The term “computer network” generally refers to a system for enabling communication between or among computers or equivalent computing devices. When configured to include a server providing a directory service, the computer network becomes an integrated distributed computing environment, hereinafter “networked environment”, where authenticated computing devices and users of these devices can utilize network resources, such as by using or sharing data or attached peripherals, or communicate with each other. Communication on a networked environment is commonly achieved by using a “network packet,” or sometimes simply referred to as a “packet.” The term “network traffic” is commonly used to refer to either a single packet or collective group of packets that are traversing on the networked environment at a given moment.
In order to use these network resources, a user, sometimes referred to as a real user, usually logs onto the networked environment that provides access to these network resources. Attempting to log-on to a networked environment initiates an authentication process. During the authentication process, the user will attempt to log-on to networked environment by entering a user name and password on a computing device. The device will request credentials from an authentication service provided by the networked environment.
The computing device sends the request for credentials to the authentication service in the form of an authentication request packet that includes the user name. If the user name is valid, the authentication service will authenticate the user name of the real user by, among other things, replying with an authentication response packet, which may contain a session key encrypted with the password. The session key permits the real user's computing device to use and communicate with network resources on the networked environment. The authentication request packet and authentication response packet are sometimes respectively referred to as an authentication exchange request packet and an authentication exchange response packet under the Kerberos protocol.
However, the above approach has its limitations because it relies on a trusted computing concept. Once a user name, or other network entity, is authenticated, that user name becomes a trusted network entity on the networked environment and has access to network resources, such as data, on the networked environment usually limited by only the security policy defined for that authenticated user name and the lifetime of the session key granted. Consequently, a need exists for monitoring network traffic, and more particularly, for associating certain packets according to a selected category, such as information related to a real user, including user name, group, organizational unit or other category, by using a monitor device.