-
Publication No.: US11593639B1
Publication Date: 2023-02-28
Application No.: US16559393
Filing Date: 2019-09-03
Applicant: Amazon Technologies, Inc.
Inventor: Pranav Garg, Baris Coskun
Abstract: Techniques for monitoring a computing environment for anomalous activity are presented. An example method includes receiving a request to invoke an action within the computing environment. An anomaly score is generated for the received request by applying a probabilistic model to properties of the request. The anomaly score generally indicates a likelihood that the properties of the request correspond to historical activity within the computing environment for a user associated with the request. The probabilistic model generally comprises a model having been trained using historical activity within the computing environment for a plurality of users, the historical activity including information identifying an action performed in the computing environment and contextual information about a historical request. Based on the generated anomaly score, one or more actions are taken to process the request such that execution of requests having anomaly scores indicative of unexpected activity may be blocked pending confirmation.
-
Publication No.: US11537902B1
Publication Date: 2022-12-27
Application No.: US16912527
Filing Date: 2020-06-25
Applicant: Amazon Technologies, Inc.
Inventor: Sergul Aydore, Baris Coskun, Luca Melis
IPC: G06F16/245, G06N3/08, G06N3/04
Abstract: Systems, devices, and methods are provided for detecting anomalous events from categorical data using autoencoders. A system may receive a data set associated with actions requested within the computing environment, wherein the data set includes first categorical data indicative of anomalous activity in the computing environment. The system may train an autoencoder to reconstruct approximations of requests associated with the computing environment based on the received data set, wherein training the autoencoder includes using a beta divergence and a maximum mean discrepancy divergence. The trained system may receive a request to invoke an action within the computing environment, may generate a reconstruction of the request to invoke the action using the trained autoencoder, may determine a normalcy score based on a probability that the reconstruction of the request exists in the training data set, and, based on the calculated normalcy score, may determine whether requests indicate anomalous data.
-
Publication No.: US12028362B1
Publication Date: 2024-07-02
Application No.: US17115107
Filing Date: 2020-12-08
Applicant: Amazon Technologies, Inc.
Inventor: Qian Cui, Wei Ding, Oleg Yurievich Polyakov, Baris Coskun
IPC: H04L9/40, G06F18/214, G06N3/045, G06N3/047, G06N3/088, G06V10/75, H04L67/1097
CPC classification number: H04L63/1425, G06F18/2148, G06N3/045, G06N3/047, G06N3/088, G06V10/757, H04L63/1416, H04L67/1097
Abstract: Techniques for enabling the identification of anomalous events associated with an object storage service of a cloud provider network using a variational autoencoder model including a pre-trained embedding for selected features of events are described. A variational autoencoder, for example, encodes data into a latent space and reconstructs approximations of the data from an encoding in the latent space. In this context, for example, anomalous events of interest might represent unauthorized or abusive behavior associated with storage resources provided by an object storage service (or in association with other types of computing resources provided by other services of a cloud provider network). Legitimate (or benign) access patterns to an object storage service can be modeled by utilizing observed data plane events stored by an account activity monitoring service. Once trained, the model can be used to identify anomalous events.
-
Publication No.: US11743282B1
Publication Date: 2023-08-29
Application No.: US17031776
Filing Date: 2020-09-24
Applicant: Amazon Technologies, Inc.
Inventor: MohamadAli Torkamani, Baris Coskun, Jeffrey Earl Bickford, Shane Anil Pereira
IPC: H04L9/40, G06N20/00, H04L61/4511, H04L67/1001, G06F18/211, G06N5/01
CPC classification number: H04L63/1433, G06F18/211, G06N5/01, G06N20/00, H04L61/4511, H04L63/0227, H04L63/1441, H04L67/1001
Abstract: Devices, systems, and methods are provided for cloud-based entity reputation scoring. A method may include determining, based on domain name service (DNS) data associated with entities of the cloud-based environment, a k-partite graph with nodes and edges, a node including a first elastic computing instance. The method may include generating features associated with the first elastic computing instance. The method may include determining, based on the features, a minimum value, a maximum value, and an average value, and generating a feature vector comprising the minimum value, the maximum value, and the average value. The method may include determining, based on the feature vector, a reputation score associated with the first elastic computing instance. The method may include communicating based on the reputation score.
-
Publication No.: US12210622B1
Publication Date: 2025-01-28
Application No.: US18065481
Filing Date: 2022-12-13
Applicant: Amazon Technologies, Inc.
Inventor: Zhilu Zhang, Qian Cui, Baris Coskun, Wei Ding
IPC: G06F21/55
Abstract: Systems and methods for performing anomalous activity monitoring for a service provider network are disclosed. In response to receiving an activity log, a machine learning-based activity monitor may parse the activity log into segments, generate event objects from a segment of the activity log, encode the event objects, and then reconstruct the event objects based on decoding the encoded event objects. The encoding and decoding may be performed based on a model that was trained using training data with no known malicious activity. The event objects may comprise at least two or more event defining characteristics and an event count. By comparing the reconstructed event objects to corresponding initial versions of the event objects, the machine learning-activity monitor may determine an anomaly score and may provide an indication of events determined to be anomalous based on the score.
-
Publication No.: US12204645B1
Publication Date: 2025-01-21
Application No.: US17528019
Filing Date: 2021-11-16
Applicant: Amazon Technologies, Inc.
Inventor: MohamadAli Torkamani, Bhavna Soman, Jeffrey Earl Bickford, Baris Coskun
Abstract: Disclosed are systems and methods to compare two or more machine learning models to determine the comparative performance of those models. Markers may be assigned to data items and data item marker scores generated for those data items, independent of the machine learning models. Each of the machine learning models to be compared may then process the data items and generate respective model scores for those data items. A sub-set of the data items may then be generated for each machine learning model based on the model scores assigned to the data items by the respective model. A model marker score may then be computed for each machine learning model based on the marker scores assigned to each of the data items of the sub-set of data items determined for each model. Finally, the model marker scores may be compared to determine which machine learning model has the highest performance.
-
Publication No.: US11374952B1
Publication Date: 2022-06-28
Application No.: US16586147
Filing Date: 2019-09-27
Applicant: Amazon Technologies, Inc.
Inventor: Baris Coskun, Wei Ding, Luca Melis
Abstract: Techniques for monitoring a computing environment for anomalous activity are presented. An example method includes receiving a request to invoke an action within a computing environment, with the request including a plurality of request attributes and a plurality of contextual attributes. A normalcy score is generated for the received request by encoding the received request into a code in latent space of an autoencoder, reconstructing the request from the code, and generating a probability distribution indicating a likelihood that the reconstructed request attributes exist in a data set of non-anomalous activity. Based on the calculated normalcy score, one or more actions are taken to process the request such that execution of non-anomalous requests is allowed, and execution of potentially anomalous requests may be blocked pending confirmation.