; and
      
      generating, by the computer system, at least another alert responsive to identifying the media activity event.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Tenable, Inc. (Tenable Holdings, Inc.)
Original Assignee
Tenable Network Security Incorporated (Tenable Holdings, Inc.)
Inventors
Nappier, Jason, Gula, Ron
Primary Examiner(s)
Patel, Hitesh

Application Number

US13/887,822
Publication Number

US 20130247148A1
Time in Patent Office

666 Days
Field of Search

709/220, 709223-224
US Class Current

709/224
CPC Class Codes

H04L 63/08 for authentication of entit...

H04L 63/1433 Vulnerability analysis

System and method for correlating network identities and addresses

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

126 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for correlating network identities and addresses

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

126 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links