公开(公告)号：US09442752B1

公开(公告)日：2016-09-13

申请号：US14476520

申请日：2014-09-03

Applicant: Amazon Technologies, Inc.

Inventor： Gregory Branchek Roth ,  Aaron Douglas Dokey ,  Eric Jason Brandwine ,  Nathan Bartholomew Thomas

IPC: G06F21/00 ,  G06F9/455 ,  G06F21/53

CPC classification number: G06F9/45558 ,  G06F21/53 ,  G06F2009/45587

Abstract: A method and system for running an additional execution environment associated with a primary execution environment, receiving a request from the primary execution environment to create the additional execution environment, and, in response to the request, creating the additional execution environment such that entities other than the primary execution environment have insufficient privileges to access the additional execution environment.

Abstract translation: 用于运行与主执行环境相关联的附加执行环境的方法和系统，从主执行环境接收请求以创建附加执行环境，以及响应于所述请求，创建附加执行环境，使得除 主执行环境具有访问附加执行环境的权限不足。

公开(公告)号：US09231963B2

公开(公告)日：2016-01-05

申请号：US14551819

申请日：2014-11-24

Applicant: Amazon Technologies, Inc.

Inventor： Aaron Douglas Dokey ,  Ian Roger Searle ,  Eric Jason Brandwine

IPC: G06F21/32 ,  H04L29/06 ,  G06F21/50 ,  G06F21/55

CPC classification number: H04L63/1408 ,  G06F21/50 ,  G06F21/554

Abstract: The behavior of a group of resources, such as a fleet of servers, can be monitored to attempt to determine a baseline of acceptable behaviors. When a behavior is observed, the baseline can be consulted to determine whether the behavior is indicated to be acceptable. If not, the rate or extent at which the newly observed behavior is observed on groupings of similar resources can be monitored. This information can be used to determine whether the behavior is acceptable in which case information for the observed behavior can be used to automatically update the baseline such that the baseline is representative of current acceptable behavior within the group of resources.

公开(公告)号：US10079681B1

公开(公告)日：2018-09-18

申请号：US14476533

申请日：2014-09-03

Applicant: Amazon Technologies, Inc.

Inventor： Gregory Branchek Roth ,  Aaron Douglas Dokey ,  Eric Jason Brandwine ,  Nathan Bartholomew Thomas

IPC: H04L9/32 ,  H04L29/08 ,  H04L12/911 ,  H04L29/06

Abstract: Techniques for securely instantiating applications associated with computing resource service provider services on hardware that is controlled by third parties and/or customers of the computing resource service provider are described herein. A request to instantiate an application is received and fulfilled by selecting a computer system from computer systems that are controlled by a third party and/or a customer of the computing resource service provider. The computer system is selected based at least in part on the hardware capabilities of the computer system associated with instantiating a secure execution environment. The application is then instantiated within a secure execution environment operating on the computer system.

公开(公告)号：US09946869B1

公开(公告)日：2018-04-17

申请号：US14476593

申请日：2014-09-03

Applicant: Amazon Technologies, Inc.

Inventor： Gregory Branchek Roth ,  Aaron Douglas Dokey ,  Eric Jason Brandwine ,  Nathan Bartholomew Thomas

IPC: G06F21/00 ,  G06F21/50 ,  H04L29/08 ,  H04L29/06 ,  G06F9/455

CPC classification number: G06F21/50 ,  G06F9/4401 ,  G06F9/45558 ,  G06F2009/45591 ,  H04L63/10 ,  H04L63/12 ,  H04L67/10

Abstract: Systems and methods for providing computer system monitoring as a service of a computing resource service provider, monitoring capacity computer system of a customer of the computing resource service provider, and based on the request, launching a monitoring agent in a protected execution environment in which the monitoring agent is configured to generate an assessment of the computer system and provide the assessment of the computer system.

公开(公告)号：US09942041B1

公开(公告)日：2018-04-10

申请号：US14476533

申请日：2014-09-03

Applicant: Amazon Technologies, Inc.

Inventor： Gregory Branchek Roth ,  Aaron Douglas Dokey ,  Eric Jason Brandwine ,  Nathan Bartholomew Thomas

IPC: H04L9/32 ,  H04L29/08 ,  H04L12/911 ,  H04L29/06

CPC classification number: H04L9/32 ,  H04L9/3263 ,  H04L47/70 ,  H04L63/061 ,  H04L67/10

Abstract: Techniques for securely instantiating applications associated with computing resource service provider services on hardware that is controlled by third parties and/or customers of the computing resource service provider are described herein. A request to instantiate an application is received and fulfilled by selecting a computer system from computer systems that are controlled by a third party and/or a customer of the computing resource service provider. The computer system is selected based at least in part on the hardware capabilities of the computer system associated with instantiating a secure execution environment. The application is then instantiated within a secure execution environment operating on the computer system.

