System and method for correlating network identities and addresses
First Claim
1. A system for correlating network identities and addresses, comprising:
one or more physical processors programmed with computer executable instructions which, when executed, cause the one or more physical processors to:
receive logs that describe traffic observed on a network, wherein the network traffic includes one or more network sessions observed on the network and wherein the logs comprise a first log describing at least one authentication event and a second log describing at least another type of event;
identify an authentication event described in the logs, wherein the authentication event includes a network identity and a first network address observed in the one or more network sessions;
map the first network address to a second network address based on information in the logs;
map the network identity to one or more of the first network address or the second network address based on the information in the logs;
identify a relationship between the network identity, the first network address, and the second network address responsive to mapping the first network address to the second network address and mapping the network identity to the first network address or the second network address; and
generate an alert responsive to identifying the relationship between the network identity, the first network address, and the second network address.
Abstract
The system and method for correlating network identities and addresses described herein may include a log correlation engine distributed on a network that identifies relationships between certain network identities and Internet Protocol (IP) and Ethernet addresses in the network. In particular, the log correlation engine may analyze various event logs that describe activity in a network to learn relationships between network identities and network addresses and generate alerts in response to discovering changes in the learned relationships. For example, the log correlation engine may identify authentication events described in the logs to map network identities to IP addresses, and may further analyze the logs to map the IP addresses to Ethernet addresses. Thus, the log correlation engine may discover new and changed relationships between the network identities, the IP addresses, and the Ethernet addresses.
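The abstract describes the core of the correlation engine: authentication events map a network identity to an IP address, address-assignment events map that IP address to an Ethernet (MAC) address, and the engine alerts when the learned identity/IP/MAC relationship is new or has changed. The following is an added illustration of that logic in Python; it is not the patent holder's code, and the sshd/dhcpd log formats, hostnames, addresses and alert names below are constructed for the example. It alerts on three conditions: a first-seen identity relationship, a change in an identity's IP or MAC, and an IP address moving to a different MAC.

```python
"""Toy log correlation engine in the spirit of the abstract above (added example,
not the patent's code). All log lines and addresses are constructed."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample logs. The authentication log carries identity + IP;
# the DHCP log carries IP + Ethernet (MAC) address.
AUTH_LOGS = [
    "2024-03-01T08:00:00Z sshd: Accepted publickey for alice from 10.0.0.5 port 51022",
    "2024-03-01T08:05:00Z sshd: Accepted password for bob from 10.0.0.7 port 51100",
    "2024-03-01T09:00:00Z sshd: Accepted publickey for alice from 10.0.0.9 port 51300",
]
ADDRESS_LOGS = [
    "2024-03-01T07:59:00Z dhcpd: DHCPACK on 10.0.0.5 to aa:bb:cc:00:00:01",
    "2024-03-01T07:59:30Z dhcpd: DHCPACK on 10.0.0.7 to aa:bb:cc:00:00:02",
    "2024-03-01T08:30:00Z dhcpd: DHCPACK on 10.0.0.5 to aa:bb:cc:00:00:03",  # IP re-leased to another host
    "2024-03-01T08:59:00Z dhcpd: DHCPACK on 10.0.0.9 to aa:bb:cc:00:00:01",  # alice's host gets a new IP
]

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
AUTH_RE = re.compile(rf"^(?P<ts>\S+) sshd: Accepted \S+ for (?P<user>\S+) from (?P<ip>{IP})")
DHCP_RE = re.compile(rf"^(?P<ts>\S+) dhcpd: DHCPACK on (?P<ip>{IP}) to (?P<mac>{MAC})")


@dataclass(frozen=True)
class Event:
    ts: str
    kind: str                      # "auth" (identity -> IP) or "addr" (IP -> MAC)
    ip: str
    identity: Optional[str] = None
    mac: Optional[str] = None


def parse_logs(lines):
    """Turn raw log lines into Events; unrecognised lines are skipped."""
    events = []
    for line in lines:
        if m := AUTH_RE.match(line):
            events.append(Event(m["ts"], "auth", m["ip"], identity=m["user"]))
        elif m := DHCP_RE.match(line):
            events.append(Event(m["ts"], "addr", m["ip"], mac=m["mac"]))
    return events


class CorrelationEngine:
    def __init__(self):
        self.ip_to_mac = {}        # learned IP -> MAC
        self.identity_rel = {}     # learned identity -> (IP, MAC)
        self.alerts = []

    def process(self, events):
        # ISO-8601 timestamps in one zone sort lexically, so merging the two
        # logs in time order is a plain sort.
        for ev in sorted(events, key=lambda e: e.ts):
            self._on_address(ev) if ev.kind == "addr" else self._on_auth(ev)
        return self.alerts

    def _on_address(self, ev):
        old = self.ip_to_mac.get(ev.ip)
        self.ip_to_mac[ev.ip] = ev.mac
        if old is not None and old != ev.mac:
            self.alerts.append({"kind": "CHANGED_ADDRESS_MAPPING", "ts": ev.ts,
                                "ip": ev.ip, "old_mac": old, "new_mac": ev.mac})

    def _on_auth(self, ev):
        mac = self.ip_to_mac.get(ev.ip)   # None if no lease has been seen for this IP yet
        rel = (ev.ip, mac)
        old = self.identity_rel.get(ev.identity)
        self.identity_rel[ev.identity] = rel
        if old is None:
            self.alerts.append({"kind": "NEW_IDENTITY_RELATIONSHIP", "ts": ev.ts,
                                "identity": ev.identity, "ip": ev.ip, "mac": mac})
        elif old != rel:
            self.alerts.append({"kind": "CHANGED_IDENTITY_RELATIONSHIP", "ts": ev.ts,
                                "identity": ev.identity, "old": old, "new": rel})


def correlate(auth_lines, addr_lines):
    """Run both logs through one engine and return it for inspection."""
    engine = CorrelationEngine()
    engine.process(parse_logs(auth_lines) + parse_logs(addr_lines))
    return engine


if __name__ == "__main__":
    for alert in correlate(AUTH_LOGS, ADDRESS_LOGS).alerts:
        print(alert)
```

On the constructed input the engine raises four alerts in time order: alice and bob are each first seen (two new relationships), 10.0.0.5 moves from one MAC to another at 08:30, and alice's 09:00 login arrives from a new IP that is bound to her previously learned MAC, which is a changed relationship rather than a new one. Processing events in merged timestamp order matters: an authentication event is resolved against whatever IP-to-MAC binding was current at that moment, not against the latest one seen.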
18 Claims
1. Independent claim, reproduced above under "First Claim". Dependent claims 2 to 9 are not reproduced on this page.
10. A method for correlating network identities and addresses, the method being implemented on a computer system that includes one or more physical processors executing computer executable instructions which, when executed, perform the method, the method comprising:
receiving, at the computer system, logs that describe traffic observed on a network, wherein the network traffic includes one or more network sessions observed on the network and wherein the logs comprise a first log describing at least one authentication event and a second log describing at least another type of event;
identifying, by the computer system, an authentication event described in the logs, wherein the authentication event includes a network identity and a first network address observed in the one or more network sessions;
mapping, by the computer system, the first network address to a second network address based on information in the logs;
mapping, by the computer system, the network identity to one or more of the first network address or the second network address based on the information in the logs;
identifying, by the computer system, a relationship between the network identity, the first network address, and the second network address responsive to mapping the first network address to the second network address and mapping the network identity to the first network address or the second network address; and
generating, by the computer system, an alert responsive to identifying the relationship between the network identity, the first network address, and the second network address.
Dependent claims 11 to 18 are not reproduced on this page.