Correlating threat information across sources of distributed computing systems

US 10,333,962 B1
Filed: 03/30/2016
Issued: 06/25/2019
Est. Priority Date: 03/30/2016
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method, comprising:

obtaining access to a set of logs generated by a set of computing resources associated with a customer, the set of computing resources maintained by a computing resource service provider and connected by a network operated by the computing resource service provider;

generating threat information by at least correlating at least a first portion of the set of logs and a second portion of the set of logs based at least in part on a first computing resource of the set of computing resources responsible for generating the first portion of the set of logs and a second computing resource of the set of computing resources responsible for generating the second portion of the set of logs;

correlating the generated threat information with at least some other threat information obtained from an additional service of the computing resource service provider to generate correlated threat information, the other threat information comprises a different set of logs based at least in part on the additional service responsible for generating the different set of logs;

providing the correlated threat information to the customer andwherein, generating the threat information further comprises anonymizing the first portion of the set of logs and the second portion of the set of logs by at least removing operational information referencing the customer.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Customers of a computing resource service provider may operate one or more computing resources provided by the computing resource service provider. In addition, the customers may implement security applications and/or devices using the one or more computing resources provided by the computing resource service provider. Operational information from customer operated computing resources may be correlated with operational information from computing resources operated by the computing resource service provider or other entities and correlated threat information may be generated. Anomalous activity may be detected based at least in part on the correlated threat information.

120 Citations

20 Claims

1. A computer-implemented method, comprising:
- obtaining access to a set of logs generated by a set of computing resources associated with a customer, the set of computing resources maintained by a computing resource service provider and connected by a network operated by the computing resource service provider;
  
  generating threat information by at least correlating at least a first portion of the set of logs and a second portion of the set of logs based at least in part on a first computing resource of the set of computing resources responsible for generating the first portion of the set of logs and a second computing resource of the set of computing resources responsible for generating the second portion of the set of logs;
  
  correlating the generated threat information with at least some other threat information obtained from an additional service of the computing resource service provider to generate correlated threat information, the other threat information comprises a different set of logs based at least in part on the additional service responsible for generating the different set of logs;
  
  providing the correlated threat information to the customer andwherein, generating the threat information further comprises anonymizing the first portion of the set of logs and the second portion of the set of logs by at least removing operational information referencing the customer.
- View Dependent Claims (2, 3, 4)
- - 2. The computer-implemented method of claim 1, wherein correlating the threat information with the at least some other threat information further comprises correlating the threat information with other threat information obtained from one or more other customers of the computing resource service provider, the other threat information generated by at least correlating a set of additional logs generated by a set of additional computing resources operated by the one or more other customers.
  - 3. The computer-implemented method of claim 1, wherein the anonymizing comprises removing metadata corresponding to the customer.
  - 4. The computer-implemented method of claim 3, wherein correlating the threat information with the at least some other threat information further comprises correlating the threat information with other threat information obtained from the computing resource service provider, the other threat information generated by at least correlating information obtained from computing resources operated by the computing resource service provider.

5. A system, comprising:
- one or more processors; and
  
  memory that includes instructions that, as a result of execution by the one or more processors, cause the system to;
  
  generate threat information by at least;
  
  obtaining first operational information from a first set of computing resources operated by a customer;
  
  obtaining second operational information from a second set of computing resources maintained by a computing resource service provider;
  
  anonymizing the first operational information and the second operational information based at least in part on removing information referencing the customer from the first and second operational information;
  
  obtaining one or more events included in the anonymized first operational information and anonymized second operational information; and
  
  correlating the one or more events included in the anonymized first operational information and anonymized second operational information;
  
  correlate the generated threat information with additional threat information, where the additional threat information is determined based at least in part on correlating additional operational information obtained from another system; and
  
