1. Technical Field
The invention relates to network monitoring. More particularly, the invention relates to the collection, distribution, and correlation of user identities with network addresses for use in connection with passive monitoring of network traffic pursuant to a corporate policy.
2. Description of the Prior Art
As the Internet expands into all aspects of business, companies must implement their business rules as policies on their internal network. Companies also incur risks to their business from intruders, both internal and external, who use the networks as a medium of attack. Existing security tools are able to monitor network activity and determine certain kinds of attacks against company infrastructure. Others can examine traffic passively and describe how it varies from company policies/controls, in near real time or by examining system logs and other forensic data. However, existing tools differ from corporate policies in a very important way, i.e. the tools describe machine behavior in terms of network address, and the policies describe user behavior in terms of user names, user groups, and user roles. Unfortunately, the network address provides a limited level functionality with regard to such user names, user groups, and user roles. It would therefore be advantageous to provide a method and apparatus that allowed correlation of user identity with network address, for example, in connection with the enforcement of a corporate policy, in a way that permits the tool to make decisions about network traffic in near real time, based on these identities.
In the identity management area, prior art from Microsoft® [NAP] and Cisco [NAC] associate user identity with network attachment. These technologies use an integration of an authentication protocol, such as 802.1x [802.1x], with the network switch to determine which user is connected to which switch port. A policy for admission to the network is then applied to the user name. These characteristics overlap this invention. However, the policy is limited to admission only. The user's activity is not tracked after connection, and a behavioral policy is not associated with the user. The invention extends protection provided by the prior art by monitoring and correlating the non-authenticated network behavior of users with their previously established identities for the duration of their network presence. The invention also provides this protection without need to upgrade network infrastructure, e.g. switches and authentication systems, to include new capabilities.
Security Event Management (SEM) systems aggregate security log information into a centralized database and search it on demand. These systems are able to associate user identity with network address, such as IP address. These techniques overlap some embodiments of the invention by using security event log information to user and network address information. Unlike the invention, SEM systems do not monitor network behavior; do not uniformly apply policy to network behavior, and are not able to synthesize logout information.
Prior policy languages [SPL] and policy development software [PDSTUDIO] provide mechanisms for describing network behavior based on IP address. This invention builds on this characteristic to extend policy monitoring to user and group identities.