Techniques for data routing and management using risk classification and data sampling

US 10,511,619 B2
Filed: 05/10/2017
Issued: 12/17/2019
Est. Priority Date: 12/17/2014
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method, comprising:

selecting, by a computer system connected via a network, a traffic sample of data traversing the network;

processing, by the computer system, the traffic sample using a plurality of risk classifiers, by;

determining a plurality of attributes of the traffic sample;

identifying a corresponding subset of the plurality of risk classifiers for the plurality of attributes;

generating, based at least in part on the corresponding subset of risk classifiers, the plurality of attributes, and the traffic sample, a plurality of risk level components that are dependent on outcomes associated with other risk level components generated from other risk classifiers of the plurality of risk classifiers; and

combining the plurality of risk level components to generate an overall risk level for the traffic sample; and

causing, by the computer system, routing on the network of the data based at least in part on the overall risk level.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques described and suggested herein include various systems and methods for determining risk levels associated with transiting data, and routing portions of the data in accordance with the determined risk levels. For example, a risk analyzer may apply risk classifiers to transiting data to determine overall risk levels of some or all of the transiting data. A traffic router may route transiting data according to determined risk profiles for the data. A sandbox may be implemented to compare, for a given input, expected and observed outputs for a subset of transiting data, so as to determine risk profiles associated with at least the subset.

Citations

19 Claims

1. A computer-implemented method, comprising:
- selecting, by a computer system connected via a network, a traffic sample of data traversing the network;
  
  processing, by the computer system, the traffic sample using a plurality of risk classifiers, by;
  
  determining a plurality of attributes of the traffic sample;
  
  identifying a corresponding subset of the plurality of risk classifiers for the plurality of attributes;
  
  generating, based at least in part on the corresponding subset of risk classifiers, the plurality of attributes, and the traffic sample, a plurality of risk level components that are dependent on outcomes associated with other risk level components generated from other risk classifiers of the plurality of risk classifiers; and
  
  combining the plurality of risk level components to generate an overall risk level for the traffic sample; and
  
  causing, by the computer system, routing on the network of the data based at least in part on the overall risk level.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The computer-implemented method of claim 1, wherein the computer system processes a plurality of traffic samples of the data, the plurality of traffic samples including the traffic sample, to generate a plurality of overall risk levels that includes the overall risk level.
  - 3. The computer-implemented method of claim 2, wherein the routing is caused based at least in part on the plurality of overall risk levels.
  - 4. The computer-implemented method of claim 1, wherein the plurality of attributes include at least one of a packet integrity, source reputation, network protocol, destination status, packet content, or a combination thereof.
  - 5. The computer-implemented method of claim 1, wherein the traffic sample is a network packet of the data.
  - 6. The computer-implemented method of claim 1, wherein at least one of the plurality of risk classifiers is associated with another risk classifier in a graph.
  - 7. The computer-implemented method of claim 1, wherein the computer system causes a separate network router to route the data.

8. A system, comprising:
- at least one computing device that implements one or more services that at least;
  
  generate a traffic sample from data traversing a network associated with the at least one computing device;
  
  select a plurality of attributes of the traffic sample;
  
  associate a corresponding plurality of risk classifiers with the plurality of attributes;
  
  process the traffic sample using at least a subset of the plurality of risk classifiers to generate a corresponding plurality of risk level components that are dependent on outcomes associated with other risk level components generated from other risk classifiers of the plurality of risk classifiers; and
  
  determine an overall risk level for the traffic sample based at least in part on the risk level components.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. The system of claim 8, wherein the one or more services further cause routing the data on the network based at least in part on the overall risk level.
  - 10. The system of claim 9, wherein the one or more services further cause a separate network router on the network to route the data.
  - 11. The system of claim 8, wherein at least some of the plurality of risk classifiers are interconnected in a graph.
  - 12. The system of claim 8, wherein the one or more services further omit, based at least in part on a risk level component indicating that the traffic sample is malicious, a risk classifier of the plurality of risk classifiers outside of the subset of the plurality of risk classifiers.
  - 13. The system of claim 8, wherein the data is transacted using at least a link layer protocol.

14. A non-transitory computer-readable storage medium having stored thereon executable instructions that, upon execution by one or more processors of a computer system, cause the computer system to at least:
- select a plurality of attributes of a traffic sample;
  
  associate a corresponding plurality of risk classifiers with the plurality of attributes;
  
  process the traffic sample using at least a subset of the plurality of risk classifiers to generate a corresponding plurality of risk level components that are dependent on outcomes associated with other risk level components generated from other risk classifiers of the plurality of risk classifiers; and
  
  determine a risk level for the traffic sample based at least in part on the risk level components.
- View Dependent Claims (15, 16, 17, 18, 19)
- - 15. The non-transitory computer-readable storage medium of claim 14, wherein the instructions further cause the computer system to provide, to a separate risk analyzer, a comparison of an expected behavior of the traffic sample and an observed behavior of the traffic sample, so as to train one or more of the plurality of risk classifiers.
  - 16. The non-transitory computer-readable storage medium of claim 15, wherein the instructions further cause the computer system to generate the observed behavior by at least providing an input to the traffic sample using the plurality of attributes.
  - 17. The non-transitory computer-readable storage medium of claim 14, wherein the instructions further cause the computer system to adjust a size of the traffic sample relative to a quantity of data based on a risk profile associated with the data.
  - 18. The non-transitory computer-readable storage medium of claim 14, wherein the instructions further cause the computer system to process the traffic sample in an environment isolated from a destination associated with the traffic sample.
  - 19. The non-transitory computer-readable storage medium of claim 14, wherein the instructions further cause the computer system to process the traffic sample to determine a specific threat associated with the traffic sample.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Van Horenbeeck, Maarten, Anderson, Christopher Michael, Harrison, Katharine Nicole, Jezorek, Matthew Ryan, McClintock, Jon Arron, Sethi, Tushaar
Primary Examiner(s)
Rahman, Shawnchoy

Application Number

US15/592,058
Publication Number

US 20170244739A1
Time in Patent Office

951 Days
Field of Search
US Class Current
CPC Class Codes

G06N 20/00   Machine learning

H04L 45/70   Routing based on monitoring...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

Techniques for data routing and management using risk classification and data sampling

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Techniques for data routing and management using risk classification and data sampling

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links