Correlating threat information across sources of distributed computing systems
Abstract
Customers of a computing resource service provider may operate one or more computing resources provided by the computing resource service provider. In addition, the customers may implement security applications and/or devices using the one or more computing resources provided by the computing resource service provider. Operational information from customer operated computing resources may be correlated with operational information from computing resources operated by the computing resource service provider or other entities and correlated threat information may be generated. Anomalous activity may be detected based at least in part on the correlated threat information.
20 Claims
1. A computer-implemented method, comprising:
obtaining access to a set of logs generated by a set of computing resources associated with a customer, the set of computing resources maintained by a computing resource service provider and connected by a network operated by the computing resource service provider;
generating threat information by at least correlating at least a first portion of the set of logs and a second portion of the set of logs based at least in part on a first computing resource of the set of computing resources responsible for generating the first portion of the set of logs and a second computing resource of the set of computing resources responsible for generating the second portion of the set of logs;
correlating the generated threat information with at least some other threat information obtained from an additional service of the computing resource service provider to generate correlated threat information, the other threat information comprises a different set of logs based at least in part on the additional service responsible for generating the different set of logs;
providing the correlated threat information to the customer and wherein generating the threat information further comprises anonymizing the first portion of the set of logs and the second portion of the set of logs by at least removing operational information referencing the customer.
(Dependent claims: 2, 3, 4)
5. A system, comprising:
one or more processors; and
memory that includes instructions that, as a result of execution by the one or more processors, cause the system to:
generate threat information by at least:
obtaining first operational information from a first set of computing resources operated by a customer;
obtaining second operational information from a second set of computing resources maintained by a computing resource service provider;
anonymizing the first operational information and the second operational information based at least in part on removing information referencing the customer from the first and second operational information;
obtaining one or more events included in the anonymized first operational information and anonymized second operational information; and
correlating the one or more events included in the anonymized first operational information and anonymized second operational information;
correlate the generated threat information with additional threat information, where the additional threat information is determined based at least in part on correlating additional operational information obtained from another system; and
provide the threat information to at least one other system.
(Dependent claims: 6, 7, 8, 9, 10, 11, 12)
13. A non-transitory computer-readable storage medium having stored thereon executable instructions that, as a result of being executed by one or more processors of a computer system, cause the computer system to at least:
obtain a first set of operational information from a first set of computing resources operated by a customer;
obtain a second set of operational information from a second set of computing resources, the first set of computing resources and the second set of computing resources provided by a computing resource service provider and connected by a network operated by the computing resource service provider;
anonymize the first set of operational information and the second set of operational information, based at least in part on removing information referencing the customer from the first and second sets of operational information;
correlate the anonymized first set of operational information and the anonymized second set of operational information;
detect anomalous activity based at least in part on a result of correlating the anonymized first set of operational information and the anonymized second set of operational information;
obtain a third set of operational information from a third set of computing resources; and
correlate the third set of operational information and the result of correlating the anonymized first set of operational information and the anonymized second set of operational information.
(Dependent claims: 14, 15, 16, 17, 18, 19, 20)
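As an added example (not code from the patent or its assignee), the pipeline the independent claims describe in miniature: logs from two customer-operated resources are stripped of customer-referencing fields before any correlation, correlated by the resource that generated them, then joined with threat information from an additional provider service to flag anomalous activity. The log records, field names and the provider-side service are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample logs from two customer-operated resources ("web-1", "db-1").
# Field names are assumptions; "customer" and "account_id" reference the customer.
CUSTOMER_LOGS = [
    {"resource": "web-1", "customer": "acme", "account_id": "111122223333",
     "src_ip": "203.0.113.7", "event": "auth_fail", "minute": 12},
    {"resource": "web-1", "customer": "acme", "account_id": "111122223333",
     "src_ip": "203.0.113.7", "event": "auth_fail", "minute": 13},
    {"resource": "db-1", "customer": "acme", "account_id": "111122223333",
     "src_ip": "203.0.113.7", "event": "auth_fail", "minute": 13},
    {"resource": "db-1", "customer": "acme", "account_id": "111122223333",
     "src_ip": "198.51.100.9", "event": "auth_fail", "minute": 14},
]
# Constructed threat information from an additional provider service (a hypothetical
# provider-wide scan detector); it already carries no customer-referencing fields.
PROVIDER_THREAT_INFO = [{"src_ip": "203.0.113.7", "event": "port_scan", "minute": 11}]

CUSTOMER_FIELDS = ("customer", "account_id")
WINDOW = 5  # minutes; events in the same window are eligible for correlation

def anonymize(logs):
    """Drop every field that references the customer before any correlation."""
    return [{k: v for k, v in e.items() if k not in CUSTOMER_FIELDS} for e in logs]

def correlate_by_resource(logs):
    """Per source IP and window, collect which generating resources saw a failed
    login; an IP failing on more than one resource becomes threat information."""
    seen = defaultdict(lambda: defaultdict(set))
    for e in logs:
        if e["event"] == "auth_fail":
            seen[e["src_ip"]][e["minute"] // WINDOW].add(e["resource"])
    return {ip: sorted({r for rs in wins.values() if len(rs) > 1 for r in rs})
            for ip, wins in seen.items()}

def correlate_with_provider(threat_info, provider_info):
    """Join customer-derived threat information with the additional service's."""
    flagged = {t["src_ip"] for t in provider_info}
    return {ip: {"resources": res, "provider_flagged": ip in flagged}
            for ip, res in threat_info.items()}

def detect_anomalies(correlated):
    """Anomalous: multi-resource failures that the provider service also flagged."""
    return sorted(ip for ip, i in correlated.items()
                  if i["provider_flagged"] and len(i["resources"]) > 1)

def run_pipeline(customer_logs=CUSTOMER_LOGS, provider_info=PROVIDER_THREAT_INFO):
    anon = anonymize(customer_logs)
    if any(f in e for e in anon for f in CUSTOMER_FIELDS):  # verify before sharing
        raise ValueError("customer-referencing field survived anonymization")
    correlated = correlate_with_provider(correlate_by_resource(anon), provider_info)
    return correlated, detect_anomalies(correlated)
```

The anonymization check in `run_pipeline` is the point a practitioner would not skip: the correlation output is what leaves the customer's boundary, so the stripped fields are verified before it is built.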