DETAILED ACTION

Claims 1-3 and 7-9 are allowed. Claims 4-6 have been cancelled.

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Information Disclosure Statement
The Information Disclosure Statement(s) submitted by applicant on 01/29/2021 has/have been considered. The submission is in compliance with the provisions of 37 CFR § 1.97. Form PTO-1449 signed and attached hereto.
EXAMINER’S AMENDMENT

An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this examiner’s amendment was given in a telephone interview with Brian S. Boon on 08/26/2022.
This listing of claims will replace all prior versions and listings of claims in the application:
IN THE CLAIMS:

1. A system for detecting and mitigating golden Security Assertion Markup Language (SAML) attacks against federated services, comprising:
a computing device comprising a memory and a processor;
an authentication object inspector comprising a first plurality of programming instructions stored in the memory which, when operating on the processor, causes the computing device to:
receive network traffic comprising a plurality of network packets, the plurality of network packets comprising a first authentication object for a user of a federated service, the first authentication object comprising a first identification string known to be generated by an identity provider associated with the federated service;
store a record of the first authentication object, with attached metadata comprising a timestamp of when the first authentication object was received, in a time-series database;
generate a security cookie for the first authentication object using a hashing engine;
provide the security cookie to the identity provider from which the first authentication object was generated for inclusion in additional authentication objects issued to the user;
receive a request for access to the federated service by the user accompanied by a second authentication object comprising a second identification string and the security cookie;
compare a value of the second identification string of the second authentication object against a value of the second identification string of the stored record of the first authentication object;
check the second authentication object for the security cookie;
generate an authentication failure if the security cookie is missing or invalid; and
a hashing engine comprising a second plurality of programming instructions stored in the memory of, and operating on the processor of, the computing device, wherein the second plurality of programmable instructions, when operating on the processor, cause the computing device to: 
receive authentication objects from the authentication object inspector; 
calculate security cookies for authentication objects received by performing a plurality of calculations and transformations on each authentication object received; and
return the security cookies for authentication objects received to the authentication object inspector.

2. The system of claim 1, wherein the authentication object inspector is operated by the identity provider.

3. The system of claim 1, wherein the authentication object inspector is operated by a client device communicating with the identity provider over a network.

4.-6. (Canceled)

7. (New) A method for detecting and mitigating golden Security Assertion Markup Language (SAML) attacks against federated services, comprising:
using an authentication object inspector operating on a computing device comprising a memory and a processor to:
receive network traffic comprising a plurality of network packets, the plurality of network packets comprising a first authentication object for a user of a federated service, the first authentication object comprising a first identification string known to be generated by an identity provider associated with the federated service;
store a record of the first authentication object, with attached metadata comprising a timestamp of when the first authentication object was received, in a time-series database;
generate a security cookie for the first authentication object using a hashing engine;
provide the security cookie to the identity provider from which the first authentication object was generated for inclusion in additional authentication objects issued to the user;
receive a request for access to the federated service by the user accompanied by a second authentication object comprising a second identification string and the security cookie;
compare a value of the second identification string of the second authentication object against a value of the second identification string of the stored record of the first authentication object;
check the second authentication object for the security cookie;
generate an authentication failure if the security cookie is missing or invalid; and
using the hashing engine to: 
receive authentication objects from the authentication object inspector; 
calculate security cookies for authentication objects received by performing a plurality of calculations and transformations on each authentication object received; and 
return the security cookies for authentication objects received to the authentication object inspector.

8. (New) The method of claim 7, wherein the authentication object inspector is operated by the identity provider.

9. (New) The method of claim 7, wherein the authentication object inspector is operated by a client device communicating with the identity provider over a network.
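As an added illustration that is not part of the application or of this Office action, the inspector flow recited in claims 1 and 7 in Python: an authentication object is observed and recorded with its receipt timestamp, a security cookie is derived by a hashing engine and handed back for the identity provider to embed, and a later request is admitted only if its identification string matches a stored record and it carries the valid cookie. The keyed-HMAC hashing engine, the in-memory record store and the sample assertion are assumptions of this example, not the claimed method's specifics.

```python
import hashlib
import hmac
from typing import Optional, Tuple

# Constructed sample: an authentication object is modelled as a dict carrying the identity
# provider's identification string ("id") plus a few assertion fields (assumption, not SAML XML).
SAMPLE_ASSERTION = {"id": "_a7f3c2", "issuer": "https://idp.example/metadata",
                    "subject": "alice@example", "audience": "https://sp.example"}


class HashingEngine:
    """Assumed hashing engine: keyed HMAC-SHA256 over the canonicalised object and its
    receipt timestamp. The claims leave the exact transformations open; this is one choice."""

    def __init__(self, key: bytes):
        self._key = key

    def cookie(self, auth_obj: dict, received_at: int) -> str:
        canon = "|".join(f"{k}={auth_obj[k]}" for k in sorted(auth_obj))
        return hmac.new(self._key, f"{canon}|t={received_at}".encode(), hashlib.sha256).hexdigest()


class Inspector:
    def __init__(self, engine: HashingEngine):
        self.engine = engine
        self.records = {}  # stand-in for the time-series database, keyed by identification string

    def observe(self, auth_obj: dict, received_at: int) -> str:
        """Store the first authentication object with its timestamp; return the cookie for the IdP."""
        cookie = self.engine.cookie(auth_obj, received_at)
        self.records[auth_obj["id"]] = {"obj": dict(auth_obj), "received_at": received_at, "cookie": cookie}
        return cookie

    def check_request(self, second_obj: dict, presented: Optional[str]) -> Tuple[bool, str]:
        """Compare the identification string against the stored record, then check the cookie."""
        rec = self.records.get(second_obj.get("id"))
        if rec is None:
            return False, "identification string matches no stored record"
        if presented is None:
            return False, "security cookie missing"
        if not hmac.compare_digest(rec["cookie"], presented):
            return False, "security cookie invalid"
        return True, "ok"


def demo() -> list:
    insp = Inspector(HashingEngine(b"inspector-key-assumed"))
    cookie = insp.observe(SAMPLE_ASSERTION, received_at=1_700_000_000)
    reissued = dict(SAMPLE_ASSERTION, cookie=cookie)            # IdP re-issues with the cookie
    minted = dict(SAMPLE_ASSERTION, subject="admin@example")    # object minted outside the IdP flow
    return [insp.check_request(reissued, reissued.get("cookie")),
            insp.check_request(minted, minted.get("cookie")),
            insp.check_request(SAMPLE_ASSERTION, "0" * 64)]
```

`demo()` returns the three outcomes the claims distinguish: a re-issued object carrying the cookie is accepted, one without the cookie fails as missing, and one with a wrong cookie fails as invalid.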


Allowable Subject Matter

Claims 1-3 and 7-9 are allowed over the prior art made of record.
The prior art made of record and not relied upon is considered pertinent to applicant’s disclosure [see USPTO Notice of References Cited Form 892]:
Jhonson et al. (US Patent Application No. 20180248701) discloses identity protection and compromise detection: the GSI system uses a hash-tree based mechanism for integrity protection. If the private key used to sign an OCSP response is compromised, the response becomes unreliable and therefore the validity of the associated signature becomes questionable (para 152).
Doyle et al. (US Patent Application No. 2009/0182672) discloses an integrity check of two hash values by comparing the stored hash value with a newly generated hash (para 25).

The following is an examiner's statement of reasons for allowance:
Interpreting the claims in light of the specification, the Examiner finds the claimed invention is patentably distinct from the prior art of record, for the reasons set forth in the following:
The prior art of record does not teach the combination of claimed elements under the broadest reasonable interpretation of the claimed limitations consistent with the Applicant's Specification. The prior art cited above fails to teach all of the Applicant's claimed limitations. In particular, the claimed invention advantageously provides a finer level of detail that includes "A system for detecting and mitigating golden Security Assertion Markup Language (SAML) attacks against federated services, comprising steps of receiving network traffic comprising a plurality of network packets, the plurality of network packets comprising at least a first authentication object for a user of a federated service, the first authentication object comprising a first identification string known to be generated by an identity provider associated with the federated service, storing a record of the first authentication object, with attached metadata comprising at least a timestamp of when the first authentication object was received, in a time-series database, generating a security cookie for the first authentication object using a hashing engine, providing the security cookie to the identity provider from which the first authentication object was generated for inclusion in additional authentication objects issued to the user, receiving a request for access to the federated service by the user accompanied by a second authentication object comprising a second identification string and the security cookie, and comparing a value of the second identification string of the second authentication object against a value of the second identification string of the stored record of the first authentication object and checking the second authentication object for the security cookie.
Generating an authentication failure if the security cookie is missing or invalid, and a hashing engine comprising a second plurality of programming instructions stored in the memory of, and operating on the processor of, the computing device, wherein the second plurality of programmable instructions, when operating on the processor, cause the computing device to receive authentication objects from the authentication object inspector; calculate security cookies for each authentication object received by performing at least a plurality of calculations and transformations on each authentication object received; and return the security cookies for each authentication object received to the authentication object inspector", in combination with the other limitations of the claims, was not disclosed by, would not have been obvious over, nor would have been fairly suggested by the prior art of record in the context of the claims and the specification.
The dependent claims, being further limiting to the independent claims, definite, and enabled by the Specification, are also allowed.
The Examiner asserts that the claims overcome the prior art of record as described above when the limitations are read in combination with the respective claimed limitations in their entirety. Thus, the prior art of record neither renders obvious nor anticipates the combination of claimed elements in light of the specification.
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee. Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”

Conclusion

Please see the attached PTO-892 for the prior art made of record and not relied upon, which is considered pertinent to applicant's disclosure.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to MOHAMMAD A SIDDIQI whose telephone number is (571)272-3976. The examiner can normally be reached Monday-Friday.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Carl G Colin can be reached on 571-272-3862. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/MOHAMMAD A SIDDIQI/Primary Examiner, Art Unit 2493