1. Field of the Invention
The present invention relates, in general, to data communication network management, and, more particularly, to software, systems and methods for resolving the identity of a user of a network attached computer when multiple users have access to the network attached computer.
2. Relevant Background
Various network management tasks would benefit from being able to associate particular network activities and events with specific users. Examples include access control, auditing, bandwidth management, network blocking, network filtering, usage policy management, troubleshooting, quality of service management, prioritization of service, and the like. However, network communication packets are associated only with a network address, such as an internet protocol (IP) address, assigned to each network connection when a machine attaches to a network. In most networks each machine uses a single connection that is shared by all users and all software processes that access the network. In other systems, called “multi-homed”, a network-connected device may have multiple connections; however, these connections may also be shared among multiple users and software processes.
A network connection is shared by multiple software processes executing on a machine. So that network packets are directed to the correct software process, the transmission control protocol (TCP) typically used with IP packets uses a port number in combination with the IP address to uniquely identify each process. In a typical system a port number may range from 0 to 65535. Port numbers below 1024 are reserved as “well-known” or otherwise registered for use with particular applications.
It is common for network-connected devices to require some form of user log-in to gain access, in which the user identifies himself or herself and provides some form of credentials (e.g., a password, certificate and the like) to authenticate that identity. An authentication authority, such as a domain controller, authenticates a user and establishes a session, usually having a defined lifetime, for that user. In some cases a user must log in to each network resource that is being used, while in other cases a user logs in one time and is granted access to all network-connected resources. Increasingly, domain-based access control is becoming prevalent, in which a network administrator defines domains comprising a collection of network resources that allow users to log into an entire domain with a single authentication. In each of these cases, once a user logs in, subsequent network activity rarely requires that the user provide authentication credentials again. Once authenticated, the network-coupled devices operate as if the original user that logged in remains logged in until a log-out operation occurs or the user's session times out. Significantly, the session is logically independent of the machine address assigned to a network connection used by a device.
Hence, network activities as represented by the communication packets are able to use a network address to identify the machine involved in the activity and/or the port number to identify a software process using the network connection, but neither of these techniques is able to resolve the user associated with a network packet. Associating a user identification with a network packet is made even more complex by the common use of dynamic addressing, in which network addresses are automatically assigned to connections such that the mapping between machines and network addresses is frequently changing.
In the case of single-user devices (e.g., a workstation), the network address is usually correlated with the single user that is the authenticated user for the device. Essentially, very little, if any, network traffic occurs unless the single authorized user is logged into and authenticated on the device. Hence, by correlating the network address with a particular machine to which that address is assigned, one can assume that the single authorized user is associated with each packet.
In multi-user environments, however, the problem of associating a particular user with an in-transit or stored packet is much more difficult. A multi-user device allows multiple users to use the same computer at the same time and/or at different times. A multi-user device might include, for example, a workstation running an operating system that implements multiple user accounts, such as Linux, Unix, Windows 2000 and Windows XP, among others, as well as remote access technologies such as Microsoft Windows Terminal Services, Citrix MetaFrame Services and the like. In addition to workstation, remote access, and home computer type devices, multi-user devices might also include a variety of appliances such as cash registers, office equipment, set top boxes, home automation controls, and the like, in which multiple people or software processes are authorized to use the machine at the same time or at different times.
It is possible to use a script invoked by a mandatory client-side agent to capture information when a user logs onto a workstation. This mechanism is generally effective so long as all machines that couple to a network can be forced to execute the script. However, logins of local (non-domain) users who do not run login scripts are not recorded. Also, network addresses can change. A workstation's IP address can change, even with an interactive user currently logged in. While this is a rare occurrence for traditional fixed-location desktop workstations, portable and mobile computing devices change network addresses when roaming to different wireless networks in a building, suspending and resuming, physically connecting to different networks in different conference rooms, and the like. Also, when logging into a virtual private network (VPN) or remote access server (RAS), login scripts are often not invoked. Another limitation of script-based solutions is that while a script can, with exceptions such as those noted above, be relied on to capture a logon event, capturing logoff events is more difficult. As a result, it is possible to incorrectly attribute network traffic to a user that has in fact already logged off.
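The attribution problem described in the preceding paragraphs (address-to-user correlation on a single-user workstation, ambiguity on a multi-user host, and the stale results a login-script log gives once addresses change or a logoff goes unrecorded) can be modelled with a few lines of code. The example below is an added illustration and is not part of the patent text; all hosts, user names, addresses, times and events in it are constructed sample data, and the two resolvers (`naive_user_for_ip`, keyed only on the address captured by a login script, and `attribute`, which first maps the address to a host through a lease log and then looks up open sessions on that host) are hypothetical, not a description of any real product.

```python
"""Constructed model of packet-to-user attribution (added example, not from the patent)."""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Lease:
    time: int    # seconds on a constructed clock
    ip: str
    host: str


@dataclass(frozen=True)
class SessionEvent:
    time: int
    host: str
    user: str
    kind: str    # "logon" or "logoff"
    ip: str      # address the host had when the login script ran


def naive_user_for_ip(events: List[SessionEvent], ip: str, at: int) -> Optional[str]:
    """Script-only approach: the user in the most recent logon record carrying this IP.
    It ignores address changes, concurrent sessions and missing logoff events."""
    hits = [e for e in events if e.kind == "logon" and e.ip == ip and e.time <= at]
    return max(hits, key=lambda e: e.time).user if hits else None


def host_for_ip(leases: List[Lease], ip: str, at: int) -> Optional[str]:
    """Host that held `ip` at time `at`, according to the most recent lease."""
    hits = [l for l in leases if l.ip == ip and l.time <= at]
    return max(hits, key=lambda l: l.time).host if hits else None


def users_on_host(events: List[SessionEvent], host: str, at: int) -> Set[str]:
    """Users with an open session on `host` at time `at`, replaying logon/logoff events."""
    active: Set[str] = set()
    for e in sorted(events, key=lambda e: e.time):
        if e.host != host or e.time > at:
            continue
        if e.kind == "logon":
            active.add(e.user)
        else:
            active.discard(e.user)
    return active


def attribute(leases: List[Lease], events: List[SessionEvent],
              ip: str, at: int) -> Tuple[Optional[str], Set[str]]:
    """Lease-aware approach: address -> host -> open sessions.
    An empty set means 'unresolved'; more than one user means 'ambiguous'."""
    host = host_for_ip(leases, ip, at)
    return (host, users_on_host(events, host, at)) if host else (None, set())


# Constructed sample data.
LEASES = [
    Lease(0,   "10.0.0.10", "WS-ALICE"),      # fixed single-user workstation
    Lease(0,   "10.0.0.20", "TS-01"),         # terminal server, many users at once
    Lease(0,   "10.0.0.30", "LAPTOP-BOB"),
    Lease(300, "10.0.0.31", "LAPTOP-BOB"),    # bob roams to another wireless segment
    Lease(600, "10.0.0.30", "LAPTOP-CAROL"),  # bob's old address reissued to carol's laptop
]
EVENTS = [
    SessionEvent(10, "WS-ALICE", "alice", "logon", "10.0.0.10"),
    SessionEvent(20, "TS-01",    "dave",  "logon", "10.0.0.20"),
    SessionEvent(30, "TS-01",    "erin",  "logon", "10.0.0.20"),
    SessionEvent(40, "LAPTOP-BOB", "bob", "logon", "10.0.0.30"),
    # bob suspends the laptop, so no logoff is ever recorded;
    # carol is a local (non-domain) user, so no login script runs on her laptop.
]


if __name__ == "__main__":
    for ip, at in [("10.0.0.10", 100), ("10.0.0.20", 100), ("10.0.0.30", 700), ("10.0.0.31", 700)]:
        print(ip, at, "naive:", naive_user_for_ip(EVENTS, ip, at),
              "lease-aware:", attribute(LEASES, EVENTS, ip, at))
```

For the single-user workstation both resolvers agree on `alice`. For the terminal server the script-only resolver silently picks the most recent logon (`erin`) for every packet, including dave's, whereas the lease-aware resolver reports both users and so exposes the ambiguity. For the reissued address the script-only resolver still blames `bob` long after he has gone, while the lease-aware resolver correctly names `LAPTOP-CAROL` and reports no resolvable user, and it also still attributes bob's traffic from his new address, which the script log never saw.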
In a Windows 2000 environment, there are objects in Active Directory that map computer names to IP addresses, and even purport to give the name of the current interactive user for a machine. Unfortunately, the loose consistency model of Active Directory makes it difficult if not impossible to rely on its data for real-time mapping of IP addresses to computers and thence to users. Multiple replicas of each domain's data exist on various domain controllers in the organization, and there may, in extreme cases, be spans of several hours during which one domain controller will have out-of-date data.
Similar problems occur when Windows 2000 domain name service (DNS) servers are being used and they are configured to store zone information in Active Directory. In this case, zone data is replicated between master and slave name servers in a manner dictated by Active Directory replication semantics. Again, this can result in a DNS server in one site having different hostname-to-IP mappings than that of another DNS server in another zone.
Another alternative for legacy networks that are still using NetBIOS is to use commands such as NBTSTAT to determine the user logged in at a particular time. A drawback to this approach is that corporations are phasing out NetBIOS, and there is no time stamp associated with NetBIOS, so it is possible to query the wrong user/machine name for a particular event.
As a result, devices such as network management tools that monitor and manage network traffic are not able to resolve a user identification from a particular packet. These devices are only able to resolve machine identification (e.g., an IP address) from the packet. When actual user identification is required the packets must be painstakingly correlated with information logged by other machines and services (e.g., network and/or domain controller logs) when such information is available.
Hence, there remains a need for methods and systems that provide improved name resolution in multi-user systems such that particular individual users can be identified with improved accuracy and resolution from information contained in packet communications.