Monitoring network traffic by using event log information
7 Assignments
0 Petitions
Abstract
A solution is provided for associating network traffic traversing a networked environment according to a selected category item, such as a user name or other network entity identity-related information. The solution includes a collector and a monitor. The collector extracts a user name and a network address from an event log maintained on the networked environment. The monitor receives the network traffic and identifies at least one packet having a network address that matches the extracted network address. After at least one of the packets is identified, the collector associates the identified packet(s) with the extracted user name.
74 Citations
22 Claims
1. A computer implemented method comprising:
- receiving, by a first computing device via a first network, an event log from an authentication service that authorizes user access to resources on the first network, the event log including an event authorizing access to the resources on the first network;
- receiving, by a second computing device, the event log from the first computing device over a second network, the second network enabling the first computing device and the second computing device to communicate without using the first network;
- extracting, by the second computing device, a first user name, a time stamp, and a first network address from an authenticated-related event portion of the event log;
- receiving, by the first computing device, network traffic from the first network;
- identifying, by the second computing device, at least one packet from the network traffic that contains a second network address matching the first network address;
- identifying, by the second computing device, a time stamp within the network packet;
- determining that the time stamp within the network packet is equal to or later than the time stamp from the authenticated-related event portion of the event log; and
- based on the determining, associating, by the second computing device, the at least one packet with the first user name.

Dependent claims: 2, 3, 4, 5, 6, 7

8. A system comprising:
- a first network;
- a first computing device comprising a monitor configured to receive network traffic from the first network, the monitor coupled to an authentication service by the first network, the authentication service logging network authentication-related events, including network logon and logoff events, in an event log during an occurrence of a network authentication-related event; and
- a second computing device comprising a collector in communication with the monitor, the collector being configured to receive an event log from the monitor and extract a first user name, a time stamp, and a first network address from an authenticated-related event portion of the event log received from the monitor;
- wherein the monitor is further configured to monitor the received network traffic on the first network;
- wherein the collector is further configured to:
  - identify at least one packet from the network traffic that contains a second network address matching the first network address;
  - identify a time stamp within the network packet;
  - determine that the time stamp within the network packet is equal to or later than the time stamp from the authenticated-related event portion of the event log; and
  - based on the determining, associate the at least one packet with the first user name.

Dependent claims: 9, 10, 11, 12, 13, 14, 15

16. A computer program embodied on at least one nontransitory computer-readable medium for executing a method, the method comprising:
- receiving, by a monitor module, via a first network, an event log from an authentication service that authorizes user access to resources on the first network, the event log including an event authorizing access to the resources on the first network;
- receiving, by a collector module, the event log from the monitor module over a second network, the second network enabling the collector module and the monitor module to communicate without using the first network;
- extracting, by the collector module, a first user name, a time stamp, and a first network address from the event log;
- receiving, by the monitor module, network traffic from the first network;
- identifying, by the collector module, at least one packet from the network traffic that contains a second network address matching the first network address;
- identifying, by the collector module, a time stamp within the network packet;
- determining, by the collector module, that the time stamp within the network packet is equal to or later than the time stamp from the event log; and
- based on the determining, associating, by the collector module, the at least one packet with the first user name.

Dependent claims: 17, 18, 19, 20, 21, 22
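The correlation the independent claims describe, as an added Python example (not code from the patent or its assignee): a collector extracts user name, time stamp and network address from a constructed authentication event log, pairing each logon with its later logoff as claim 8 suggests, and a packet is attributed to a user only when its address matches and its time stamp is equal to or later than the logon (and earlier than the matching logoff). The log format, the session pairing rule and the tie-break for a reused address are assumptions; the claims do not specify them.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed sample event log (not from the patent): time stamp, event, user, address.
SAMPLE_EVENT_LOG = """\
2024-03-01T08:00:00 LOGON  alice 10.0.0.5
2024-03-01T08:05:00 LOGON  bob   10.0.0.9
2024-03-01T09:00:00 LOGOFF alice 10.0.0.5
2024-03-01T09:30:00 LOGON  carol 10.0.0.5
"""

@dataclass
class Session:
    user: str
    address: str
    logon: datetime
    logoff: Optional[datetime] = None  # None while the session is still open

def collect_sessions(event_log: str) -> list[Session]:
    """Collector: extract (user, time stamp, address) from each authentication
    event and pair a LOGON with the later LOGOFF for the same user and address."""
    sessions: list[Session] = []
    for line in event_log.splitlines():
        ts_text, kind, user, address = line.split()
        ts = datetime.fromisoformat(ts_text)
        if kind == "LOGON":
            sessions.append(Session(user, address, ts))
        elif kind == "LOGOFF":
            # Close the most recent still-open session for this user/address pair.
            for s in reversed(sessions):
                if s.user == user and s.address == address and s.logoff is None:
                    s.logoff = ts
                    break
    return sessions

def attribute_packet(sessions: list[Session], address: str, pkt_ts: datetime) -> Optional[str]:
    """Associate a packet with the user whose session on the same address was open
    at the packet's time stamp (logon <= pkt_ts, and pkt_ts < logoff if logged off).
    If the address was later handed to another user, the latest qualifying logon wins."""
    best: Optional[Session] = None
    for s in sessions:
        if s.address != address or pkt_ts < s.logon:
            continue  # address mismatch, or packet predates this logon
        if s.logoff is not None and pkt_ts >= s.logoff:
            continue  # packet after this session ended
        if best is None or s.logon > best.logon:
            best = s
    return best.user if best else None
```

A packet seen on an address with no open session returns `None` rather than being attributed to the previous holder of that address, which is the case that matters when addresses are reassigned.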
Specification