Educause Security Discussion mailing list archives

PAT address user identification: methods?


From: Bill Cotter <bcotter () POP UKY EDU>
Date: Thu, 26 Jan 2006 14:34:26 -0500

Here at the University of Kentucky we are slowly moving towards
PAT'ing more and more of our class-B addresses, in an effort to
ease the continuous expansion of our network. One of the problems
that comes with this architectural direction is the loss of
positive identification of interior users (private address) on the
PAT'ed addresses, as viewed from outside (public address).

With one-to-one addressing (ie: 128.163.x.x = 128.163.x.x) or
NAT'ing (128.163.x.x = 10.10.x.x and 1hr lease), our network
security team is able to identify a user from an external complaint
where the 128.x.x.x address and timestamp are supplied.

On the other hand, when we receive a complaint from an external
source referencing one of our PAT addresses, unless the complaint
is received while the activity persists (ie: Spamming, scanning,
etc), the identity is lost.

For example: A DMCA complaint is received for a user at 128.163.x.x
at 10:37am (no source address given) for sharing a copyrighted
file. The address 128.163.x.x is the PAT address for 6,000 resnet
users on a private range of 10.x.x.x. A syslog server that records
PAT transactions lists 235 possible private addresses that had that
translation for 10:37am. With no source address given, who is the
bad guy?

For those of you who use PAT'ing extensively and log transactions,
what methods/technologies have you employed to track user identity,
AND provide accurate results?

Thanks,

Bill Cotter
UK IT Security
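An added example, not from the post or the list, of the correlation problem described above: it parses constructed PAT translation log lines (the line format, the addresses and the timestamps are all assumptions) and shows that the candidate set for a public address at a given minute only collapses to one private host when the complaint also supplies the translated source port or the remote destination.

```python
import re
from datetime import datetime, timedelta

# Constructed PAT translation records (not real syslog output); the format
# "ts inside=priv:port outside=pub:port dest=ip:port" is an assumption.
PAT_LOG = """\
2006-01-26 10:36:58 inside=10.10.4.17:51234 outside=128.163.1.5:40001 dest=198.51.100.7:6881
2006-01-26 10:37:02 inside=10.10.9.33:49152 outside=128.163.1.5:40002 dest=203.0.113.9:80
2006-01-26 10:37:15 inside=10.10.4.17:51235 outside=128.163.1.5:40003 dest=198.51.100.7:6881
2006-01-26 10:37:40 inside=10.10.2.8:50000 outside=128.163.1.5:40004 dest=203.0.113.9:443
2006-01-26 10:44:10 inside=10.10.7.1:45000 outside=128.163.1.5:40005 dest=198.51.100.7:6881
"""

LINE_RE = re.compile(r"^(\S+ \S+) inside=(\S+):(\d+) outside=(\S+):(\d+) dest=(\S+):(\d+)$")
TS_FMT = "%Y-%m-%d %H:%M:%S"

def parse_pat_log(text):
    """Parse translation records into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, priv, pport, pub, pubport, dst, dport = m.groups()
        records.append({
            "ts": datetime.strptime(ts, TS_FMT),
            "inside": priv, "outside": pub, "outside_port": int(pubport),
            "dest": dst, "dest_port": int(dport),
        })
    return records

def candidates(records, public_ip, when, window_min=2, outside_port=None, dest=None):
    """Private addresses that could have been behind public_ip around 'when'
    (a "%Y-%m-%d %H:%M:%S" string). Each extra field the complaint supplies
    (translated source port, remote host) is one more filter; without them the
    answer is a set of hosts, not a user."""
    centre = datetime.strptime(when, TS_FMT)
    lo, hi = centre - timedelta(minutes=window_min), centre + timedelta(minutes=window_min)
    hits = set()
    for r in records:
        if r["outside"] != public_ip or not (lo <= r["ts"] <= hi):
            continue
        if outside_port is not None and r["outside_port"] != outside_port:
            continue
        if dest is not None and r["dest"] != dest:
            continue
        hits.add(r["inside"])
    return hits
```

The window argument models the timestamp slop between the complainant's clock and the logging server; widening it grows the set, which is why asking the complainant for the translated source port or the remote address is the only reliable way to get back to one host.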
