US 12,438,851 B2
Detecting and mitigating forged authentication object attacks in multi-cloud environments with attestation
Jason Crabtree, Vienna, VA (US); and Richard Kelley, Woodbridge, VA (US)
Assigned to QOMPLX LLC, Reston, VA (US)
Filed by QOMPLX LLC, Reston, VA (US)
Filed on Jul. 29, 2023, as Appl. No. 18/361,830.
Application 18/361,830 is a continuation in part of application No. 17/361,715, filed on Jun. 29, 2021, granted, now 11,757,849.
Application 17/361,715 is a continuation in part of application No. 17/245,162, filed on Apr. 30, 2021, granted, now 11,582,207, issued on Feb. 14, 2023.
Application 17/245,162 is a continuation of application No. 15/837,845, filed on Dec. 11, 2017, granted, now 11,005,824, issued on May 11, 2021.
Application 15/837,845 is a continuation in part of application No. 15/825,350, filed on Nov. 29, 2017, granted, now 10,594,714, issued on Mar. 17, 2020.
Application 15/825,350 is a continuation in part of application No. 15/725,274, filed on Oct. 4, 2017, granted, now 10,609,079, issued on Mar. 31, 2020.
Application 15/725,274 is a continuation in part of application No. 15/655,113, filed on Jul. 20, 2017, granted, now 10,735,456, issued on Aug. 4, 2020.
Application 15/655,113 is a continuation in part of application No. 15/616,427, filed on Jun. 7, 2017, abandoned.
Application 15/655,113 is a continuation in part of application No. 15/237,625, filed on Aug. 15, 2016, granted, now 10,248,910, issued on Apr. 2, 2019.
Application 15/616,427 is a continuation in part of application No. 15/206,195, filed on Jul. 8, 2016, abandoned.
Application 15/206,195 is a continuation in part of application No. 15/186,453, filed on Jun. 18, 2016, abandoned.
Application 15/186,453 is a continuation in part of application No. 15/166,158, filed on May 26, 2016, abandoned.
Application 15/166,158 is a continuation in part of application No. 15/141,752, filed on Apr. 28, 2016, granted, now 10,860,962, issued on Dec. 8, 2020.
Application 15/141,752 is a continuation in part of application No. 15/091,563, filed on Apr. 5, 2016, granted, now 10,204,147, issued on Feb. 12, 2019.
Application 15/141,752 is a continuation in part of application No. 14/986,536, filed on Dec. 31, 2015, granted, now 10,210,255, issued on Feb. 19, 2019.
Application 15/141,752 is a continuation in part of application No. 14/925,974, filed on Oct. 28, 2015, abandoned.
Application 15/616,427 is a continuation in part of application No. 14/925,974, filed on Oct. 28, 2015.
Claims priority of provisional application 62/596,105, filed on Dec. 7, 2017.
Prior Publication US 2023/0388278 A1, Nov. 30, 2023
This patent is subject to a terminal disclaimer.
Int. Cl. H04L 9/40 (2022.01); H04L 9/32 (2006.01)
CPC H04L 63/0428 (2013.01) [H04L 9/3236 (2013.01); H04L 9/3239 (2013.01); H04L 63/0807 (2013.01); H04L 63/0815 (2013.01); H04L 63/1425 (2013.01); H04L 63/1433 (2013.01); H04L 63/145 (2013.01)] 12 Claims
1. A cloud-based system for detecting and mitigating forged authentication object attacks in federated environments using attestation, comprising:
a plurality of virtual machines comprising at least a processor and at least a memory;
an authentication object inspector comprising a first plurality of programming instructions stored in the memory of, and operating on a processor of, a virtual machine of the plurality of virtual machines, wherein the first plurality of programmable instructions, when operating on the processor, cause the virtual machine to:
receive an authentication object known to be generated by an identity provider;
calculate a cryptographic hash of the authentication object using a hashing engine;
store the cryptographic hash in the authentication object;
forward the authentication object to the service provider; and
where the hash of the authentication object does not exist in the authentication object received by the service provider, generate a notification that the authentication object may be forged; and
an event inspector comprising a second plurality of programming instructions stored in the memory of, and operating on the processor of, the virtual machine of the plurality of virtual machines, wherein the second plurality of programmable instructions, when operating on the processor, cause the virtual machine to:
monitor a plurality of service provider logs for a successful login event or a certificate export event;
identify one or more entities associated with the successful login event or a certificate export event;
search a plurality of security event logs from the one or more associated entities for corresponding events to determine if the successful login event is legitimate; and
trigger the execution of one or more commands as dictated in a plurality of predefined rules upon detection of an illegitimate login event or a certificate export event.
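An added illustration of the two inspectors in claim 1 (example code written for this page, not QOMPLX's implementation): the authentication object inspector stores a SHA-256 hash in an IdP-issued object so that the service provider can flag objects that never passed through it, and the event inspector correlates service provider logins with identity provider security logs and returns the rule-defined commands for unmatched logins or certificate exports. The field name, rule table, five-minute window and all log entries are constructed assumptions.

```python
import hashlib
import json
from datetime import datetime, timedelta

HASH_FIELD = "inspector_hash"  # constructed name for the field that carries the stored hash

def canonical(obj):
    # Deterministic serialization of the authentication object, minus the stored hash.
    body = {k: v for k, v in obj.items() if k != HASH_FIELD}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def attest(auth_obj):
    # Authentication object inspector: hash the IdP-issued object and store the hash in it.
    out = dict(auth_obj)
    out[HASH_FIELD] = hashlib.sha256(canonical(auth_obj)).hexdigest()
    return out

def check_at_sp(auth_obj):
    # Service provider side: an object minted outside the IdP never reached the inspector,
    # so it carries no hash. A mismatch is also flagged; that goes beyond the claim, which
    # only requires the hash to be present.
    stored = auth_obj.get(HASH_FIELD)
    if stored is None:
        return "hash missing: authentication object may be forged"
    if stored != hashlib.sha256(canonical(auth_obj)).hexdigest():
        return "hash mismatch: authentication object altered after attestation"
    return None

# Predefined rules mapping a detected condition to the commands to trigger (constructed).
RULES = {"illegitimate_login": ["revoke_sessions", "disable_account", "notify_soc"],
         "certificate_export": ["notify_soc", "rotate_signing_certificate"]}

def inspect_events(sp_logs, idp_logs, window=timedelta(minutes=5)):
    # Event inspector: a successful SP login is legitimate only if the same entity has an
    # authentication event in the IdP security log within `window` before it. Certificate
    # export events always trigger their rule. Returns (entity, commands) pairs.
    ts = datetime.fromisoformat
    actions = []
    for ev in sp_logs:
        if ev["event"] == "certificate_export":
            actions.append((ev["user"], RULES["certificate_export"]))
        elif ev["event"] == "login_success":
            t = ts(ev["time"])
            backed = any(e["user"] == ev["user"] and e["event"] == "auth_success"
                         and t - window <= ts(e["time"]) <= t for e in idp_logs)
            if not backed:
                actions.append((ev["user"], RULES["illegitimate_login"]))
    return actions

# Constructed sample logs: alice's login is backed by an IdP event, bob's is not.
SP_LOGS = [{"time": "2024-01-01T10:00:30", "user": "alice", "event": "login_success"},
           {"time": "2024-01-01T10:07:00", "user": "bob", "event": "login_success"},
           {"time": "2024-01-01T10:09:00", "user": "svc-adfs", "event": "certificate_export"}]
IDP_LOGS = [{"time": "2024-01-01T10:00:05", "user": "alice", "event": "auth_success"}]
```

Running `inspect_events(SP_LOGS, IDP_LOGS)` yields actions for bob and for the certificate export only; alice's login is matched to her IdP authentication and produces nothing.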