公开(公告)号：US10027694B1

公开(公告)日：2018-07-17

申请号：US15083183

申请日：2016-03-28

申请人： Amazon Technologies, Inc.

发明人： Piyush Gupta ,  Amit J. Mhatre ,  William Alexander Stevenson ,  Atulya S. Beheray

IPC分类号： H04L29/06

摘要： Systems and methods are described to enable detection of network attacks in communication networks. An attack detection system receives information regarding network traffic occurring at nodes of a communication network, and analyzes the information for anomalous traffic patterns. The attack detection system can use multiple, parallel metric evaluation units programmed to detect specific types of anomalies within traffic patterns. In one instance, a metric evaluation unit is programmed to detect changes in entropy for the traffic, as distributed according to a characteristic such as source address, protocol, or country of origin. Where the entropy of a set of traffic differs from historical averages by a large amount, such as by many standard deviations, the attack detection system may flag the traffic as indicative of an attack, even when the absolute volume of traffic has not changed.

公开(公告)号：US11552946B2

公开(公告)日：2023-01-10

申请号：US16852220

申请日：2020-04-17

申请人： Amazon Technologies, Inc.

发明人： Ramkishore Bhattacharyya ,  Amit J. Mhatre ,  Ashutosh Thakur ,  Atulya S. Beheray ,  Rameez Loladia

IPC分类号： G06F7/04 ,  H04L9/32 ,  H04L29/06 ,  H04L9/40 ,  H04L9/14 ,  H04L9/30

摘要： A network protocol provides mutual authentication of network-connected devices that are parties to a communication channel in environments where the amount of memory and processing power available to the network-connected devices is constrained. When a new device is added to a network, the device contacts a registration service and provides authentication information that proves the authenticity of the device. After verifying the authenticity of the device, the registration service generates a token that can be used to by the device to authenticate with other network entities, and provides the token to the device. The registration service publishes the token using a directory service. When the device connects to another network entity, the device provides the token to the other network entity, and the other network entity authenticates the device by verifying the token using the directory service.

公开(公告)号：US10516694B1

公开(公告)日：2019-12-24

申请号：US15084354

申请日：2016-03-29

申请人： Amazon Technologies, Inc.

发明人： Piyush Gupta ,  Stephen Andrew Stroud Saville ,  Andrew John Kiggins ,  Atulya S. Beheray

IPC分类号： H04L29/06

摘要： Systems and methods are described to enable mitigation of network attacks in communication networks. When a network attack is detected, packets within the communication network are routed through a hierarchical mitigation system, which includes at least two tiers of mitigation devices configured to apply mitigation techniques to the packets. Outer tiers of the hierarchical mitigation system (e.g., closer to an edge of the communication network) can apply simple mitigation techniques that are efficient even when distributed, and which provide early mitigation for attack packets while not requiring large amounts of computing resources. Inner tiers of the hierarchical mitigation system (e.g., closer to a destination device) can apply more complex mitigation systems that may require centralized application, and which provide more robust mitigation at a potentially higher computing resource cost.

公开(公告)号：US20230142978A1

公开(公告)日：2023-05-11

申请号：US18094096

申请日：2023-01-06

申请人： Amazon Technologies, Inc.

发明人： Ramkishore Bhattacharyya ,  Amit J. Mhatre ,  Ashutosh Thakur ,  Atulya S. Beheray ,  Rameez Loladia

IPC分类号： H04L9/40 ,  H04L9/14 ,  H04L9/30 ,  H04L9/32

CPC分类号： H04L63/0869 ,  H04L9/14 ,  H04L9/3013 ,  H04L9/3247 ,  H04L63/061

摘要： A network protocol provides mutual authentication of network-connected devices that are parties to a communication channel in environments where the amount of memory and processing power available to the network-connected devices is constrained. When a new device is added to a network, the device contacts a registration service and provides authentication information that proves the authenticity of the device. After verifying the authenticity of the device, the registration service generates a token that can be used to by the device to authenticate with other network entities, and provides the token to the device. The registration service publishes the token using a directory service. When the device connects to another network entity, the device provides the token to the other network entity, and the other network entity authenticates the device by verifying the token using the directory service.

公开(公告)号：US10554636B2

公开(公告)日：2020-02-04

申请号：US16186425

申请日：2018-11-09

申请人： Amazon Technologies, Inc.

发明人： Ramkishore Bhattacharyya ,  Amit J. Mhatre ,  Ashutosh Thakur ,  Atulya S. Beheray ,  Rameez Loladia

IPC分类号： H04L29/06 ,  H04L9/08 ,  H04L9/14

摘要： A lightweight network protocol provides mutual authentication and encryption of a communication channel in environments where the amount of computing resources available to the networked devices is constrained. When a new device is added to a network, the device contacts a registration service and provides information that is published via a device directory. The network entity locates the device via information provided by the device directory, and establishes an encrypted network connection with the device. A shared secret is established between the device and the network entity using a key-exchange protocol. Consecutive messages that are sent or received are encrypted or decrypted with a sequence of cryptographic keys generated based at least in part on the shared secret. Key-exchange parameters are added to message exchanges between the device and the network entity to facilitate regenerating the shared secret.