  provide the threat information to at least one other system.
- View Dependent Claims (6, 7, 8, 9, 10, 11, 12)
- - 6. The system of claim 5, wherein obtaining first operational information further comprises obtaining configuration information associated with the first set of computing resources, where the configuration information includes one or more settings provided by the customer.
  - 7. The system of claim 6, wherein the configuration information further comprises a configuration file associated with an application executed by the first set of computing resources.
  - 8. The system of claim 6, wherein the configuration information further comprises settings for a virtual machine instance included in the first set of computing resources.
  - 9. The system of claim 5, wherein providing the threat information to at least one other system further comprises providing the customer with a suggestion, the suggestion determined based at least in part on the threat information.
  - 10. The system of claim 9, wherein the memory further comprises instructions that, as a result of execution by the one or more processors, cause the system to detect anomalous activity based at least in part on the threat information.
  - 11. The system of claim 5, wherein the other system is operated by a second customer.
  - 12. The system of claim 11, the memory further comprises instructions that, as a result of execution by the one or more processors, cause the system to transmit an alarm to the customer and the second customer as a result of detecting anomalous activity by at least correlating the threat information with additional threat information.

13. A non-transitory computer-readable storage medium having stored thereon executable instructions that, as a result of being executed by one or more processors of a computer system, cause the computer system to at least:
- obtain a first set of operational information from a first set of computing resources operated by a customer;
  
  obtain a second set of operational information from a second set of computing resources, the first set of computing resources and the second set of computing resources provided by a computing resource service provider and connected by a network operated by the computing resource service provider;
  
  anonymize the first set of operational information and the second set of operational information, based at least in part on removing information referencing the customer from the first and second sets of operational information;
  
  correlate the anonymized first set of operational information and the anonymized second set of operational information;
  
  detect anomalous activity based at least in part on a result of correlating the anonymized first set of operational information and the anonymized second set of operational information;
  
  obtain a third set of operational information from a third set of computing resources; and
  
  correlate the third set of operational information and the result of correlating the anonymized first set of operational information and the anonymized second set of operational information.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20)
- - 14. The non-transitory computer-readable storage medium of claim 13, wherein the instructions that cause the computer system to obtain the anonymized first set of operational information further include instructions that cause the computer system to:
    - obtain the anonymized first set of operational information for plurality of computing resources distributed within a second network associated with the customer; and
      
      correlate a first portion of the first set of operational information with a second portion of the first set of operational information based at least in part on a first computing resource of the plurality of computing resources associated with the first portion of the first set of operational information and a second computing resource of the plurality of computing resources associated with the second portion of the first set of operational information.
  - 15. The non-transitory computer-readable storage medium of claim 13, wherein the third set of computing resources is operated by another customer.
  - 16. The non-transitory computer-readable storage medium of claim 13, wherein the third set of computing resources is operated by the computing resource service provider.
  - 17. The non-transitory computer-readable storage medium of claim 13, wherein the instructions further comprise instructions that, as a result of being executed by the one or more processors, cause the computer system to receive, from the customer, a request to update security settings associated with the first set of computing resources as a result of detecting anomalous activity.
  - 18. The non-transitory computer-readable storage medium of claim 17, wherein the instructions further comprise instructions that, as a result of being executed by the one or more processors, cause the computer system to modify security settings associated with the first set of computing resources as a result of detecting anomalous activity without a corresponding customer request to modify the security settings.
  - 19. The non-transitory computer-readable storage medium of claim 13, wherein the instructions that cause the computer system to correlate the first set of operational information and the second set of operational information further include instructions that cause the computer system to correlate the first set of operational information and the second set of operational information using a machine learning algorithm.
  - 20. The non-transitory computer-readable storage medium of claim 13, wherein the instructions further comprise instructions that, as a result of being executed by the one or more processors, cause the computer system to mitigate the anomalous activity as a result of detecting the anomalous activity.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Brandwine, Eric Jason, Lucas, Alexander Robin Gordon, Fitzgerald, Robert Eric
Primary Examiner(s)
Homayounmehr, Farid
Assistant Examiner(s)
Bucknor, Olanrewaju J.

Application Number

US15/085,554
Time in Patent Office

1,182 Days
Field of Search

None
US Class Current
CPC Class Codes

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

Correlating threat information across sources of distributed computing systems

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

120 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Correlating threat information across sources of distributed computing systems

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

120 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links