Monitoring network traffic by using event log information

US 9,584,522 B2
Filed: 04/04/2006
Issued: 02/28/2017
Est. Priority Date: 02/26/2004
Status: Active Grant

First Claim

Patent Images

1. A computer implemented method comprising:

receiving, by a first computing device via a first network, an event log from an authentication service that authorizes user access to resources on the first network, the event log including an event authorizing access to the resources on the first network;

receiving, by a second computing device, the event log from the first computing device over a second network, the second network enabling the first computing device and the second computing device to communicate without using the first network;

extracting, by the second computing device, a first user name, a time stamp, and a first network address from an authenticated-related event portion of the event log;

receiving, by the first computing device, network traffic from the first network;

identifying, by the second computing device, at least one packet from the network traffic that contains a second network address matching the first network address;

identifying, by the second computing device, a time stamp within the network packet;

determining that the time stamp within the network packet is equal to or later than the time stamp from the authenticated-related event portion of the event log; and

based on the determining, associating, by the second computing device, the at least one packet with the first user name.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A solution is provided for associating network traffic traversing a networked environment according to a selected category item, such as a user name or other network entity identity-related information. The solution includes a collector and a monitor. The collector extracts a user name and a network address from an event log maintained on the networked environment. The monitor receives the network traffic and identifies at least one packet having a network address that matches the extracted network address. After at least one of the packets is identified, the collector associates the identified packet(s) with the extracted user name.

74 Citations

22 Claims

1. A computer implemented method comprising:
- receiving, by a first computing device via a first network, an event log from an authentication service that authorizes user access to resources on the first network, the event log including an event authorizing access to the resources on the first network;
  
  receiving, by a second computing device, the event log from the first computing device over a second network, the second network enabling the first computing device and the second computing device to communicate without using the first network;
  
  extracting, by the second computing device, a first user name, a time stamp, and a first network address from an authenticated-related event portion of the event log;
  
  receiving, by the first computing device, network traffic from the first network;
  
  identifying, by the second computing device, at least one packet from the network traffic that contains a second network address matching the first network address;
  
  identifying, by the second computing device, a time stamp within the network packet;
  
  determining that the time stamp within the network packet is equal to or later than the time stamp from the authenticated-related event portion of the event log; and
  
  based on the determining, associating, by the second computing device, the at least one packet with the first user name.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1 wherein the first user name is used to select the at least one packet to determine the network usage of a real user associated with the first user name.
  - 3. The method of claim 1, further comprising using the first user name as a category item in a first set of category items;
    - and wherein the first user name is used for selecting the at least one packet to determine the network usage of a real user associated with the first user name.
  - 4. The method of claim 3, further comprising extracting a second user name and a third network address.
  - 5. The method of claim 4, further comprising:
    - identifying at least one packet from the network traffic that contains a fourth network address matching the third network address; and
      
      associating the at least one packet that contains the fourth network address with the second user name.
  - 6. The method of claim 5, further comprising:
    - using the second user name as a category item in a second set of category items; and
      
      wherein the second user name is used for selecting the at least one packet that contains the fourth network address to determine the network usage of a real user associated with the second user name.
  - 7. The method of claim 1, further comprising obtaining additional category items for the first set of category items from a directory service provided on the networked environment, the additional category items comprising a group id attribute and an organizational unit attribute from a user object having a user name attribute matching the first user name.

8. A system comprising:
- a first network;
  
  a first computing device comprising a monitor configured to receive network traffic from the first network, the monitor coupled to an authentication service by the first network, the authentication service logging network authentication-related events, including network logon and logoff events, in an event log during an occurrence of a network authentication-related event; and
  
  a second computing device comprising a collector in communication with the monitor, the collector being configured to receive an event log from the monitor and extract a first user name, a time stamp, and a first network address from an authenticated-related event portion of the event log received from the monitor;
  
  wherein the monitor is further configured to monitor the received network traffic on the first network;
  
  wherein the collector is further configured to;
  
  identify at least one packet from the network traffic that contains a second network address matching the first network address;
  
  identify a time stamp within the network packet;
  
  determine that the time stamp within the network packet is equal to or later than the time stamp from the authenticated-related event portion of the event log; and
  
