-
Publication No.: US11768937B1
Publication date: 2023-09-26
Application No.: US17106798
Application date: 2020-11-30
Applicant: Amazon Technologies, Inc.
Inventor: Mircea Ciubotariu
CPC classification number: G06F21/565, G06F16/137, G06F16/152, G06F2221/034
Abstract: Techniques for hash based flexible scanning are described. A method of hash based flexible scanning may include obtaining a sample from a sample source, determining a size of the sample, generating one or more hashes of one or more blocks of the sample based on the size of the sample, and determining whether the sample is associated with a known threat by comparing the one or more hashes of the one or more blocks to hashes in a threat database.
-
Publication No.: US11861007B1
Publication date: 2024-01-02
Application No.: US17213575
Application date: 2021-03-26
Applicant: Amazon Technologies, Inc.
Inventor: Mircea Ciubotariu, Shlomo Yehezkel, Peter Ferrie
CPC classification number: G06F21/566, G06F9/45558, G06F21/567, G06F2009/45579, G06F2009/45587, G06F2009/45591
Abstract: Techniques for detecting container threats are described. A method of detecting container threats includes receiving, by a scanning agent on a scanner container on a host in a provider network, event data from a plurality of collection agents corresponding to a plurality of customer containers on the host, determining, by the scanning agent, the event data matches at least one known threat, and generating, by the scanning agent, event findings associated with the event data.
-
Publication No.: US11372811B1
Publication date: 2022-06-28
Application No.: US16836203
Application date: 2020-03-31
Applicant: Amazon Technologies, Inc.
Inventor: Mircea Ciubotariu, Sandeep Kumar, Shlomo Yehezkel, Chakravarthi Kalyana Valicherla, Tal Eidelman, Shane Pereira
IPC: G06F16/11, G06F16/17, G06F21/56, G06F16/13, G06F16/182
Abstract: Techniques for optimizing disk volume scanning using snapshot metadata are described. A method of optimizing disk volume scanning using snapshot metadata may include determining, by a scanning service of a provider network, a plurality of changed blocks between a current snapshot of a storage volume in a storage service of the provider network and a reference snapshot of the storage volume, determining one or more files that overlap at least one of the plurality of changed blocks, and scanning the one or more files for threats.
-
Publication No.: US11989161B2
Publication date: 2024-05-21
Application No.: US17810518
Application date: 2022-07-01
Applicant: Amazon Technologies, Inc.
Inventor: Mircea Ciubotariu
IPC: G06F16/174, G06F16/17
CPC classification number: G06F16/1744, G06F16/1734
Abstract: Method and apparatus for compressing raw event logs into smaller readable formats are described. An example includes receiving an uncompressed log file including traces of events executed on a computing system. In the uncompressed log file, a number of consecutive events are identified referencing an action performed with different parameters, and the uncompressed log file is modified by replacing the identified consecutive events with a record indicating that an event has been repeated the number of times. In the modified log file, repeated sequences of events are identified, a compressed log file is generated by replacing, in the modified log file, repeated sequences of events with a record referencing an initial repetition of events and a difference between parameters included in the initial repetition of events and a respective repeated sequence, and the generated compressed log file is output.
-
Publication No.: US11868471B1
Publication date: 2024-01-09
Application No.: US17159824
Application date: 2021-01-27
Applicant: Amazon Technologies, Inc.
Inventor: Mircea Ciubotariu
IPC: G06F21/56, G06F16/2457
CPC classification number: G06F21/564, G06F16/24578, G06F2221/033
Abstract: A method of particle-based threat scanning may include obtaining a sample from a sample source, generating a plurality of particles from the sample, wherein each particle from the plurality of particles is an array of unique bytes generated based on one or more particle properties, and determining whether the sample is associated with a known threat by comparing the plurality of particles to particle threat signatures in a threat database.
-
Publication No.: US11803642B1
Publication date: 2023-10-31
Application No.: US17219438
Application date: 2021-03-31
Applicant: Amazon Technologies, Inc.
Inventor: Mircea Ciubotariu
CPC classification number: G06F21/565, G06F16/2237, G06F21/566, G06F2221/033
Abstract: Techniques for particle-based threat scanning are described. A method of extracting particles from high entropy data may include obtaining a sample from a sample source, identifying an anchor particle in the sample, generating a plurality of particles following the anchor particle based on a particle limit, wherein each particle from the plurality of particles is an array of unique bytes generated based on one or more particle properties, and storing the plurality of particles following the anchor particle in a particle database.
-
Publication No.: US11704408B1
Publication date: 2023-07-18
Application No.: US17364440
Application date: 2021-06-30
Applicant: Amazon Technologies, Inc.
Inventor: Mircea Ciubotariu, Muhammad Wasiq, Shane Anil Pereira
CPC classification number: G06F21/565, G06F21/577, G06F9/45558, G06F2009/45587, G06F2221/034
Abstract: Techniques for threat scanning transplanted containers are described. A method of threat scanning transplanted containers may include generating a container map of running containers on a block storage volume mounted to a scanning instance of a threat scanning service, scanning the block storage volume by a scanning engine of the scanning instance, identifying at least one threat on the block storage volume, and identifying at least one container associated with the at least one threat using the container map.
-
Publication No.: US11379421B1
Publication date: 2022-07-05
Application No.: US16451799
Application date: 2019-06-25
Applicant: Amazon Technologies, Inc.
Inventor: Mircea Ciubotariu
IPC: G06F16/174, G06F16/17
Abstract: Method and apparatus for compressing raw event logs into smaller readable formats are described. An example includes receiving an uncompressed log file including traces of events executed on a computing system. In the uncompressed log file, a number of consecutive events are identified referencing an action performed with different parameters, and the uncompressed log file is modified by replacing the identified consecutive events with a record indicating that an event has been repeated the number of times. In the modified log file, repeated sequences of events are identified, a compressed log file is generated by replacing, in the modified log file, repeated sequences of events with a record referencing an initial repetition of events and a difference between parameters included in the initial repetition of events and a respective repeated sequence, and the generated compressed log file is output.