公开(公告)号：US09954902B1

公开(公告)日：2018-04-24

申请号：US15592158

申请日：2017-05-10

Applicant: Amazon Technologies, Inc.

Inventor： Tushaar Sethi

IPC: G06F7/04 ,  G06F15/16 ,  H04L29/06 ,  H04L9/32 ,  H04L29/08 ,  H04L29/12

CPC classification number: H04L63/20 ,  H04L61/1511 ,  H04L61/2007 ,  H04L63/0227 ,  H04L63/0281 ,  H04L63/08 ,  H04L63/101 ,  H04L67/141

Abstract: Methods and systems are provided herein to enable secure proxying of network traffic between trusted and untrusted environments. In particular, a secure proxy may be provided that includes a set of policies. The policies may be applicable to various network protocol layers (e.g., an application layer), network traffic types, and/or endpoint resolution. The set of policies may be used to inspect, restrict and/or modify traffic between the trusted and untrusted environment to ensure data and network security. A proxy device may use the set of policies, for example, to obtain current service-related information (such as the list of IP addresses) currently associated with a computing resource requested by an application. Such endpoint information may be used, in turn, to update a white list.

公开(公告)号：US09923927B1

公开(公告)日：2018-03-20

申请号：US14869344

申请日：2015-09-29

Applicant: Amazon Technologies, Inc.

Inventor： Jon Arron McClintock ,  Yogesh Vilas Golwalkar ,  Bharath Kumar Bhimanaik ,  Darin Keith McAdams ,  Tushaar Sethi

IPC: H04L29/06

CPC classification number: H04L63/20 ,  H04L63/0846 ,  H04L63/105 ,  H04L63/108

Abstract: Methods and systems are provided to enable access control based on credential properties. Besides authenticating a credential, an authentication service can provide additional credential-related information with respect to a credential such as last updated time. An entity receiving such additional credential-related information can implement access control policies based on the credential-related information. For instance, a user's access rights may be gradually restricted after an initial expiration time and towards a final expiration time. In an example, such access control may be implemented by a client application or client website of the authentication service. Alternatively or additionally, such access control may be implemented by an authorization service used by the client application or client website.

公开(公告)号：US09660998B1

公开(公告)日：2017-05-23

申请号：US14874022

申请日：2015-10-02

Applicant: Amazon Technologies, Inc.

Inventor： Tushaar Sethi

IPC: G06F7/04 ,  G06F15/16 ,  H04L29/06 ,  H04L9/32 ,  H04L29/12

CPC classification number: H04L63/20 ,  H04L61/1511 ,  H04L61/2007 ,  H04L63/0227 ,  H04L63/0281 ,  H04L63/08 ,  H04L63/101 ,  H04L67/141

Abstract: Methods and systems are provided herein to enable secure proxying of network traffic between trusted and untrusted environments. In particular, a secure proxy may be provided that includes a set of policies. The policies may be applicable to various network protocol layers (e.g., an application layer), network traffic types, and/or endpoint resolution. The set of policies may be used to inspect, restrict and/or modify traffic between the trusted and untrusted environment to ensure data and network security. A proxy device may use the set of policies, for example, to obtain current service-related information (such as the list of IP addresses) currently associated with a computing resource requested by an application. Such endpoint information may be used, in turn, to update a white list.

公开(公告)号：US10511619B2

公开(公告)日：2019-12-17

申请号：US15592058

申请日：2017-05-10

Applicant: Amazon Technologies, Inc.

Inventor： Maarten Van Horenbeeck ,  Christopher Michael Anderson ,  Katharine Nicole Harrison ,  Matthew Ryan Jezorek ,  Jon Arron McClintock ,  Tushaar Sethi

IPC: H04L29/06 ,  G06N20/00 ,  H04L12/721

Abstract: Techniques described and suggested herein include various systems and methods for determining risk levels associated with transiting data, and routing portions of the data in accordance with the determined risk levels. For example, a risk analyzer may apply risk classifiers to transiting data to determine overall risk levels of some or all of the transiting data. A traffic router may route transiting data according to determined risk profiles for the data. A sandbox may be implemented to compare, for a given input, expected and observed outputs for a subset of transiting data, so as to determine risk profiles associated with at least the subset.

公开(公告)号：US10114960B1

公开(公告)日：2018-10-30

申请号：US14220880

申请日：2014-03-20

Applicant: Amazon Technologies, Inc.

Inventor： Jon Arron McClintock ,  Tushaar Sethi ,  Maarten Van Horenbeeck

IPC: G06F21/00 ,  H04L29/06 ,  G06F21/62 ,  G06F21/55

Abstract: Techniques for detecting access to computer system data by applications running on a computer system are described herein. Data access event log entries are recorded, the log entries including one or more metadata items associated with how the computer system application accessed the computer system data. The log entries are analyzed using correlations with other computer system events and, if improper access is detected, one or more operations relating to the type of data accessed and the type of violation are performed to mitigate the improper data access.

公开(公告)号：US10002348B1

公开(公告)日：2018-06-19

申请号：US13950045

申请日：2013-07-24

Applicant: Amazon Technologies, Inc.

