
US-12621329-B1 - Ssh lineage table-based tracking of user login sessions


Abstract

An illustrative system includes a processor configured to: determine that a first user login session and a second user login session have a parent-child relationship that indicates that a particular user is associated with both the first and second user login sessions; link first user login activity performed during the first user login session and second user login activity performed during the second user login session to the user; and identify, at least in part by using an ssh lineage table, an original login session associated with a subsequent chain of login sessions; and a memory coupled to the processor and configured to provide the processor with instructions.

Inventors

  • Murat Bog
  • Vikram Kapoor
  • Samuel Joseph Pullara, III
  • Yijou Chen
  • Harish Kumar Bharat Singh

Assignees

  • FORTINET, INC.

Dates

Publication Date
20260505
Application Date
20240610

Claims (20)

  1. A system comprising: a processor configured to: determine that a first user login session and a second user login session have a parent-child relationship that indicates that a particular user is associated with both the first and second user login sessions; link first user login activity performed during the first user login session and second user login activity performed during the second user login session to the user; and identify, at least in part by using an ssh lineage table, an original login session associated with a subsequent chain of login sessions; and a memory coupled to the processor and configured to provide the processor with instructions.
  2. The system of claim 1, wherein: the processor is further configured to receive first information associated with the first user login activity and second information associated with the second user login activity; and the determining is based on the first information and the second information.
  3. The system of claim 2, wherein the first information and the second information are received, respectively, from a first agent on a first host and a second agent on a second host.
  4. The system of claim 3, wherein the first host and second host are different.
  5. The system of claim 3, wherein the first host and second host are the same.
  6. The system of claim 2, wherein the first information is obtained in response to identifying one or more ssh connection records occurring within a first time period.
  7. The system of claim 1, wherein the determining that the first user login session and second user login session have the parent-child relationship includes matching a pair of ssh connection records occurring within a first time period, wherein a first member of a matched pair corresponds to a source of a connection and wherein a second member of the matched pair corresponds to a destination of the connection.
  8. The system of claim 1, wherein the determining that the first user login session and second user login session have the parent-child relationship includes matching a pair of ssh connection records in which a first member of a matched pair occurs within a first time period and wherein a second member of the matched pair occurs outside the first time period.
  9. The system of claim 1, wherein the determining that the first user login session and the second user login session have the parent-child relationship includes matching a pair of ssh connection records, and wherein, in response to a determination that multiple matches are possible, a pair having a smallest delta between respective start times is selected.
  10. The system of claim 1, wherein the determining that the first user login session and the second user login session have the parent-child relationship includes matching a pair of ssh connection records using a GUID included by a client in a connection request.
  11. The system of claim 1, wherein the linking the first user login activity and the second user login activity includes joining an ssh connection record and a new login record.
  12. The system of claim 1, wherein at least one of the first login session and the second login session is included in the subsequent chain of login sessions.
  13. The system of claim 1, wherein the original login session occurs on a first machine and wherein at least one session included in the subsequent chain of login sessions occurs on a second machine that is different from the first machine.
  14. The system of claim 1, wherein the processor is configured to identify the original login session by recursively determining adjacency relationships between login sessions.
  15. The system of claim 1, wherein the linking the first user login activity and the second user login activity includes associating a process to a child process using a process hierarchy.
  16. A method comprising: determining that a first user login session and a second user login session have a parent-child relationship that indicates that a particular user is associated with both the first and second user login sessions; linking first user login activity performed during the first user login session and second user login activity performed during the second user login session to the user; and identifying, at least in part by using an ssh lineage table, an original login session associated with a subsequent chain of login sessions.
  17. The method of claim 16, further comprising: receiving first information associated with the first user login activity and second information associated with the second user login activity; wherein the determining is based on the first information and the second information.
  18. The method of claim 17, wherein the first information and the second information are received, respectively, from a first agent on a first host and a second agent on a second host.
  19. A non-transitory computer readable storage medium comprising computer instructions stored thereon that, when executed by a processor, cause the processor to: determining that a first user login session and a second user login session have a parent-child relationship that indicates that a particular user is associated with both the first and second user login sessions; linking first user login activity performed during the first user login session and second user login activity performed during the second user login session to the user; and identifying, at least in part by using an ssh lineage table, an original login session associated with a subsequent chain of login sessions.
  20. The non-transitory computer readable storage medium of claim 19, wherein the computer instructions, when executed by the processor, are further to: receiving first information associated with the first user login activity and second information associated with the second user login activity; wherein the determining is based on the first information and the second information.
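The following is an added illustration of the mechanism the claims describe, written for this page; it is not code from the patent and not Fortinet's implementation. It builds a small ssh lineage table from constructed agent records: a source-side and a destination-side ssh connection record are paired on matching endpoints (claim 7), a start-time window with the smallest delta breaking ties (claims 8 and 9), or a client-supplied GUID that overrides the window (claim 10); the resulting child-to-parent table is then walked back to the original login session (claim 14) so that activity in any later session is attributed to the user who started the chain. The session identifiers, hosts, IP addresses, timestamps and the `SshRecord` field layout are all assumptions made for the example.

```python
"""Toy ssh lineage table (added example; not the patent's or Fortinet's code).

Applies the record-matching rules of claims 7-11 and the recursive parent
walk of claim 14 to constructed agent records.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class LoginSession:
    session_id: str      # hypothetical id assigned by the host agent
    host: str
    user: str
    start: float         # seconds; constructed values


@dataclass(frozen=True)
class SshRecord:
    """One side of an ssh connection, as the agent on that host would report it."""
    side: str            # "client" = source of the connection, "server" = destination
    session_id: str      # client: login session that ran ssh; server: login session it created
    src_ip: str
    dst_ip: str
    dst_port: int
    start: float
    guid: Optional[str] = None   # optional client-supplied GUID (claim 10)


def _same_endpoints(a: SshRecord, b: SshRecord) -> bool:
    return (a.src_ip, a.dst_ip, a.dst_port) == (b.src_ip, b.dst_ip, b.dst_port)


def match_ssh_connections(records: List[SshRecord], window: float) -> List[Tuple[str, str]]:
    """Return (parent_session, child_session) pairs.

    Each server record is paired with the not-yet-used client record that has
    the same endpoints and either an identical GUID (time window ignored) or a
    start time within `window` seconds; if several qualify, the smallest
    start-time delta wins (claim 9).
    """
    clients = [r for r in records if r.side == "client"]
    servers = sorted((r for r in records if r.side == "server"), key=lambda r: r.start)
    used = set()
    pairs = []
    for srv in servers:
        best, best_delta = None, None
        for idx, cli in enumerate(clients):
            if idx in used or not _same_endpoints(cli, srv):
                continue
            delta = abs(srv.start - cli.start)
            if cli.guid and srv.guid:
                if cli.guid != srv.guid:
                    continue          # both sides carry a GUID and they differ
            elif delta > window:
                continue              # no usable GUID: fall back to the time window
            if best is None or delta < best_delta:
                best, best_delta = idx, delta
        if best is not None:
            used.add(best)
            pairs.append((clients[best].session_id, srv.session_id))
    return pairs


def build_lineage(pairs: List[Tuple[str, str]]) -> Dict[str, str]:
    """ssh lineage table: child session -> parent session (the join of claim 11)."""
    lineage: Dict[str, str] = {}
    for parent, child in pairs:
        lineage.setdefault(child, parent)
    return lineage


def original_session(lineage: Dict[str, str], session_id: str) -> str:
    """Follow parent links until a session with no parent is reached (claim 14).

    Written as a loop with a visited set so a malformed table cannot recurse forever.
    """
    seen = set()
    current = session_id
    while current in lineage:
        if current in seen:
            raise ValueError(f"cycle in lineage table at {current}")
        seen.add(current)
        current = lineage[current]
    return current


def linked_user(sessions: Dict[str, LoginSession], lineage: Dict[str, str], session_id: str) -> str:
    """Attribute activity in `session_id` to the user of the original session."""
    return sessions[original_session(lineage, session_id)].user


# Constructed sample: joe.smith logs in on host-a, ssh's to host-b as
# administrator, then from host-b to host-c as root. fred.jones makes a
# near-simultaneous ssh from host-a to host-b that must not be confused with Joe's.
SESSIONS = {s.session_id: s for s in [
    LoginSession("s1", "host-a", "joe.smith", 90.0),
    LoginSession("s2", "host-b", "administrator", 100.3),
    LoginSession("s3", "host-c", "root", 209.0),
    LoginSession("s4", "host-a", "fred.jones", 95.0),
    LoginSession("s5", "host-b", "administrator", 101.6),
]}

RECORDS = [
    SshRecord("client", "s1", "10.0.0.1", "10.0.0.2", 22, 100.0),
    SshRecord("server", "s2", "10.0.0.1", "10.0.0.2", 22, 100.3),
    SshRecord("client", "s4", "10.0.0.1", "10.0.0.2", 22, 101.5),
    SshRecord("server", "s5", "10.0.0.1", "10.0.0.2", 22, 101.6),
    SshRecord("client", "s2", "10.0.0.2", "10.0.0.3", 22, 200.0, guid="g-7f3a"),
    SshRecord("server", "s3", "10.0.0.2", "10.0.0.3", 22, 209.0, guid="g-7f3a"),  # outside the window; GUID still matches
]


def trace(session_id: str, window: float = 5.0) -> Tuple[str, str]:
    """(original session, original user) for a session in the constructed sample."""
    lineage = build_lineage(match_ssh_connections(RECORDS, window))
    return original_session(lineage, session_id), linked_user(SESSIONS, lineage, session_id)


if __name__ == "__main__":
    for sid in ("s3", "s5"):
        print(sid, "->", trace(sid))
```

The server record for `s2` at 100.3 has two candidate client records with the same endpoints (`s1` at 100.0 and `s4` at 101.5); the smallest delta selects `s1`, leaving `s4` to pair with `s5`, so Fred's hop is not folded into Joe's chain. The `s2`-to-`s3` hop lands outside the 5-second window but is still matched because both sides carry the same GUID.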

Description

CROSS REFERENCE TO OTHER APPLICATIONS

This application is a continuation of U.S. patent application Ser. No. 17/466,718, filed Sep. 3, 2021, which is a continuation of U.S. patent application Ser. No. 16/519,519, filed Jul. 23, 2019, now U.S. Pat. No. 11,134,093, which is a continuation of U.S. patent application Ser. No. 16/134,798, filed Sep. 18, 2018, now U.S. Pat. No. 10,425,437, which claims priority to U.S. Provisional Patent Application No. 62/590,986, filed Nov. 27, 2017, and to U.S. Provisional Patent Application No. 62/650,971, filed Mar. 30, 2018, each of which is incorporated herein by reference in its entirety.

BACKGROUND OF THE INVENTION

Individuals such as system administrators and application developers often make use of multiple accounts to perform their roles. For example, an administrator, Joe, may have a personal account on a system (username=Joe.Smith) and may also have access to an administrator account (username=administrator) on the same system. The administrator account may be shared by multiple individuals (e.g., with another user, Fred, having a personal account of Fred.Jones and also having access to the administrator account). As another example, Joe may have access to accounts on multiple systems (e.g., access to one or more accounts on a database server and one or more accounts on an application server). Suppose Joe is a nefarious individual (or, in the alternate, that Joe is an honest individual whose personal account has been compromised by a nefarious individual). Joe's authorization to use certain resources (e.g., log into a system as an administrator) can be leveraged to take unauthorized actions. Unfortunately, detecting such unauthorized behaviors can be difficult, particularly in network environments that make use of virtualized resources (e.g., cloud-based datacenters).

BRIEF DESCRIPTION OF THE DRAWINGS

Various embodiments of the invention are disclosed in the following detailed description and the accompanying drawings.
FIG. 1 illustrates an example of an environment in which activities that occur within datacenters are modeled.
FIG. 2 illustrates an example of a process, used by an agent, to collect and report information about a client.
FIG. 3A illustrates an example of static information collected by an agent.
FIG. 3B illustrates an example of variable information collected by an agent.
FIG. 3C illustrates an example of histogram data.
FIG. 3D illustrates an example of histogram data.
FIG. 4 illustrates a 5-tuple of data collected by an agent, physically and logically.
FIG. 5 illustrates a portion of a polygraph.
FIG. 6 illustrates a portion of a polygraph.
FIG. 7 illustrates an example of a communication polygraph.
FIG. 8 illustrates an example of a polygraph.
FIG. 9 illustrates an example of a polygraph as rendered in an interface.
FIG. 10 illustrates an example of a portion of a polygraph as rendered in an interface.
FIG. 11 illustrates an example of a portion of a polygraph as rendered in an interface.
FIG. 12 illustrates an example of a portion of a polygraph as rendered in an interface.
FIG. 13 illustrates an example of a portion of a polygraph as rendered in an interface.
FIG. 14 illustrates an example of an insider behavior graph as rendered in an interface.
FIG. 15 illustrates an example of a privilege change graph as rendered in an interface.
FIG. 16 illustrates an example of a user login graph as rendered in an interface.
FIG. 17 illustrates an example of a machine server graph as rendered in an interface.
FIG. 18 illustrates an example of a process for detecting anomalies in a network environment.
FIG. 19A depicts a set of example processes communicating with other processes.
FIG. 19B depicts a set of example processes communicating with other processes.
FIG. 19C depicts a set of example processes communicating with other processes.
FIG. 19D depicts two pairs of clusters.
FIG. 20 is a representation of a user logging into a first machine, then into a second machine from the first machine, and then making an external connection.
FIG. 21 is an alternate representation of actions occurring in FIG. 20.
FIG. 22 illustrates an example of a process for performing extended user tracking.
FIG. 23 is a representation of a user logging into a first machine, then into a second machine from the first machine, and then making an external connection.
FIG. 24 illustrates an example of a process for performing extended user tracking.
FIG. 25A illustrates example records.
FIG. 25B illustrates example output from performing an ssh connection match.
FIG. 25C illustrates example records.
FIG. 25D illustrates example records.
FIG. 25E illustrates example records.
FIG. 25F illustrates example records.
FIG. 25G illustrates an adjacency relationship between two login sessions.
FIG. 25H illustrates example records.
FIG. 26 illustrates an example of a process for detecting anomalies.
FIG. 27A illustrates a representation of an embodiment of an insider behavior graph.
FIG. 27B i