公开(公告)号：US10129223B1

公开(公告)日：2018-11-13

申请号：US15360862

申请日：2016-11-23

申请人： Amazon Technologies, Inc.

发明人： Ramkishore Bhattacharyya ,  Amit Mhatre ,  Ashutosh Thakur ,  Atulya S. Beheray ,  Rameez Loladia

IPC分类号： H04L29/06 ,  H04L9/08 ,  H04L9/30 ,  H04L9/14 ,  H04L9/06

摘要： A lightweight network protocol provides mutual authentication and encryption of a communication channel in environments where the amount of computing resources available to the networked devices is constrained. When a new device is added to a network, the device contacts a registration service and provides information that is published via a device directory. The network entity locates the device via information provided by the device directory, and establishes an encrypted network connection with the device. A shared secret is established between the device and the network entity using a key-exchange protocol. Consecutive messages that are sent or received are encrypted or decrypted with a sequence of cryptographic keys generated based at least in part on the shared secret. Key-exchange parameters are added to message exchanges between the device and the network entity to facilitate regenerating the shared secret.

公开(公告)号：US11128612B1

公开(公告)日：2021-09-21

申请号：US16582653

申请日：2019-09-25

申请人： Amazon Technologies, Inc.

发明人： Rameez Loladia ,  Ramkishore Bhattacharyya ,  Ashutosh Thakur ,  Atulya S. Beheray

IPC分类号： H04L29/06

摘要： Techniques are disclosed for provisioning device-specific credentials to an Internet of Things device that accesses a cloud-based IoT service. The IoT service receives, from the IoT device, a request for device-specific credentials. The request comprises a provisioning certificate including information identifying a group of devices associated with the IoT device. The provisioning certificate is authenticated by evaluating the information with expected information. The device-specific credentials are generated based, at least in part, on the information provided in the provisioning certificate. The device-specific credentials are sent to the IoT device, and the IoT device installs and activates the device-specific credentials. The device-specific credentials are associated with the IoT device in a registry of the IoT service.

公开(公告)号：US20200252396A1

公开(公告)日：2020-08-06

申请号：US16852220

申请日：2020-04-17

申请人： Amazon Technologies, Inc.

发明人： Ramkishore Bhattacharyya ,  Amit J. Mhatre ,  Ashutosh Thakur ,  Atulya S. Beheray ,  Rameez Loladia

IPC分类号： H04L29/06 ,  H04L9/32 ,  H04L9/30 ,  H04L9/14

摘要： A network protocol provides mutual authentication of network-connected devices that are parties to a communication channel in environments where the amount of memory and processing power available to the network-connected devices is constrained. When a new device is added to a network, the device contacts a registration service and provides authentication information that proves the authenticity of the device. After verifying the authenticity of the device, the registration service generates a token that can be used to by the device to authenticate with other network entities, and provides the token to the device. The registration service publishes the token using a directory service. When the device connects to another network entity, the device provides the token to the other network entity, and the other network entity authenticates the device by verifying the token using the directory service.

公开(公告)号：US10447683B1

公开(公告)日：2019-10-15

申请号：US15354869

申请日：2016-11-17

申请人： Amazon Technologies, Inc.

发明人： Rameez Loladia ,  Ramkishore Bhattacharyya ,  Ashutosh Thakur ,  Atulya S. Beheray

IPC分类号： H04L29/06

摘要： Techniques are disclosed for provisioning device-specific credentials to an Internet of Things device that accesses a cloud-based IoT service. The IoT service receives, from the IoT device, a request for device-specific credentials. The request comprises a provisioning certificate including information identifying a group of devices associated with the IoT device. The provisioning certificate is authenticated by evaluating the information with expected information. The device-specific credentials are generated based, at least in part, on the information provided in the provisioning certificate. The device-specific credentials are sent to the IoT device, and the IoT device installs and activates the device-specific credentials. The device-specific credentials are associated with the IoT device in a registry of the IoT service.

公开(公告)号：US20190097982A1

公开(公告)日：2019-03-28

申请号：US16186425

申请日：2018-11-09

申请人： Amazon Technologies, Inc.

发明人： Ramkishore Bhattacharyya ,  Amit J. Mhatre ,  Ashutosh Thakur ,  Atulya S. Beheray ,  Rameez Loladia

IPC分类号： H04L29/06 ,  H04L9/08 ,  H04L9/14 ,  H04L9/06 ,  H04L9/30

CPC分类号： H04L63/0435 ,  H04L9/0841 ,  H04L9/0861 ,  H04L9/14 ,  H04L9/321 ,  H04L63/061 ,  H04L63/0869 ,  H04L2463/061

摘要： A lightweight network protocol provides mutual authentication and encryption of a communication channel in environments where the amount of computing resources available to the networked devices is constrained. When a new device is added to a network, the device contacts a registration service and provides information that is published via a device directory. The network entity locates the device via information provided by the device directory, and establishes an encrypted network connection with the device. A shared secret is established between the device and the network entity using a key-exchange protocol. Consecutive messages that are sent or received are encrypted or decrypted with a sequence of cryptographic keys generated based at least in part on the shared secret. Key-exchange parameters are added to message exchanges between the device and the network entity to facilitate regenerating the shared secret.