Inventor： Dennis Scott Doctor ,  Chelsea Celest Krueger ,  Tushaar Sethi

IPC: G06Q20/12 ,  G06Q30/06 ,  G06Q99/00 ,  G06Q20/10 ,  G06Q40/02 ,  G06Q20/20

CPC classification number: G06Q20/204 ,  G06Q20/02 ,  G06Q20/10 ,  G06Q20/401 ,  G06Q20/405 ,  G06Q30/0645 ,  G06Q40/025 ,  G06Q99/00 ,  Y10S902/00

Abstract: A payment routing and processing platform is configured to collect various attributes for use in identifying an optimal payment processor for a particular payment transaction message. For example, the payment routing and processing platform might identify business attributes, endpoint attributes, customer and transaction attributes, payment method attributes, system attributes, and/or other types of attributes. The payment routing and processing platform might then utilize some or all of the identified attributes to select an endpoint for processing a payment transaction message. The payment routing and processing platform might also utilize some or all of the identified attributes to identify and perform other types of processing of financial transactions. Machine learning techniques might also be utilized to improve the performance of the payment routing and processing platform.

公开(公告)号：US20180007020A1

公开(公告)日：2018-01-04

申请号：US15688255

申请日：2017-08-28

Applicant: Amazon Technologies, Inc.

Inventor： Daniel Wade Hitchcock ,  Darren Ernest Canavor ,  Tushaar Sethi

IPC: H04L29/06 ,  G06F21/62 ,  G06F21/10 ,  H04L9/08 ,  H04L9/32 ,  H04L9/14

CPC classification number: H04L63/0435 ,  G06F21/10 ,  G06F21/62 ,  H04L9/0825 ,  H04L9/0877 ,  H04L9/0891 ,  H04L9/0897 ,  H04L9/14 ,  H04L9/3234 ,  H04L9/3268 ,  H04L63/0823

Abstract: Aspects related to the secure transfer and use of secret material are described. In one embodiment, an encrypted secret key and encrypted revocation data are imported into a trusted execution environment and decrypted with private provider and vendor keys. In this manner, a provider of cryptographic processes is not exposed to the secret key or revocation data of a customer, as the secret key and revocation data are decrypted and stored within the trusted execution environment but not accessed in an unencrypted form. In turn, the provider can receive various instructions to perform cryptographic operations on behalf of the customer. Based on the outcome of a revocation check using the revocation data, the instructions can be performed by the trusted execution environment.

公开(公告)号：US09838260B1

公开(公告)日：2017-12-05

申请号：US14224544

申请日：2014-03-25

Applicant: Amazon Technologies, Inc.

Inventor： Jon Arron McClintock ,  Dominique Imjya Brezinski ,  Tushaar Sethi ,  Maarten Van Horenbeeck

IPC: H04L12/24 ,  H04L12/733

CPC classification number: H04L41/12 ,  H04L45/122

Abstract: A method and apparatus for path detection are disclosed. In the method and apparatus, a data path may link two path-end nodes in a network. Event data for the network may be received and may be used to determine, for each node resident on the path, proximity measures to each path-end node. The proximity measure of network nodes may be evaluated to determine whether a path exists between the two path-end nodes.

公开(公告)号：US09774573B2

公开(公告)日：2017-09-26

申请号：US14831341

申请日：2015-08-20

Applicant: Amazon Technologies, Inc.

Inventor： Daniel W. Hitchcock ,  Darren Ernest Canavor ,  Tushaar Sethi

IPC: H04L29/06 ,  G06F21/10 ,  H04L9/14 ,  H04L9/08 ,  G06F21/62 ,  H04L9/32

CPC classification number: H04L63/0435 ,  G06F21/10 ,  G06F21/62 ,  H04L9/0825 ,  H04L9/0877 ,  H04L9/0891 ,  H04L9/0897 ,  H04L9/14 ,  H04L9/3234 ,  H04L9/3268 ,  H04L63/0823

Abstract: Aspects related to the secure transfer and use of secret material are described. In one embodiment, public vendor and provider keys are provided to a customer and encrypted secret material is received in return. The encrypted secret material may include a customer secret material encrypted by the public vendor and provider keys. The encrypted secret material is imported into a trusted execution environment and decrypted with private provider and vendor keys. In this manner, a provider of cryptographic processes is not exposed to the secret material of the customer, as the customer secret material is decrypted and stored within the trusted execution environment but is not accessed by the provider in an unencrypted form. In turn, the provider may receive various instructions to perform cryptographic operations on behalf of the customer, and those instructions may be performed by the trusted execution environment.

公开(公告)号：US09661011B1

公开(公告)日：2017-05-23

申请号：US14574306

申请日：2014-12-17

Applicant: Amazon Technologies, Inc.

Inventor： Maarten Van Horenbeeck ,  Christopher Michael Anderson ,  Katharine Nicole Harrison ,  Matthew Ryan Jezorek ,  Jon Arron McClintock ,  Tushaar Sethi

IPC: H04L29/06 ,  H04L12/721

CPC classification number: H04L63/1425 ,  G06N99/005 ,  H04L45/70 ,  H04L63/1433

Abstract: Techniques described and suggested herein include various systems and methods for determining risk levels associated with transiting data, and routing portions of the data in accordance with the determined risk levels. For example, a risk analyzer may apply risk classifiers to transiting data to determine overall risk levels of some or all of the transiting data. A traffic router may route transiting data according to determined risk profiles for the data. A sandbox may be implemented to compare, for a given input, expected and observed outputs for a subset of transiting data, so as to determine risk profiles associated with at least the subset.