Microsoft Corporation
ROGUE CERTIFICATE DETECTION
Abstract:
Unauthorized use of user credentials in a network implementing an authentication protocol is detected. Authentication certificates that are observed in the network are uniquely identified and monitored. A baseline profile of the authentication certificates is generated. For a new request to access a resource in the network, a unique identifier for the submitted authentication certificate is generated. If the identifier is new, the submitted authentication certificate is compared to the baseline profile, and an alert is generated when the difference from the baseline profile exceeds a threshold. If the unique identifier for the submitted authentication certificate has previously been identified and is not included in the baseline profile, an alert is generated when the source computer associated with the unique identifier is not found in a chain of connection to the original source.
Utility
27 Apr 2020
28 Oct 2021
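The decision flow in the abstract, sketched as an added example that is not taken from the patent or from any Microsoft implementation. The SHA-256 identifier, the attribute-mismatch difference score, the host connection graph, and all class, method and alert names are assumptions chosen for illustration.

```python
import hashlib
from collections import Counter

def cert_id(der: bytes) -> str:
    # Assumed identifier: SHA-256 over the raw certificate bytes.
    return hashlib.sha256(der).hexdigest()

class RogueCertMonitor:  # hypothetical name
    def __init__(self, threshold=0.5):
        self.threshold = threshold
        self.baseline_ids = set()  # identifiers that are part of the baseline
        self.profile = {}          # attribute name -> Counter of baseline values
        self.origin = {}           # identifier -> first source host observed
        self.links = {}            # host -> hosts it was seen connecting to

    def learn(self, der, attrs, source):
        cid = cert_id(der)
        self.baseline_ids.add(cid)
        self.origin.setdefault(cid, source)
        for name, value in attrs.items():
            self.profile.setdefault(name, Counter())[value] += 1

    def add_connection(self, src, dst):
        self.links.setdefault(src, set()).add(dst)

    def _difference(self, attrs):  # assumed metric: share of unseen values
        unseen = sum(1 for k, v in attrs.items() if v not in self.profile.get(k, ()))
        return unseen / len(attrs) if attrs else 1.0

    def _reachable(self, start, target):
        seen, stack = set(), [start]
        while stack:
            host = stack.pop()
            if host == target:
                return True
            if host not in seen:
                seen.add(host)
                stack.extend(self.links.get(host, ()))
        return False

    def check(self, der, attrs, source):
        cid = cert_id(der)
        if cid not in self.origin:  # identifier never observed before
            self.origin[cid] = source
            over = self._difference(attrs) > self.threshold
            return "alert:baseline-deviation" if over else "ok"
        if cid not in self.baseline_ids and not self._reachable(self.origin[cid], source):
            return "alert:unexpected-source"
        return "ok"
```

A certificate already in the baseline returns "ok" here; the abstract does not say how that case is handled, so that branch is an assumption.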