System and method to associate a private user identity with a public user identity

US 8,868,765 B1
Filed: 03/15/2013
Issued: 10/21/2014
Est. Priority Date: 10/17/2006
Status: Active Grant

First Claim

Patent Images

1. A method for associating a user identity used for accessing a network, comprising:

recognizing an application session between the network and an application via a security gateway;

retrieving an application data field from a data packet transmitted over the application session;

creating an application session record for the application session, wherein the application session record comprises;

the application data field;

an application session time; and

a user identity for using the application session via a host having a host identity, wherein the creating comprises;

sending a query to an identity server, wherein the query comprises the application session time and the host identity;

receiving a response from the identity server to the query, wherein the response comprises a second user identity, wherein the identity server comprises an access session record for an access session between the host and the security gateway, wherein the access session record comprises an access session time, and the receiving comprises;

comparing by the identity server the access session time with the application session time; and

storing the second user identity as the user identity for using the application session in the application session record; and

determining that the application session time is between a starting time and an ending time of the access session record.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The inventive system includes a host, a network including a security gateway, and a public application. Established are an access session between the network and the host and an application session between the public application and the network. An application session record is created for the application session, and includes the user'"'"'s public user identity used to access the public application, the user'"'"'s private user identity used to access the network, a host identity, and an application session time. To determine the private user identity for the application session, the security gateway sends a query with the host identity and the application session time. These are compared with the host identity and access session time in an access session record. If they match, then the private user identity in the access session record is returned, and it is stored as the private user identity in the application session record.

69 Citations

View as Search Results

18 Claims

1. A method for associating a user identity used for accessing a network, comprising:
- recognizing an application session between the network and an application via a security gateway;
  
  retrieving an application data field from a data packet transmitted over the application session;
  
  creating an application session record for the application session, wherein the application session record comprises;
  
  the application data field;
  
  an application session time; and
  
  a user identity for using the application session via a host having a host identity, wherein the creating comprises;
  
  sending a query to an identity server, wherein the query comprises the application session time and the host identity;
  
  receiving a response from the identity server to the query, wherein the response comprises a second user identity, wherein the identity server comprises an access session record for an access session between the host and the security gateway, wherein the access session record comprises an access session time, and the receiving comprises;
  
  comparing by the identity server the access session time with the application session time; and
  
  storing the second user identity as the user identity for using the application session in the application session record; and
  
  determining that the application session time is between a starting time and an ending time of the access session record.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein the recognizing comprises:
    - identifying a pattern of the data packet transmitted between the network and the application; and
      
      matching the pattern with an application identifier for the application.
  - 3. The method of claim 2, wherein the retrieving comprises:
    - identifying a second pattern of the data packet transmitted between the network and the application; and
      
      storing the second pattern in the application session record as the application data field.
  - 4. The method of claim 1, wherein the user identity comprises at least one of:
    - a user name;
      
      an employee name;
      
      an employee number;
      
      a telephone number;
      
      a smartphone number;
      
      an email address;
      
      a mail-drop location;
      
      an office number;
      
      a cubicle number;
      
      a cubicle or office location;
      
      or a manager name.
  - 5. The method of claim 1, wherein the host identity comprises at least one of an IP address, a MAC address, and a computing device identity used to access the network.
  - 6. The method of claim 1, wherein the application data field comprises at least one of a public user identity, an email identity, a screen name, a buddy name, a messaging identity, an application command, a family field, a subtype field, a sequence number field, and a piece of information about a company document.
  - 7. The method of claim 1, wherein the application provides at least one of a real-time communication service, an instant messaging service, a messaging or email service, a voice service, a video service, a gaming service, a document exchange service, and a file sharing service.
  - 8. The method of claim 7, wherein the file sharing service uses a file transfer protocol.
  - 9. The method of claim 7, wherein the email service uses Simple Mail Transfer Protocol (SMTP), Internet Message Access Protocol (IMAP), or Post Office Protocol version 3 (POP3).

10. A system, comprising:
- a security gateway comprising a processor and a memory containing instructions which, when executed by the processor, cause the processor to perform a method, comprising;
  
  recognizing an application session between a network and an application via the security gateway;
  
  retrieving an application data field from a data packet transmitted over the application session;
  
  creating an application session record for the application session, wherein the application session record comprises;
  
  the application data field;
  
  an application session time; and
  
  a user identity for using the application session via a host having a host identity, wherein the creating comprises;
  
  sending a query to an identity server, wherein the query comprises the application session time and the host identity;
  
  receiving a response from the identity server to the query, wherein the response comprises a second user identity, wherein the identity server comprises an access session record for an access session between the host and the security gateway, wherein the access session record comprises an access session time, and the receiving comprises;
  
  comparing by the identity server the access session time with the application session time; and
  
  storing the second user identity as the user identity for using the application session in the application session record; and
  
  determining that the application session time is between a starting time and an ending time of the access session record.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The system of claim 10, wherein the recognizing comprises identifying a pattern of the data packet transmitted between the network and the application, and matching the pattern with an application identifier for the application.
  - 12. The system of claim 11, wherein the retrieving comprises identifying a second pattern of the data packet transmitted between the network and the application, and storing the second pattern in the application session record as the application data field.
  - 13. The system of claim 10, wherein the user identity comprises at least one of a user name, an employee name, an employee number, a telephone number, a smartphone number, an email address, a mail-drop location, an office number, a cubicle number, a cubicle or office location, and a manager name.
  - 14. The system of claim 10, wherein the host identity comprises at least one of an IP address, a MAC address, and a computing device identity used to access the network.
  - 15. The system of claim 10, wherein the application data field comprises at least one of a public user identity, an email identity, a screen name, a buddy name, a messaging identity, an application command, a family field, a subtype field, a sequence number field, and a piece of information about a company document.
  - 16. The system of claim 10, wherein the application provides at least one of a real-time communication service, an instant messaging service, a messaging or email service, a voice service, a video service, a gaming service, a document exchange service, and a file sharing service.
  - 17. The system of claim 16, wherein the file sharing service uses a file transfer protocol.
  - 18. The system of claim 16, wherein the email service uses Simple Mail Transfer Protocol (SMTP), Internet Message Access Protocol (IMAP), or Post Office Protocol version 3 (POP3).

Specification

Resources

Litigation Campaign Assessment

Current Assignee
A10 Networks Incorporated
Original Assignee
A10 Networks Incorporated
Inventors
Chen, Lee, Chiong, John, Wang, Xin
Primary Examiner(s)
SHAW, PETER C

Application Number

US13/841,496
Time in Patent Office

585 Days
Field of Search

709/228
US Class Current

709/228
CPC Class Codes

H04L 12/66   Arrangements for connecting...

H04L 2101/622   Layer-2 addresses, e.g. med...

H04L 2101/668   Internet protocol [IP] addr...

H04L 63/02   for separating internal fro...

H04L 63/0281   Proxies

H04L 63/04   for providing a confidentia...

H04L 63/08   for authentication of entit...

H04L 63/0853   using an additional device,...

H04L 63/10   for controlling access to d...

H04L 63/102   Entity profiles

H04L 63/30   for supporting lawful inter...

H04L 63/308   retaining data, e.g. retain...

H04L 65/1069   Session establishment or de...

H04L 65/1101   Session protocols

H04L 65/1104   Session initiation protocol...

H04L 65/401   wherein the services involv...

H04L 67/14   Session management for real...

H04L 67/141   Setup of application sessio...

H04L 67/146   Markers for unambiguous ide...

H04L 9/40   Network security protocols

System and method to associate a private user identity with a public user identity

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

69 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

System and method to associate a private user identity with a public user identity

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

69 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links