公开(公告)号：US20170262300A1

公开(公告)日：2017-09-14

申请号：US15430957

申请日：2017-02-13

Applicant: Amazon Technologies, Inc.

Inventor： Eric Jason Brandwine ,  Aaron Douglas Dokey ,  Ajith Jayamohan ,  Ian Roger Searle

IPC: G06F9/455 ,  G06F12/14 ,  H04L12/26 ,  H04L29/06 ,  H04L12/851

CPC classification number: G06F9/455 ,  G06F9/45533 ,  G06F9/45558 ,  G06F12/14 ,  G06F2009/45591 ,  G06F2009/45595 ,  H04L29/06877 ,  H04L43/026 ,  H04L43/028 ,  H04L43/04 ,  H04L43/045 ,  H04L43/16 ,  H04L47/2441 ,  H04L63/0227 ,  H04L63/14 ,  H04L63/1408 ,  H04L63/1425 ,  H04L63/1458

Abstract: Approaches are described for collecting and/or utilizing network traffic information, such as network flow data, within a virtualized computing environment. The network traffic information can be collected on one or more host computing devices that host virtual machines. The collected network traffic information can include virtualized computing environment specific information, such as a user account identifier (ID), virtual machine identifier (ID), session termination information and the like. The collected network traffic information can also be presented to the user of the virtualized computing environment.

公开(公告)号：US09521140B2

公开(公告)日：2016-12-13

申请号：US15001175

申请日：2016-01-19

Applicant: Amazon Technologies, Inc.

Inventor： Gregory Branchek Roth ,  Aaron Douglas Dokey ,  Eric Jason Brandwine ,  Nathan Bartholomew Thomas

IPC: H04L29/06 ,  H04L9/32 ,  G06F21/56 ,  G06F21/53 ,  G06F21/57

CPC classification number: H04L63/0823 ,  G06F21/53 ,  G06F21/56 ,  G06F21/575 ,  H04L9/3268 ,  H04L63/062 ,  H04L63/123

Abstract: Techniques for managing secure execution environments provided as a service to computing resource service provider customers are described herein. A request to launch a secure execution environment is received from a customer and fulfilled by launching a secure execution environment on a selected computer system. The secure execution environment is then validated and upon a successful validation, one or more applications are provided to the secure execution environment to be executed within the secure execution environment. As additional requests relating to managing the secure execution environment are received, operations are performed based on the requests.

公开(公告)号：US10341355B1

公开(公告)日：2019-07-02

申请号：US14747988

申请日：2015-06-23

Applicant: Amazon Technologies, Inc.

Inventor： Albert Park Niemoller ,  Eric Jason Brandwine ,  Keith Allen Bergen ,  Aaron Douglas Dokey

IPC: H04L29/06 ,  H04L29/08 ,  G06N20/00 ,  G06F21/55

Abstract: A multi-tenant provider network may implement confidential data capture and analysis for virtual computing resources. Network traffic for virtual compute instances may be evaluated to identify possible malicious behavior of the virtual compute instances. In some embodiments, a stream of raw metering data for individual network communications to the virtual compute instances may be evaluated. A confidential analysis may be performed for identified virtual compute instances, evaluating confidential data utilized by the virtual compute instances for malicious software. Results of the confidential analysis may be generated according to an access policy that restricts access to the confidential data. The results may be provided to a client that is restricted from accessing the confidential data according to the access policy.

公开(公告)号：US10318336B2

公开(公告)日：2019-06-11

申请号：US15953322

申请日：2018-04-13

Applicant: Amazon Technologies, Inc.

Inventor： Gregory Branchek Roth ,  Aaron Douglas Dokey ,  Eric Jason Brandwine ,  Nathan Bartholomew Thomas

IPC: G06F21/50 ,  H04L29/06 ,  G06F9/455 ,  H04L29/08 ,  G06F9/4401 ,  G06F21/53 ,  G06F21/57

Abstract: Systems and methods for providing computer system monitoring as a service of a computing resource service provider, monitoring capacity computer system of a customer of the computing resource service provider, and based on the request, launching a monitoring agent in a protected execution environment in which the monitoring agent is configured to generate an assessment of the computer system and provide the assessment of the computer system.

公开(公告)号：US10133591B2

公开(公告)日：2018-11-20

申请号：US15430957

申请日：2017-02-13

Applicant: Amazon Technologies, Inc.

Inventor： Eric Jason Brandwine ,  Aaron Douglas Dokey ,  Ajith Jayamohan ,  Ian Roger Searle

IPC: G06F9/455 ,  G06F12/14 ,  H04L12/26 ,  H04L29/06 ,  H04L12/851

Abstract: Approaches are described for collecting and/or utilizing network traffic information, such as network flow data, within a virtualized computing environment. The network traffic information can be collected on one or more host computing devices that host virtual machines. The collected network traffic information can include virtualized computing environment specific information, such as a user account identifier (ID), virtual machine identifier (ID), session termination information and the like. The collected network traffic information can also be presented to the user of the virtualized computing environment.