Title of invention: Monitoring the life cycle of a computer network connection
Abstract: Monitoring of a life cycle of a connection of a network client device to a network via monitoring time synchronization traffic flowing between one or more network client devices and a time server in a network is provided. A system for monitoring a life cycle of a connection of a network client device to a network includes a security device operable to identify a true identity of the one or more network client devices, identify a network client device's connections to and disconnections from the network, determine which network client devices have been associated with a particular internet protocol (IP) address, and generate an output of connection and disconnection information associated with a network client device. In some examples, the security device is operable to detect anomalies and malicious patterns in the network.
Publication number: US9614861(B2) Publication date: 2017.04.04
Application number: US201514836576 Filing date: 2015.08.26
Applicant: Microsoft Technology Licensing, LLC Inventors: Be'ery Tal Arieh;Grady Itai;Plotnik Idan
Classification: H04L29/06;H04L12/26;H04L29/12 Main classification: H04L29/06
Agency: Merchant & Gould Agent: Merchant & Gould
Principal claim: 1. A computer-implemented method for monitoring a life cycle of a network client device on a computer network, comprising executing on a processor the steps of: monitoring time synchronization protocol messages associated with the computer network; receiving a time synchronization protocol request message sent by a network client device intended for a time server; determining whether the time synchronization protocol request message is associated with an initial connection event of the network client device; in response to making a positive determination, determining the network client device is connected to the computer network; determining a true identity of the network client device connecting to the computer network, wherein determining the true identity of the network client device comprises parsing the time synchronization protocol request message and extracting from the time synchronization protocol request message data corresponding to: a unique identifier that identifies the network client device; and the unique identifier identifies the network client device, wherein: the unique identifier identifies a relative identifier for the network client device; the unique identifier identifies a domain security identifier for a domain in which the network client device is grouped; and wherein the unique identifier identifies the true identity of the network client device; associating the true identity of the network client device with an internet protocol (IP) address; determining when the network client disconnects from the computer network based on the time synchronization protocol messages; and generating a report identifying the life cycle of the network client device associated with the IP address based on connection and disconnection data associated with the network client device.
Address: Redmond WA US