-
Publication number: US12197578B1
Publication date: 2025-01-14
Application number: US17548274
Application date: 2021-12-10
Applicant: Amazon Technologies, Inc.
Inventor: Eric Jason Brandwine
Abstract: Techniques are described for monitoring and analyzing input/output (I/O) messages for patterns indicative of ransomware attacks affecting computer systems of a cloud provider, and for performing various remediation actions to mitigate data loss once a potential ransomware attack is detected. The monitoring of I/O activity for such patterns is performed at least in part by I/O proxy devices coupled to computer systems of a cloud provider network, where an I/O proxy device is interposed in the I/O path between guest operating systems running on a computer system and storage devices to which I/O messages are destined. An I/O proxy device can analyze I/O messages for patterns indicative of potential ransomware attacks by monitoring for anomalous I/O patterns which may, e.g., be indicative of a malicious process attempting to encrypt or otherwise render inaccessible a significant portion of one or more storage volumes as part of a ransomware attack.
-
Publication number: US12175266B1
Publication date: 2024-12-24
Application number: US18500905
Application date: 2023-11-02
Applicant: Amazon Technologies, Inc.
Inventor: Marvin M. Theimer , Peter DeSantis , Eric Jason Brandwine
IPC: G06F9/455 , G06F9/50 , H04L41/0806 , H04L41/5051
Abstract: Virtual resources may be provisioned in a manner that is aware of, and respects, underlying implementation resource boundaries. A customer of the virtual resource provider may specify that particular virtual resources are to be implemented with implementation resources that are dedicated to the customer. Dedicating an implementation resource to a particular customer of a virtual resource provider may establish one or more information barriers between the particular customer and other customers of the virtual resource provider. Implementation resources may require transition procedures, including custom transition procedures, to enter and exit dedicated implementation resource pools. Costs corresponding to active and inactive implementation resources in dedicated pools associated with a particular customer may be accounted for, and presented to, the customer in a variety of ways including explicit, adjusted per customer and adjusted per type of virtual resource and/or implementation resource.
-
Publication number: US12058169B1
Publication date: 2024-08-06
Application number: US17548285
Application date: 2021-12-10
Applicant: Amazon Technologies, Inc.
Inventor: Eric Jason Brandwine
IPC: H04L9/40
CPC classification number: H04L63/1441
Abstract: Techniques are described for monitoring and analyzing input/output (I/O) messages for patterns indicative of ransomware attacks affecting computer systems of a cloud provider, and for performing various remediation actions to mitigate data loss once a potential ransomware attack is detected. The monitoring of I/O activity for such patterns is performed at least in part by I/O proxy devices coupled to computer systems of a cloud provider network, where an I/O proxy device is interposed in the I/O path between guest operating systems running on a computer system and storage devices to which I/O messages are destined. An I/O proxy device can analyze I/O messages for patterns indicative of potential ransomware attacks by monitoring for anomalous I/O patterns which may, e.g., be indicative of a malicious process attempting to encrypt or otherwise render inaccessible a significant portion of one or more storage volumes as part of a ransomware attack.
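The two abstracts above (US12197578B1 and US12058169B1) describe the same mechanism: an I/O proxy sitting in the write path that watches for an anomalous pattern such as one process encrypting a large share of a volume. What follows is an added example of one such heuristic, written for this page and not code from the patents or from Amazon: per-block Shannon entropy, counted only when a block that previously held low-entropy data is overwritten with high-entropy data, scored as a fraction of the volume over a sliding window of recent write messages. The block size, the entropy and alert thresholds, the window length and the remediation names are assumptions of the example.

```python
import hashlib
import math
from collections import Counter, deque

BLOCK_SIZE = 4096  # assumed block granularity of the constructed volume


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: text and code sit around 4-6, ciphertext close to 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


class IoProxyMonitor:
    """Models the I/O proxy device: every write message passes through it before
    reaching the storage device, and it scores the recent write stream for the
    pattern in the abstract: blocks that held low-entropy data being overwritten
    with high-entropy data across a large part of the volume."""

    def __init__(self, volume_blocks, high_entropy=7.5, alert_fraction=0.2, window=256):
        self.volume_blocks = volume_blocks    # size of the monitored volume, in blocks
        self.high_entropy = high_entropy      # entropy at which a block counts as ciphertext-like
        self.alert_fraction = alert_fraction  # share of the volume flipped that triggers remediation
        self.window = window                  # write messages kept in the sliding window
        self.block_is_high = {}               # block -> entropy class of its last observed write
        self.recent = deque()                 # per message: blocks that flipped low -> high
        self.flip_counts = Counter()          # block -> occurrences within self.recent

    def observe_write(self, offset: int, payload: bytes) -> dict:
        """Consume one write message and return the proxy's decision for it."""
        flipped = []
        for i in range(0, len(payload), BLOCK_SIZE):
            block = (offset + i) // BLOCK_SIZE
            high = shannon_entropy(payload[i:i + BLOCK_SIZE]) >= self.high_entropy
            # Only overwrites of blocks previously seen holding plaintext count. A
            # high-entropy write into never-written space (a compressed archive
            # landing on free blocks) is not evidence that existing data is being
            # encrypted, so it does not move the score.
            if high and self.block_is_high.get(block) is False:
                flipped.append(block)
            self.block_is_high[block] = high
        self.recent.append(flipped)
        self.flip_counts.update(flipped)
        if len(self.recent) > self.window:
            self.flip_counts.subtract(self.recent.popleft())
        distinct = sum(1 for count in self.flip_counts.values() if count > 0)
        score = distinct / self.volume_blocks
        alert = score >= self.alert_fraction
        # The remediation names are assumptions; the abstract only says remediation
        # actions are taken to mitigate data loss.
        return {"score": score, "alert": alert,
                "action": "snapshot_and_quarantine_writes" if alert else "forward"}


PLAINTEXT_BLOCK = (b"Quarterly report: revenue up 4%, churn flat. " * 100)[:BLOCK_SIZE]


def ciphertext_like_block(seed: int) -> bytes:
    """Deterministic stand-in for an encrypted block (SHA-256 digests over a counter),
    so the example needs no cipher library and behaves the same on every run."""
    return b"".join(hashlib.sha256(f"{seed}:{i}".encode()).digest()
                    for i in range(BLOCK_SIZE // 32))


def simulate() -> dict:
    """Constructed scenario on a 200-block volume: normal writes, a backup job,
    then an encryptor walking over the first 50 blocks."""
    proxy = IoProxyMonitor(volume_blocks=200)
    for block in range(100):  # the guest fills half the volume with documents
        proxy.observe_write(block * BLOCK_SIZE, PLAINTEXT_BLOCK)
    rewrite = proxy.observe_write(0, PLAINTEXT_BLOCK)  # routine edit of an existing block
    archive = proxy.observe_write(150 * BLOCK_SIZE, ciphertext_like_block(999))  # archive on free space
    first_alert_block, last = None, None
    for block in range(50):  # ransomware overwrites documents in place
        last = proxy.observe_write(block * BLOCK_SIZE, ciphertext_like_block(block))
        if last["alert"] and first_alert_block is None:
            first_alert_block = block
    return {"rewrite": rewrite["action"], "archive": archive["action"],
            "first_alert_block": first_alert_block, "final_score": last["score"]}


if __name__ == "__main__":
    print(simulate())
```

Two limits of the heuristic are visible in the scenario. The archive write is ignored because the blocks had never held plaintext, which keeps legitimate compressed or already-encrypted data from tripping it, but also means the proxy needs a baseline before it can judge overwrites. And the score is a fraction of the whole volume, so an attacker who encrypts only a handful of high-value blocks stays under the threshold; a production proxy would combine this with other signals, such as write rate or the order in which blocks are touched.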
-
Publication number: US12058037B1
Publication date: 2024-08-06
Application number: US17450230
Application date: 2021-10-07
Applicant: Amazon Technologies, Inc.
Inventor: Andrew B. Dickinson , Eric Jason Brandwine
IPC: G06F15/16 , G06F9/50 , H04L45/302 , H04L67/1021
CPC classification number: H04L45/306 , G06F9/5061 , H04L67/1021 , G06F2209/502
Abstract: Systems and methods utilize network destination identifiers, such as IP addresses, that are simultaneously advertised from multiple locations. The network destination identifiers may be announced in multiple geographic regions. Network traffic routed to devices advertising the network destination identifiers may be routed to appropriate endpoints. When a device receives such traffic, it may send the traffic to an endpoint in a network served by the device. In some instances, such as when such an endpoint is not available, the network traffic may be sent to another network that is served by another device that advertises the network destination identifiers.
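To make the fallback rule in the abstract concrete, here is an added example in Python, not code from the patent or from Amazon: each region runs a device advertising the same address; the device flow-hashes traffic onto a healthy endpoint in its own network and, when none is available, hands the traffic to the next device advertising the address, carrying the set of regions already visited so that two regions without capacity cannot bounce traffic between each other. The peer ordering, the flow-hash selection, the health model and the TEST-NET address are assumptions.

```python
import hashlib

ANYCAST_VIP = "203.0.113.10"  # constructed: one TEST-NET-3 address advertised from every region


class RegionDevice:
    """A device that advertises ANYCAST_VIP from one region. It serves the endpoints
    in its own network and knows the other devices advertising the same address so
    it can hand traffic on when no local endpoint is available."""

    def __init__(self, region: str, endpoints: dict):
        self.region = region
        self.endpoints = dict(endpoints)  # endpoint name -> healthy (bool)
        self.peers = []                   # other devices for the same VIP, nearest first (assumed)

    def healthy_endpoints(self) -> list:
        return sorted(name for name, healthy in self.endpoints.items() if healthy)

    def deliver(self, flow: str, visited: frozenset = frozenset()):
        """Route one flow (a 5-tuple string). Returns the chosen endpoint and the
        regions the traffic crossed, or None if no region can serve it."""
        visited = visited | {self.region}
        local = self.healthy_endpoints()
        if local:
            # Hash the flow so packets of one flow keep landing on the same endpoint.
            # SHA-256 rather than hash(): Python salts hash() per process.
            digest = hashlib.sha256(flow.encode()).digest()
            chosen = local[int.from_bytes(digest[:4], "big") % len(local)]
            return {"region": self.region, "endpoint": chosen, "path": [self.region]}
        for peer in self.peers:
            if peer.region in visited:
                continue  # loop guard: regions without capacity must not ping-pong traffic
            result = peer.deliver(flow, visited)
            if result is not None:
                result["path"] = [self.region] + result["path"]
                return result
        return None


def build_regions() -> dict:
    """Constructed deployment: three regions advertising the same VIP."""
    us = RegionDevice("us-east", {"us-api-1": True, "us-api-2": True})
    eu = RegionDevice("eu-west", {"eu-api-1": True})
    ap = RegionDevice("ap-south", {"ap-api-1": False})  # its only local endpoint is down
    us.peers, eu.peers, ap.peers = [eu, ap], [us, ap], [eu, us]
    return {"us-east": us, "eu-west": eu, "ap-south": ap}
```

Traffic that arrives at ap-south spills to eu-west; if eu-west also loses its endpoint it continues to us-east, and when every region is out the call returns None instead of looping, which is the case a naive "try the next peer" implementation gets wrong.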
-
Publication number: US12045264B2
Publication date: 2024-07-23
Application number: US18055324
Application date: 2022-11-14
Applicant: Amazon Technologies, Inc.
Inventor: Eric Jason Brandwine , Calvin Yue-Ren Kuo
CPC classification number: G06F16/285 , G06F3/0604 , G06F18/24 , G06N20/00
Abstract: A connected device at a client network implements a local data classification service for classifying data based on a data classification service of a remote provider network. The local data classification service receives a request to classify data at one or more data sources of the client network. The request is initiated from a client device of the client network according to a management interface for a data classification service of a remote provider network (e.g., using the same API request used by the remote classification service). The local data classification service obtains at least some of the data from the one or more data sources of the client network. The local data classification service classifies the obtained data according to different types of sensitivity using the data classification engine in the execution environment without the data being exposed outside of a data isolation boundary of the client network.
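As an added illustration of what a local classification engine behind the same request shape can look like (this is example code written for this page, not the patent's or Amazon's): a small Python service that scans constructed data sources for a few sensitivity types and returns counts, severities and masked samples, together with a check that nothing it matched appears in the returned report. The detector set, the request field names and the severity levels are assumptions; the Luhn check is included because a bare digit-run regex over real exports produces mostly false positives.

```python
import json
import re
from dataclasses import dataclass

# The detector set is an assumption of this example; the abstract only says data
# is classified "according to different types of sensitivity".
CANDIDATE = {
    "EMAIL": re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b"),
    "PAYMENT_CARD": re.compile(r"\b\d(?:[ -]?\d){12,18}\b"),
    "CLOUD_ACCESS_KEY_ID": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
}
SEVERITY = {"EMAIL": "LOW", "PAYMENT_CARD": "HIGH", "CLOUD_ACCESS_KEY_ID": "HIGH"}


def luhn_valid(candidate: str) -> bool:
    """Luhn checksum: drops digit runs (order ids, timestamps) that only look like card numbers."""
    digits = [int(c) for c in candidate if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(category: str, value: str) -> str:
    """What may leave the boundary about a hit: the mail domain, or the last 4 characters."""
    if category == "EMAIL":
        return "***@" + value.split("@", 1)[1]
    compact = value.replace(" ", "").replace("-", "")
    return "*" * (len(compact) - 4) + compact[-4:]


@dataclass
class ClassifyRequest:
    """Same shape the caller would send to the remote service (field names assumed)."""
    data_sources: list
    max_samples: int = 2


class LocalClassificationService:
    """Runs on the connected device inside the client network. It reads the data
    sources locally and returns findings only; the data itself never leaves."""

    def __init__(self, sources: dict):
        self._sources = sources  # name -> bytes, stays inside the isolation boundary

    def classify(self, request: ClassifyRequest) -> dict:
        report = {}
        for name in request.data_sources:
            text = self._sources[name].decode("utf-8", errors="replace")
            findings = {}
            for category, pattern in CANDIDATE.items():
                hits = [m.group(0) for m in pattern.finditer(text)]
                if category == "PAYMENT_CARD":
                    hits = [h for h in hits if luhn_valid(h)]
                if hits:
                    findings[category] = {
                        "count": len(hits),
                        "severity": SEVERITY[category],
                        "samples": [mask(category, h) for h in hits[:request.max_samples]],
                    }
            levels = {f["severity"] for f in findings.values()}
            report[name] = {
                "sensitivity": "HIGH" if "HIGH" in levels else "LOW" if levels else "NONE",
                "findings": findings,
            }
        return report


# Constructed sample sources. 4111 1111 1111 1111 is a standard test card number and
# AKIAIOSFODNN7EXAMPLE is the example key id used in AWS documentation.
SAMPLE_SOURCES = {
    "crm-export.csv": (b"name,email,card\n"
                       b"Ada,ada@example.com,4111 1111 1111 1111\n"
                       b"Bob,bob@example.org,4111 1111 1111 1112\n"),
    "deploy.env": b"REGION=us-west-2\nAWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\nORDER_ID=1234567890123\n",
    "readme.txt": b"Nothing sensitive here.\n",
}


def run_local_classification() -> dict:
    service = LocalClassificationService(SAMPLE_SOURCES)
    return service.classify(ClassifyRequest(data_sources=list(SAMPLE_SOURCES)))


def leaks_raw_data(report: dict, sources: dict) -> bool:
    """Boundary check: no raw hit from any source may appear in what is returned."""
    serialized = json.dumps(report)
    for content in sources.values():
        text = content.decode("utf-8", errors="replace")
        for pattern in CANDIDATE.values():
            if any(m.group(0) in serialized for m in pattern.finditer(text)):
                return True
    return False
```

The second card number and the 13-digit order id are matched by the regex but rejected by the Luhn check, so the CSV reports one card, not two, and the environment file reports only the access key id. The `leaks_raw_data` check is the property that matters for the isolation boundary: the report that goes back to the management interface carries classification results, never the values that produced them.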
-
Publication number: US20240243966A1
Publication date: 2024-07-18
Application number: US18407162
Application date: 2024-01-08
Applicant: Amazon Technologies, Inc.
Inventor: Daniel Todd Cohn , Eric Jason Brandwine , Andrew J. Doane
IPC: H04L41/0803 , G06F9/455 , G06F9/50 , H04L12/46 , H04L41/0806 , H04L41/0893 , H04L41/12 , H04L45/00 , H04L45/02 , H04L61/10 , H04L67/10 , H04L41/0213
CPC classification number: H04L41/0803 , G06F9/45558 , G06F9/5077 , H04L12/4641 , H04L41/0806 , H04L41/0893 , H04L41/12 , H04L45/00 , H04L45/02 , H04L61/10 , H04L67/10 , G06F2009/45595 , G06F2209/5011 , H04L41/0213
Abstract: Techniques are described for providing logical networking functionality for managed computer networks, such as for virtual computer networks provided on behalf of users or other entities. In some situations, a user may configure or otherwise specify a network topology for a virtual computer network, such as a logical network topology that separates multiple computing nodes of the virtual computer network into multiple logical sub-networks and/or that specifies one or more logical networking devices for the virtual computer network. After a network topology is specified for a virtual computer network, logical networking functionality corresponding to the network topology may be provided in various manners, such as without physically implementing the network topology for the virtual computer network. In some situations, the computing nodes may include virtual machine nodes hosted on one or more physical computing machines or systems, such as by or on behalf of one or more users.
-
Publication number: US12003380B2
Publication date: 2024-06-04
Application number: US17663289
Application date: 2022-05-13
Applicant: Amazon Technologies, Inc.
Inventor: Eric Jason Brandwine , Kevin Christopher Miller , Andrew J. Doane
IPC: H04L12/28 , G06F9/455 , H04L41/0816 , H04L41/12 , H04L45/02 , H04L45/586 , H04L45/64 , H04L67/00 , H04J1/16 , H04L41/50
CPC classification number: H04L41/12 , G06F9/45558 , H04L41/0816 , H04L45/02 , H04L45/586 , H04L45/64 , H04L67/34 , G06F2009/45595 , H04L41/5096
Abstract: Techniques are described for providing virtual networking functionality for managed computer networks. In some situations, a user may configure or otherwise specify a logical network topology for a managed computer network with multiple computing nodes that includes one or more virtual networking devices each associated with a specified group of the multiple computing nodes. Corresponding networking functionality may be provided for communications between the multiple computing nodes by emulating functionality that would be provided by the networking devices if they were physically present and configured to support the specified network topology. In some situations, the managed computer network is a virtual computer network overlaid on a substrate network, and emulating the networking device functionality includes receiving routing communications directed to the networking devices and using the included routing information to update the specified network topology for the managed computer network.
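An added example of the last sentence of the abstract, written for this page and not code from the patent or from Amazon: an emulated router that exists only as a table, accepts routing communications from the nodes it is associated with, refuses them from anyone else, and answers longest-prefix-match lookups that the substrate uses to pick the encapsulation target for an overlay packet. The message shape (announce lists of prefix and metric pairs, withdraw lists of prefixes) and the lowest-metric tie-break are assumptions of the example.

```python
import ipaddress


class VirtualRouter:
    """Emulated logical router for one group of computing nodes. No packet is ever
    forwarded through it; it only maintains the table the substrate applies."""

    def __init__(self, name: str, member_nodes):
        self.name = name
        self.members = frozenset(member_nodes)  # nodes the logical device is associated with
        self.routes = {}                         # ip_network -> (next-hop node, metric)
        self.rejected = []                       # audit trail of refused routing messages

    @staticmethod
    def _parse(prefix: str):
        try:
            return ipaddress.ip_network(prefix, strict=True)  # host bits set -> malformed
        except ValueError:
            return None

    def receive_routing_message(self, sender: str, announce=(), withdraw=()) -> bool:
        """Routing communication addressed to the emulated device (message shape assumed)."""
        if sender not in self.members:
            # A node outside the device's group cannot reshape the topology.
            self.rejected.append((sender, "sender not in group"))
            return False
        for prefix, metric in announce:
            net = self._parse(prefix)
            if net is None:
                self.rejected.append((sender, f"malformed prefix {prefix}"))
                continue
            current = self.routes.get(net)
            # Lowest metric wins; a sender may always replace its own earlier route.
            if current is None or metric < current[1] or current[0] == sender:
                self.routes[net] = (sender, metric)
        for prefix in withdraw:
            net = self._parse(prefix)
            if net is not None and net in self.routes and self.routes[net][0] == sender:
                del self.routes[net]
        return True

    def next_hop(self, destination: str):
        """Longest-prefix match over the routes the group has announced."""
        addr = ipaddress.ip_address(destination)
        best_net, best_node = None, None
        for net, (node, _metric) in self.routes.items():
            if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
                best_net, best_node = net, node
        return best_node


class Substrate:
    """The physical side: maps node ids to substrate addresses and asks the
    emulated router where an overlay packet should be encapsulated to."""

    def __init__(self, router: VirtualRouter, substrate_addresses: dict):
        self.router = router
        self.substrate = dict(substrate_addresses)

    def encapsulation_target(self, overlay_destination: str):
        node = self.router.next_hop(overlay_destination)
        return self.substrate.get(node)


def build_example():
    """Constructed topology: three member nodes behind one logical router, plus an
    outsider that tries to announce a covering prefix."""
    router = VirtualRouter("vrouter-1", ["vm-a", "vm-b", "vm-c"])
    router.receive_routing_message("vm-b", announce=[("10.0.0.0/16", 5)])
    router.receive_routing_message("vm-a", announce=[("10.0.1.0/24", 10)])
    router.receive_routing_message("vm-c", announce=[("10.0.1.128/25", 1)])
    router.receive_routing_message("vm-z", announce=[("10.0.0.0/8", 0), ("10.0.1.0/24", 0)])
    substrate = Substrate(router, {"vm-a": "172.16.0.11", "vm-b": "172.16.0.12",
                                   "vm-c": "172.16.0.13"})
    return router, substrate
```

The membership check is the security-relevant line: because the device is emulated, the only thing that makes it "the router for this group" is that the table accepts updates from that group alone. An announcement from vm-z with a better metric for a covering prefix would otherwise redirect the whole group's traffic.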
-
Publication number: US11941639B1
Publication date: 2024-03-26
Application number: US16895789
Application date: 2020-06-08
Applicant: Amazon Technologies, Inc.
Inventor: Mahendra M. Chheda , Shawn E. Heidel , Robert J. Jaye , Justin K Brindley-Koonce , Eric Jason Brandwine
IPC: G06Q30/00
CPC classification number: G06Q30/00
Abstract: Embodiments of the present disclosure are directed to, among other things, providing resource allocation advice, configuration recommendations, and/or migration advice regarding data storage, access, placement, and/or related web services. In some examples, a web service may utilize or otherwise control a client instance to control, access, or otherwise manage resources of a distributed system. Based at least in part on one or more resource usage checks and/or configuration checks, resource usage information and/or configuration information of an account utilizing a web service, and/or user preferences and/or settings, resource allocation advice, system configuration recommendations, and/or migration advice may be provided to a user of an account. Additionally, in some examples, one or more remediation operations may be performed automatically.
-
Publication number: US11909586B2
Publication date: 2024-02-20
Application number: US18047239
Application date: 2022-10-17
Applicant: Amazon Technologies, Inc.
Inventor: Daniel Todd Cohn , Eric Jason Brandwine , Andrew J. Doane
IPC: H04L41/0803 , H04L45/02 , H04L41/0806 , H04L41/12 , H04L45/00 , H04L61/10 , G06F9/455 , H04L67/10 , H04L12/46 , G06F9/50 , H04L41/0893 , H04L41/0213
CPC classification number: H04L41/0803 , G06F9/45558 , G06F9/5077 , H04L12/4641 , H04L41/0806 , H04L41/0893 , H04L41/12 , H04L45/00 , H04L45/02 , H04L61/10 , H04L67/10 , G06F2009/45595 , G06F2209/5011 , H04L41/0213
Abstract: Techniques are described for providing logical networking functionality for managed computer networks, such as for virtual computer networks provided on behalf of users or other entities. In some situations, a user may configure or otherwise specify a network topology for a virtual computer network, such as a logical network topology that separates multiple computing nodes of the virtual computer network into multiple logical sub-networks and/or that specifies one or more logical networking devices for the virtual computer network. After a network topology is specified for a virtual computer network, logical networking functionality corresponding to the network topology may be provided in various manners, such as without physically implementing the network topology for the virtual computer network. In some situations, the computing nodes may include virtual machine nodes hosted on one or more physical computing machines or systems, such as by or on behalf of one or more users.
-
Publication number: US20230291556A1
Publication date: 2023-09-14
Application number: US18196750
Application date: 2023-05-12
Applicant: Amazon Technologies, Inc.
Inventor: Gregory Branchek Roth , Matthew James Wren , Eric Jason Brandwine , Brian Irl Pratt
CPC classification number: H04L9/088 , H04L9/0891 , H04L9/321 , H04L9/3247 , H04L9/0618 , H04L9/0643 , H04L9/14 , H04L9/30
Abstract: A system uses information submitted in connection with a request to determine if and how to process the request. The information may be electronically signed by a requestor using a key such that the system processing the request can verify that the requestor has the key and that the information is authentic. The information may include information that identifies a holder of a key needed for processing the request, where the holder of the key can be the system or another, possibly third party, system. Requests to decrypt data may be processed to ensure that a certain amount of time passes before access to the decrypted data is provided, thereby providing an opportunity to cancel such requests and/or otherwise mitigate potential security breaches.
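An added example of the request flow described in the abstract, in Python and not the patent's or Amazon's code: the requester signs the canonical request body with HMAC-SHA256 to prove it holds its key; the signed body names which system holds the key the request needs, so the service either processes it or forwards it; and a decrypt request is held for a cancellable window before any plaintext is released. HMAC with a pre-shared per-requester key, the field names, the timestamp-skew and replay rules and the hold-down length are assumptions; the cipher is an HMAC counter-mode stand-in used only so the example runs without a crypto library.

```python
import hashlib
import hmac
import json
import secrets

def canonical(body: dict) -> bytes:
    """Deterministic encoding so signer and verifier hash identical bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def sign_request(requester_key: bytes, body: dict) -> dict:
    """The requester proves it holds its key with an HMAC-SHA256 tag over the body."""
    return {"body": body, "signature": hmac.new(requester_key, canonical(body), hashlib.sha256).hexdigest()}

def decrypt_request(requester, request_id, ciphertext, timestamp, key_holder="self") -> dict:
    """Request body (field names assumed); key_holder names the system holding the needed key."""
    return {"action": "decrypt", "requester": requester, "request_id": request_id,
            "key_holder": key_holder, "ciphertext": ciphertext, "timestamp": timestamp}

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in cipher (HMAC-SHA256 as a PRF in counter mode): unauthenticated, not the
    patent's cipher, present only to keep the example free of third-party libraries."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)

class KeyService:
    """Verifies signed requests, routes them by key holder, and holds decrypts for a
    window during which they can still be cancelled."""

    def __init__(self, requester_keys: dict, master_key: bytes, decrypt_delay=600, max_skew=300):
        self.requester_keys = requester_keys  # requester id -> pre-shared HMAC key
        self.master_key = master_key
        self.decrypt_delay = decrypt_delay    # seconds a decrypt stays cancellable (assumed)
        self.max_skew = max_skew              # tolerated clock drift on timestamps (assumed)
        self.pending = {}                     # request_id -> (release_at, ciphertext)
        self.cancelled = set()
        self.seen_ids = set()                 # replay guard; a real service would expire entries

    def encrypt(self, plaintext: bytes) -> dict:
        nonce = secrets.token_bytes(16)
        return {"nonce": nonce.hex(), "ct": keystream_xor(self.master_key, nonce, plaintext).hex()}

    def submit(self, signed: dict, now: int) -> dict:
        body, tag = signed["body"], signed["signature"]
        key = self.requester_keys.get(body.get("requester"))
        if key is None:
            return {"status": "rejected", "reason": "unknown requester"}
        expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):  # constant-time comparison
            return {"status": "rejected", "reason": "bad signature"}
        if abs(now - body["timestamp"]) > self.max_skew:
            return {"status": "rejected", "reason": "stale timestamp"}
        if body["request_id"] in self.seen_ids:
            return {"status": "rejected", "reason": "replayed request id"}
        self.seen_ids.add(body["request_id"])
        if body["key_holder"] != "self":  # the signed body says another system holds the key
            return {"status": "forwarded", "to": body["key_holder"]}
        release_at = now + self.decrypt_delay
        self.pending[body["request_id"]] = (release_at, body["ciphertext"])
        return {"status": "pending", "release_at": release_at}

    def cancel(self, request_id: str, now: int) -> bool:
        """Stops a decrypt before its release time; afterwards the plaintext may already be out."""
        entry = self.pending.get(request_id)
        if entry is None or now >= entry[0]:
            return False
        self.cancelled.add(request_id)
        return True

    def release(self, request_id: str, now: int) -> dict:
        if request_id in self.cancelled:
            return {"status": "cancelled"}
        if request_id not in self.pending:
            return {"status": "unknown"}
        release_at, ciphertext = self.pending[request_id]
        if now < release_at:
            return {"status": "pending", "remaining": release_at - now}
        nonce, ct = bytes.fromhex(ciphertext["nonce"]), bytes.fromhex(ciphertext["ct"])
        return {"status": "ok", "plaintext": keystream_xor(self.master_key, nonce, ct)}

def demo() -> dict:
    """Constructed walk-through: a legitimate decrypt, a cancelled one, a forwarded one, a tampered one."""
    app_key = b"app-1-shared-secret"
    svc = KeyService({"app-1": app_key}, master_key=b"provider-master-key")
    blob, out = svc.encrypt(b"payroll Q3: see attached"), {}
    good = sign_request(app_key, decrypt_request("app-1", "req-1", blob, timestamp=1000))
    out["submit"] = svc.submit(good, now=1000)["status"]
    out["early"] = svc.release("req-1", now=1300)["status"]
    out["plaintext"] = svc.release("req-1", now=1600)["plaintext"]
    out["replay"] = svc.submit(good, now=1010)["reason"]
    suspect = sign_request(app_key, decrypt_request("app-1", "req-2", blob, timestamp=2000))
    svc.submit(suspect, now=2000)
    out["cancel"] = svc.cancel("req-2", now=2100)  # noticed inside the window
    out["after_cancel"] = svc.release("req-2", now=2700)["status"]
    third = sign_request(app_key, decrypt_request("app-1", "req-3", blob, 3000, key_holder="partner-hsm"))
    out["forwarded"] = svc.submit(third, now=3000)["to"]
    third["body"]["key_holder"] = "self"  # redirecting the request to our key breaks the tag
    out["tampered"] = svc.submit(third, now=3000)["reason"]
    return out
```

Because the key-holder field is inside the signed body, a request cannot be redirected from a third-party holder to the provider's own key after signing without invalidating the tag. The hold-down window is what turns a compromised requester key from an immediate disclosure into an alarm that can still be acted on; the example leaves open who is authorised to cancel, which in practice is the control that needs the most thought.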
-