Leveraging transport-layer cryptographic material

    Publication No.: US10250573B2

    Publication date: 2019-04-02

    Application No.: US15712005

    Filing date: 2017-09-21

    Abstract: A client application cryptographically protects application data using an application-layer cryptographic key. The application-layer cryptographic key is derived from cryptographic material provided by a cryptographically protected network connection. The client exchanges the cryptographically protected application data with a service application via the cryptographically protected network connection. The client and service applications acquire matching application-layer cryptographic keys by leveraging shared secrets negotiated as part of establishing the cryptographically protected network connection. The shared secrets may include information that is negotiated as part of establishing a TLS session such as a pre-master secret, master secret, or session key. The application-layer cryptographic keys may be derived in part by applying a key derivation function, a one-way function or a cryptographic hash function to the shared secret information.

    LEVERAGING TRANSPORT-LAYER CRYPTOGRAPHIC MATERIAL

    Publication No.: US20180026950A1

    Publication date: 2018-01-25

    Application No.: US15712005

    Filing date: 2017-09-21

    Abstract: A client application cryptographically protects application data using an application-layer cryptographic key. The application-layer cryptographic key is derived from cryptographic material provided by a cryptographically protected network connection. The client exchanges the cryptographically protected application data with a service application via the cryptographically protected network connection. The client and service applications acquire matching application-layer cryptographic keys by leveraging shared secrets negotiated as part of establishing the cryptographically protected network connection. The shared secrets may include information that is negotiated as part of establishing a TLS session such as a pre-master secret, master secret, or session key. The application-layer cryptographic keys may be derived in part by applying a key derivation function, a one-way function or a cryptographic hash function to the shared secret information.

    End-to-end change tracking for triggering website security review

    Publication No.: US10776498B2

    Publication date: 2020-09-15

    Application No.: US16548733

    Filing date: 2019-08-22

    Abstract: An end-to-end request path associated with an application frontend is determined. A change to a service in the end-to-end request path is identified. A weight value to associate with the change is determined based at least in part on the characteristics of the change. The weight value is aggregated with weight values associated with other code changes to produce a collective weight of the code changes. A security review is determined to be triggered based at least in part on the collective weight reaching a value relative to a threshold.

    Data exfiltration control
    Granted invention patent

    Publication No.: US10764294B1

    Publication date: 2020-09-01

    Application No.: US15067042

    Filing date: 2016-03-10

    Abstract: A service request and a credential are sent from a customer environment to a service provider. The service provider maintains information, such as a credential whitelist, that identifies which credentials may be used with each customer environment. The service provider identifies the particular customer environment from which the service request was submitted using the IP address of the requester (or other environment-identifying information), and retrieves information that restricts the use of the credentials. A request may be approved or rejected based on the presence of the associated credential in a whitelist notwithstanding whether the credential otherwise authorizes the service request. In some examples, the system is used to limit data exfiltration from a customer environment.

    Sensitive data usage detection using static analysis

    Publication No.: US10248532B1

    Publication date: 2019-04-02

    Application No.: US14855139

    Filing date: 2015-09-15

    Abstract: Methods, systems, and computer-readable media for implementing sensitive data usage detection using static analysis are disclosed. A specification of one or more operations exposed by a service in a service-oriented system is obtained from a repository. The names of the one or more operations are determined in the specification. The names of one or more parameters of the one or more operations are determined in the specification. The names of the one or more operations and the names of the one or more parameters are checked against a dictionary of sensitive terms. One or more sensitive operations are determined among the one or more operations. One or more consumers of the one or more sensitive operations are determined.

    Preventing leakage of cookie data

    Publication No.: US10243957B1

    Publication date: 2019-03-26

    Application No.: US14837410

    Filing date: 2015-08-27

    Abstract: Disclosed are various embodiments for preventing the unintended leakage of cookie data between network sites using a shared high-level domain and vice versa. In one embodiment, a browser application stores data from a first network site having a high-level domain in a client computing device. Access to the data is limited to one or more network sites having the high-level domain. A first classification is assigned to the first network site. A second classification is assigned to a second network site having the high-level domain. The data is sent to the second network site in response to determining that the first classification matches the second classification.

    Service-To-Service Digital Path Tracing

    Publication No.: US20170142097A1

    Publication date: 2017-05-18

    Application No.: US15420011

    Filing date: 2017-01-30

    Abstract: A service receives from a sender service a digital message and a corresponding trace, which includes an ordered set of digital signatures of one or more services that participated in causing the service to receive the digital message. The trace may further specify an ordering of the one or more services, which may be generated according to the order of participation of these one or more services. The service may compare the received trace to recorded message paths to determine whether the ordering specified within the trace is valid. If the ordering is valid, the service may use one or more digital certificates to further verify the digital signatures included within the trace. If the service determines that these digital signatures are also valid, the service may process the message.

    Modifying provisioned throughput capacity for data stores according to cache performance

    Publication No.: US10649903B2

    Publication date: 2020-05-12

    Application No.: US16035461

    Filing date: 2018-07-13

    Abstract: Modifications to throughput capacity provisioned at a data store for servicing access requests to the data store may be performed according to cache performance metrics. A cache that services access requests to the data store may be monitored to collect and evaluate cache performance metrics. The cache performance metrics may be evaluated with respect to criteria for triggering different throughput modifications. In response to triggering a throughput modification, the throughput capacity for the data store may be modified according to the triggered throughput modification. In some embodiments, the criteria for detecting throughput modifications may be determined and modified based on cache performance metrics.

    PREVENTING INTER-APPLICATION MESSAGE HIJACKING

    Publication No.: US20190081944A1

    Publication date: 2019-03-14

    Application No.: US16191033

    Filing date: 2018-11-14

    Abstract: Various approaches discussed herein enable validation of an application on a computing device, such as a mobile computing device, prior to that application being invoked by activation of a link in another application. Upon activation of the link in a calling application, the computing device determines a target application to be invoked in response to the activation. Sensitive or confidential data, such as login credentials, may be included in the link to be passed to the target application. By validating either the calling or the target application, the data may be safeguarded by confirming an identity of an application associated with the link.
