Unsecured asset detection via correlated authentication anomalies

US 20140020077A1
Filed: 07/12/2012
Published: 01/16/2014
Est. Priority Date: 07/12/2012
Status: Active Grant

First Claim

Patent Images

1. A method of detecting an unsecured computing device, comprising:

during a session, receiving a request from the unsecured computing device and made by a user, the request being a federated single sign-on (F-SSO) request to access an identity provider;

invoking a federated single sign-on (F-SSO) to the identity provider on behalf of the user;

receiving results from the invoked F-SSO;

analyzing information returned in the results to detect an authentication anomaly; and

upon detecting an authentication anomaly, initiating an anomaly workflow.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method, apparatus and computer program product for detecting that a computing device may not be secure based on inconsistent identity associations identified during Federated Single Sign-On (F-SSO). A detection proxy detects when a user with a particular session is accessing an identity provider (IdP) that is associated with an account that is not the current user'"'"'s account. When a user performs a login to an F-SSO-enabled IdP, the proxy performs an F-SSO, and the results are compared with known aliases for that particular federation partner. If an anomaly is detected (e.g., the in-line device sees that a user logs into a web site as someone else), a workflow is initiated to perform a given action, such as blocking access, issuing an alert, or the like.

Citations

20 Claims

1. A method of detecting an unsecured computing device, comprising:
- during a session, receiving a request from the unsecured computing device and made by a user, the request being a federated single sign-on (F-SSO) request to access an identity provider;
  
  invoking a federated single sign-on (F-SSO) to the identity provider on behalf of the user;
  
  receiving results from the invoked F-SSO;
  
  analyzing information returned in the results to detect an authentication anomaly; and
  
  upon detecting an authentication anomaly, initiating an anomaly workflow.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method as described in claim 1 wherein the analyzing step comprises:
    - retrieving data associated with one or more known identity provider relationships for an entity associated with the session; and
      
      comparing the retrieved with information returned in the results from the invoked F-SSO.
  - 3. The method as described in claim 2 wherein the analyzing step further comprises:
    - retrieving one or more identity attributes for the entity associated with the session; and
      
      comparing the retrieved one or more identity attributes with information returned in the results from the invoked F-SSO.
  - 4. The method as described in claim 1 wherein the anomaly workflow performs an action.
  - 5. The method as described in claim 4 wherein the action is one of:
    - issuing a notification, sending an alert, blocking the request, quarantining the computing device, and allowing the request to continue to proceed despite the anomaly.
  - 6. The method as described in claim 1 wherein the F-SSO request is an external F-SSO request.
  - 7. The method as described in claim 1 wherein the session is a user session initiated from a client browser.

8. Apparatus to detect an unsecured computing device, comprising:
- a processor;
  
  computer memory holding computer program instructions that when executed by the processor perform a method comprising;
  
  during a session, receiving a request from the unsecured computing device and made by a user, the request being a federated single sign-on (F-SSO) request to access an identity provider;
  
  invoking a federated single sign-on (F-SSO) to the identity provider on behalf of the user;
  
  receiving results from the invoked F-SSO;
  
  analyzing information returned in the results to detect an authentication anomaly; and
  
  upon detecting an authentication anomaly, initiating an anomaly workflow.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The apparatus as described in claim 8 wherein the analyzing step comprises:
    - retrieving data associated with one or more known identity provider relationships for an entity associated with the session; and
      
      comparing the retrieved with information returned in the results from the invoked F-SSO.
  - 10. The apparatus as described in claim 9 wherein the analyzing step further comprises:
    - retrieving one or more identity attributes for the entity associated with the session; and
      
      comparing the retrieved one or more identity attributes with information returned in the results from the invoked F-SSO.
  - 11. The apparatus as described in claim 8 wherein the anomaly workflow performs an action.
  - 12. The apparatus as described in claim 11 wherein the action is one of:
    - issuing a notification, sending an alert, blocking the request, quarantining the computing device, and allowing the request to continue to proceed despite the anomaly.
  - 13. The apparatus as described in claim 8 wherein the F-SSO request is an external F-SSO request.
  - 14. The apparatus as described in claim 8 wherein the session is a user session initiated from a client browser.

15. A computer program product in a non-transitory computer readable medium for use in a data processing system to detect an unsecured computing device, the computer program product holding computer program instructions which, when executed by the data processing system, perform a method comprising:
- during a session, receiving a request from the unsecured computing device and made by a user, the request being a federated single sign-on (F-SSO) request to access an identity provider;
  
  invoking a federated single sign-on (F-SSO) to the identity provider on behalf of the user;
  
  receiving results from the invoked F-SSO;
  
  analyzing information returned in the results to detect an authentication anomaly; and
  
  upon detecting an authentication anomaly, initiating an anomaly workflow.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The computer program product as described in claim 15 wherein the analyzing step comprises:
    - retrieving data associated with one or more known identity provider relationships for an entity associated with the session; and
      
      comparing the retrieved with information returned in the results from the invoked F-SSO.
  - 17. The computer program product as described in claim 16 wherein the analyzing step further comprises:
    - retrieving one or more identity attributes for the entity associated with the session; and
      
      comparing the retrieved one or more identity attributes with information returned in the results from the invoked F-SSO.
  - 18. The computer program product as described in claim 15 wherein the anomaly workflow performs an action.
  - 19. The computer program product as described in claim 18 wherein the action is one of:
    - issuing a notification, sending an alert, blocking the request, quarantining the computing device, and allowing the request to continue to proceed despite the anomaly.
  - 20. The computer program product as described in claim 15 wherein the F-SSO request is an external F-SSO request.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Court, John William, Canning, Simon Gilbert, Weeden, Shane Bradley, Gee, Simon Winston

Granted Patent

US 8,832,857 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/8
CPC Class Codes

H04L 63/0815 providing single-sign-on or...

H04L 63/1466 Active attacks involving in...

Unsecured asset detection via correlated authentication anomalies

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Unsecured asset detection via correlated authentication anomalies

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links