公开(公告)号：US12210622B1

公开(公告)日：2025-01-28

申请号：US18065481

申请日：2022-12-13

Applicant: Amazon Technologies, Inc.

Inventor： Zhilu Zhang ,  Qian Cui ,  Baris Coskun ,  Wei Ding

IPC: G06F21/55

Abstract: Systems and methods for performing anomalous activity monitoring for a service provider network are disclosed. In response to receiving an activity log, a machine learning-based activity monitor may parse the activity log into segments, generate event objects from a segment of the activity log, encode the event objects, and then reconstruct the event objects based on decoding the encoded event objects. The encoding and decoding may be performed based on a model that was trained using training data with no known malicious activity. The event objects may comprise at least two or more event defining characteristics and an event count. By comparing the reconstructed event objects to corresponding initial versions of the event objects, the machine learning-activity monitor may determine an anomaly score and may provide an indication of events determined to be anomalous based on the score.

公开(公告)号：US11374952B1

公开(公告)日：2022-06-28

申请号：US16586147

申请日：2019-09-27

Applicant: Amazon Technologies, Inc.

Inventor： Baris Coskun ,  Wei Ding ,  Luca Melis

IPC: H04L29/06 ,  H04L9/40 ,  G06N3/04 ,  G06N3/08

Abstract: Techniques for monitoring a computing environment for anomalous activity are presented. An example method includes receiving a request to invoke an action within a computing environment, with the request including a plurality of request attributes and a plurality of contextual attributes. A normalcy score is generated for the received request by encoding the received request into a code in latent space of an autoencoder, reconstructing the request from the code, and generating a probability distribution indicating a likelihood that the reconstructed request attributes exist in a data set of non-anomalous activity. Based on the calculated normalcy score, one or more actions are taken to process the request such that execution of non-anomalous requests is allowed, and execution of potentially anomalous requests may be blocked pending confirmation.

公开(公告)号：US12028362B1

公开(公告)日：2024-07-02

申请号：US17115107

申请日：2020-12-08

Applicant: Amazon Technologies, Inc.

Inventor： Qian Cui ,  Wei Ding ,  Oleg Yurievich Polyakov ,  Baris Coskun

IPC: H04L9/40 ,  G06F18/214 ,  G06N3/045 ,  G06N3/047 ,  G06N3/088 ,  G06V10/75 ,  H04L67/1097

CPC classification number: H04L63/1425 ,  G06F18/2148 ,  G06N3/045 ,  G06N3/047 ,  G06N3/088 ,  G06V10/757 ,  H04L63/1416 ,  H04L67/1097

Abstract: Techniques for enabling the identification of anomalous events associated with an object storage service of a cloud provider network using a variational autoencoder model including a pre-trained embedding for selected features of events are described. A variational autoencoder, for example, encodes data into a latent space and reconstructs approximations of the data from an encoding in the latent space. In this context, for example, anomalous events of interest might represent unauthorized or abusive behavior associated with storage resources provided by an object storage service (or in association with other types of computing resources provided by other services of a cloud provider network). Legitimate (or benign) access patterns to an object storage service can be modeled by utilizing observed data plane events stored by an account activity monitoring service. Once trained, the model can be used to identify anomalous events.