  based on the determining, associate the at least one packet with the first user name.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 15)
- - 9. The system of claim 8, wherein the collector is further configured to use the first user name to select the at least one packet to determine the network usage of a real user associated with the first user name.
  - 10. The system of claim 8, wherein the collector is further configured to use the first user name as a category item in a first set of category items, and the collector is further configured to use the first user name to select the at least one packet to determine the network usage of a real user associated with the first user name.
  - 11. The system of claim 10, wherein the collector is further configured to extract a second user name and a third network address.
  - 12. The system of claim 10, wherein the collector is further configured to obtain additional category items for the first set of category items from a directory service provided on the networked environment, the additional category items including a group id attribute and an organizational unit attribute from a user object having a user name attribute matching the first user name.
  - 13. The system of claim 10, further comprising a database for storing the first set of category items.
  - 14. The system of claim 13 further comprising a hypertext transfer protocol (HTTP) server for enabling queries to be performed on the database from a HTTP-enabled browser application executing on a computer.
  - 15. The system of claim 8, wherein the monitor comprises a packet processing engine and a network interface;
    - and wherein the packet processing engine and network interface are coupled to the networked environment.

16. A computer program embodied on at least one nontransitory computer-readable medium for executing a method, the method comprising:
- receiving, by a monitor module, via a first network, an event log from an authentication service that authorizes user access to resources on the first network, the event log including an event authorizing access to the resources on the first network;
  
  receiving, by a collector module, the event log from the monitor module over a second network, the second network enabling the collector module and the monitor module to communicate without using the first network;
  
  extracting, by the collector module, a first user name, a time stamp, and a first network address from the event log;
  
  receiving, by the monitor module, network traffic from the first network;
  
  identifying, by the collector module, at least one packet from the network traffic that contains a second network address matching the first network address;
  
  identifying, by the collector module, a time stamp within the network packet;
  
  determining, by the collector module, that the time stamp within the network packet is equal to or later than the time stamp from the event log; and
  
  based on the determining, associating, by the collector module, the at least one packet with the first user name.
- View Dependent Claims (17, 18, 19, 20, 21, 22)
- - 17. The computer-readable medium of claim 16, wherein the method further comprises using the first user name to select the at least one packet to determine the network usage of a real user associated with the first user name.
  - 18. The computer-readable medium of claim 16, the method further comprising using the first user name as a category item in a first set of category items;
    - and wherein the first user name is used for selecting the at least one packet to determine the network usage of a real user associated with the first user name.
  - 19. The computer-readable medium of claim 18, the method further comprising extracting a second user name and a third network address.
  - 20. The computer-readable medium of claim 19, the method further comprising:
    - identifying at least one packet from the network traffic that contains a fourth network address matching the third network address; and
      
      associating the at least one packet that contains the fourth network address with the second user name.
  - 21. The computer-readable medium of claim 20, the method further comprising using the second user name as a category item in a second set of category items;
    - and wherein the second user name is used for selecting the at least one packet that contains the fourth network address to determine the network usage of a real user associated with the second user name.
  - 22. The computer-readable medium of claim 16, the method further comprising storing the first user name, the time stamp, and the first network address associated with the event log separately from the time stamp and second network address associated with the at least one packet for later access.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Vmware LLC (Broadcom, Inc.)
Original Assignee
VMware, Inc. (Broadcom, Inc.)
Inventors
John, Pramod, Wang, Yingxian, Marti, Ramachandran V., Erlund, Maxine R.
Primary Examiner(s)
Chea, Philip
Assistant Examiner(s)
Ma, Wing

Application Number

US11/398,013
Publication Number

US 20060179140A1
Time in Patent Office

3,983 Days
Field of Search

709/203, 709/223, 709/224, 715/3, 726/22
US Class Current

1/1
CPC Class Codes

G06F 11/30   Monitoring

H04L 43/028   by filtering

H04L 43/04   Processing captured monitor...

H04L 61/4523   using lightweight directory...

H04L 63/102   Entity profiles

H04L 63/105   Multiple levels of security

H04L 67/02   based on web technology, e....

H04L 67/535   Tracking the activity of th...

Monitoring network traffic by using event log information

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

74 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Monitoring network traffic by using event log information

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

74 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links