Method and device for responding to a query
US-2019082305-A1 · Mar 14, 2019 · US
US12580898B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-12580898-B2 |
| Application number | US-202318361825-A |
| Country | US |
| Kind code | B2 |
| Filing date | Jul 29, 2023 |
| Priority date | Oct 28, 2015 |
| Publication date | Mar 17, 2026 |
| Grant date | Mar 17, 2026 |
Official abstract text for this publication.
A system and method for implementation of zero trust computer network security combined with stateful authentication object tracking, authentication object manipulation and forgery detection, and assessment of authentication and identity attack surface. The methodology involves gathering all authentication objects issued by a network, storing the authentication objects in a master ledger for use in stateful deterministic authentication object tracking, and running detection functions that compare authentication objects presented for access to network resources with the master ledger. In an embodiment, an authentication object agent is installed at the domain controller level. In another embodiment, a log extension utility is installed at the local host computer level to provide additional log data for additional cyberattack detections.
Opening claim text (preview).
What is claimed is:

1. A system for computer detection of forged authentication object cybersecurity attacks, comprising: a computing device comprising a memory, a processor, and a non-volatile data storage device; an authentication object master ledger stored on the non-volatile data storage device, the authentication object master ledger comprising authentication objects captured from one or more domain controllers of a computer network; an authentication object agent installed on and operating on the one or more domain controllers of the computer network, the authentication object agent configured to capture each authentication object received by each of the domain controllers from a key distribution center and send it to an authentication object security system; the authentication object security system comprising a first plurality of programming instructions stored in the memory which, when operating on the processor, causes the computing device to: receive the authentication objects from the authentication object agent installed on and operating on the one or more domain controllers; and store each received authentication object or a unique identifier associated with each authentication object in the authentication object master ledger; receive a first authentication object presented to a first domain controller of the one or more domain controllers from a first authentication object agent installed on and operating on the first domain controller, the first authentication object being presented to the first domain controller for access to a resource of the computer network or a federated service associated with the computer network; compare the first authentication object or a unique identifier associated with the first authentication object with the master ledger to determine whether an identical authentication object or unique identifier already exists in the master ledger; and where the first authentication object or a unique identifier associated with the first authentication object is not contained in the master ledger, instruct the first authentication object agent to send a destroy ticket command from the first domain controller to the key distribution center.

2. The system of claim 1, wherein the computing device is part of the computer network.

3. The system of claim 1, wherein the computing device is part of a cloud-based service.

4. The system of claim 1, wherein the unique identifier stored for each received authentication object is a cryptographic hash of each authentication object, and the unique identifier for the first authentication object is a cryptographic hash of the first authentication object.

5. The system of claim 1, wherein the authentication objects are tickets issued by a ticket granting service of the key distribution center.

6. The system of claim 1, further comprising: an authentication object log extension database stored on the non-volatile data storage device, the authentication object log extension database comprising additional log data for authentication objects issued by the key distribution center, the additional log data comprising a start time, an end time, and a renewal time for each authentication object issued by the key distribution center; and the authentication object log extension utility installed on and operating on one or more local host computers of the computer network, the authentication object log extension utility configured to perform the following for the local host computer on which it is installed: enumerate every logon session on the local host computer; query the local ticket cache of the local host computer to obtain a log data stream for each logon session; generate the additional log data to supplement the log data stream for each logon session; and store the additional log data as part of the log data stream for the logon session; wherein the authentication object security system is further configured to cause the computing device to: receive the additional log data generated by the authentication object log extension utility for each local host computer of the one or more local host computers; monitor access requests by a client operating on a first local host computer of the one or more local host computers for access to resources on the computer network; identify a first authentication object presented by a first local host computer for access to a network resource of the computer network, the first authentication object comprising a client name; retrieve a user session name from the first local host computer associated with the attempted access using the first authentication object; compare the client name with the user session name; and where there is a mismatch between the client name and user session name, send a destroy ticket command to the key distribution service.

7. The system of claim 6, wherein the computing device is the local host computer, and the authentication object security system is operating on the local host computer.

8. The system of claim 6, wherein the computing device is part of a cloud-based service.

9. A method for computer detection of forged authentication object cybersecurity attacks, comprising the steps of: storing an authentication object master ledger stored on a non-volatile data storage device of a computing device comprising a memory, a processor, and the non-volatile data storage device, the authentication object master ledger comprising authentication objects captured from one or more domain controllers of a computer network; installing an authentication object agent on the one or more domain controllers of the computer network, the authentication object agent configured to capture each authentication object received by each of the domain controllers from a key distribution center and send it to an authentication object security system; using the authentication object security system stored in the memory and operating on the processor of the computing device to: receive the authentication objects from the authentication object agent installed on and operating on the one or more domain controllers; and store each received authentication object or a unique identifier associated with each authentication object for each received authentication object in the authentication object master ledger; receive a first authentication object presented to a first domain controller of the one or more domain controllers from a first authentication object agent installed on and operating on the first domain controller, the first authentication object being presented to the first domain controller for access to a resource of the computer network or a federated service associated with the computer network; compare the first authentication object or a unique identifier associated with the first authentication object with the master ledger to determine whether an identical authentication object or unique identifier already exists in the master ledger; and where the first authentication object or a unique identifier associated with the first authentication object is not contained in the master ledger, instruct the first authentication object agent to send a destroy ticket command from the first domain controller to the key distribution center.

10. The method of claim 9, wherein the computing device is part of the computer network.

11. The method of claim 9, wherein the computing device is part of a cloud-based service.

12. The method of claim 9, wherein the unique identifier stored for each received authentication object is a cryptographic hash of each authentication object, and the unique identifier for the fir
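The two detection functions the claims describe (claim 1: a presented ticket whose hash is absent from the master ledger of KDC-issued tickets triggers a destroy-ticket command; claim 6: a mismatch between the client name inside a ticket and the logon session that presented it triggers the same command) can be simulated offline. The following is an added illustration written for this page, not code from the patent or its assignee. The ticket structure, the `MasterLedger` class, the function names and the sample tickets are all constructed stand-ins; a real Kerberos ticket is an ASN.1 blob captured at the domain controller, which is what the agent would hash.

```python
"""Simulation of ledger-based forged-ticket detection (added example, not patent code)."""
import hashlib
import json
from dataclasses import dataclass, field


def ticket_id(ticket: dict) -> str:
    """Unique identifier for a ticket: a cryptographic hash (claim 4).

    Constructed stand-in: the ticket is a dict canonicalised to JSON so that
    the same ticket always hashes to the same value.
    """
    canonical = json.dumps(ticket, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


@dataclass
class MasterLedger:
    """Authentication object master ledger: one entry per ticket the KDC issued."""
    seen: set = field(default_factory=set)

    def record(self, ticket: dict) -> str:
        tid = ticket_id(ticket)
        self.seen.add(tid)
        return tid

    def contains(self, ticket: dict) -> bool:
        return ticket_id(ticket) in self.seen


def dc_agent_capture(ledger: MasterLedger, ticket: dict) -> str:
    """Hypothetical DC-side agent: forwards every KDC-issued ticket to the ledger."""
    return ledger.record(ticket)


def evaluate_presented_ticket(ledger: MasterLedger, ticket: dict) -> str:
    """Claim 1 check: a ticket not present in the ledger was never issued by the
    KDC, so the agent is told to destroy it; a known ticket is allowed through."""
    return "ALLOW" if ledger.contains(ticket) else "DESTROY_TICKET"


def evaluate_session_binding(ticket_client_name: str, session_user_name: str) -> str:
    """Claim 6 check: the client name carried in the ticket must match the user
    of the logon session that presented it (Windows account names compare
    case-insensitively, which is the assumption made here)."""
    if ticket_client_name.lower() == session_user_name.lower():
        return "ALLOW"
    return "DESTROY_TICKET"


def run_demo() -> dict:
    """Constructed scenario: one legitimately issued ticket, one that the KDC
    never issued, and one presented from a session belonging to another user."""
    ledger = MasterLedger()

    # Ticket the KDC actually issued; the DC agent captures it (claim 6's
    # start/end/renew times are included as the extra log fields).
    issued = {"cname": "alice", "sname": "krbtgt/CORP.EXAMPLE",
              "start": "2024-01-01T08:00:00Z", "end": "2024-01-01T18:00:00Z",
              "renew_till": "2024-01-08T08:00:00Z", "nonce": 1001}
    dc_agent_capture(ledger, issued)

    # Ticket with no corresponding KDC issuance: same shape, but the ledger has
    # never seen it, so its hash is absent.
    never_issued = {"cname": "administrator", "sname": "krbtgt/CORP.EXAMPLE",
                    "start": "2024-01-01T08:00:00Z", "end": "2034-01-01T08:00:00Z",
                    "renew_till": "2034-01-01T08:00:00Z", "nonce": 1}

    return {
        "issued_ticket": evaluate_presented_ticket(ledger, issued),
        "never_issued_ticket": evaluate_presented_ticket(ledger, never_issued),
        "matching_session": evaluate_session_binding("alice", "ALICE"),
        "mismatched_session": evaluate_session_binding("administrator", "bob"),
        "ledger_size": len(ledger.seen),
    }


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name}: {verdict}")
```

Keying the ledger on a hash rather than the raw ticket (claim 4) keeps the ledger small and means the DC agent never has to ship the full ticket off the controller; the trade-off, which the claims leave open, is that any field the KDC legitimately rewrites on renewal must be excluded from the hashed form, or a renewed ticket would look unissued.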
using hash chains, e.g. blockchains or hash trees · CPC title
using tickets or tokens, e.g. Kerberos (network architectures or network communication protocols for entities authentication using tickets in a packet data network H04L63/0807) · CPC title
Countermeasures against attacks on cryptographic mechanisms (network architectures or network communication protocols for protection against malicious traffic H04L63/1441) · CPC title
the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms · CPC title
providing single-sign-on or federations · CPC title