Computer threat analysis service

US 10,521,584 B1
Filed: 08/28/2017
Issued: 12/31/2019
Est. Priority Date: 08/28/2017
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method, comprising:

collecting diagnostic information from a plurality of customer computing resources;

generating event records from the diagnostic information, each event record describing a set of attributes of a corresponding event produced by a customer computing resource;

generating a graph of correlated event records where individual event records are represented by individual nodes of the graph and each edge of the graph links a pair of event records by a matching attribute;

using the graph to identify a link between event records associated with different customer computing resources of different service types; and

detecting a security event in the plurality of computing resources based at least in part on the link between the event records.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system acquires diagnostic information from event logs, trace files, and other diagnostic sources to reduce a set of event records. The event records are arranged in a graph based on correlations between individual event records. Correlations may be based on time, account, credentials, tags, instance identifiers, or other characteristics. The system analyzes the graph to identify anomalies such as data exfiltration anomalies, system compromises, or security events. In some implementations, the system deploys decoy resources within a customer computing environment. Interactions with the decoy resources are captured as event records and added to the graph.

56 Citations

View as Search Results

20 Claims

1. A computer-implemented method, comprising:
- collecting diagnostic information from a plurality of customer computing resources;
  
  generating event records from the diagnostic information, each event record describing a set of attributes of a corresponding event produced by a customer computing resource;
  
  generating a graph of correlated event records where individual event records are represented by individual nodes of the graph and each edge of the graph links a pair of event records by a matching attribute;
  
  using the graph to identify a link between event records associated with different customer computing resources of different service types; and
  
  detecting a security event in the plurality of computing resources based at least in part on the link between the event records.
- View Dependent Claims (2, 3, 4)
- - 2. The computer-implemented method of claim 1, wherein collecting the diagnostic information is accomplished at least in part by retrieving log entries from a log file, acquiring event records from an event logging service, or reading a trace file produced by a computer system.
  - 3. The computer-implemented method of claim 1, further comprising deploying a decoy computing resource into a customer computing environment that includes the customer computing resources.
  - 4. The computer-implemented method of claim 3, further comprising:
    - configuring a virtual machine instance based at least in part on the configuration of the customer computing resources;
      
      connecting the virtual machine instance to a computer network connected to the customer computing resources; and
      
      generating additional event records using diagnostic information generated by the virtual machine instance.

5. A system, comprising:
- one or more processors; and
  
  memory storing computer-executable instructions that, if executed by the one or more processors, cause the system to;
  
  generate a graph of event records, the event records describing events in a computing system, individual event records represented by individual nodes of the graph, and each edge of the graph links a pair of event records by a matching attribute;
  
  identify a path between a pair of records in the graph, the path including one or more links in the graph, the pair of records associated with events produced by different service types;
  
  identify an anomaly in operation of the computing system based at least in part on the path between the pair of records in the graph; and
  
  indicate the anomaly.
- View Dependent Claims (6, 7, 8, 9, 10, 11, 12)
- - 6. The system of claim 5, wherein:
    - the graph of event records is stored as a data structure in data memory accessible to the one or more processors;
      
      the graph identifies at least one event record as representing a compromise of the computing system; and
      
      the graph identifies at least one event record as representing an action that is potentially harmful to the computing system.
  - 7. The system of claim 5, wherein identifying an anomaly is accomplished at least in part by:
    - determining that the graph includes a first event record that represents a compromise of the computing system;
      
      determining that the graph includes a second event record that represents potential harm; and
      
      determining, based at least in part on information in the graph of event records, that there is a path between the first event record and the second event record.
  - 8. The system of claim 5, wherein the computer-executable instructions further cause the system to:
    - deploy a decoy resource into an environment shared with the computing system;
      
      unsecure the decoy resource;
      
      generate a new event record as a result of detecting an interaction with the decoy resource; and
      
      add the new event record to the graph.
  - 9. The system of claim 8, wherein:
    - the decoy resource is a decoy computer system that retains a credential; and
      
      the interaction is an attempted use of the credential.
  - 10. The system of claim 8, wherein:
    - the decoy resource is a file on a customer file system maintained by the computing system; and
      
      the interaction is an attempted access of the file.
  - 11. The system of claim 8, wherein:
    - the decoy resource is a virtual network generated by the system; and
      
      the interaction is an attempt to establish a connection to an entity within the virtual network.
  - 12. The system of claim 8, wherein:
    - the decoy resource is a data record on a customer database used by the computing system; and
      
      the interaction is the execution of a database command that attempts to access the data record.

13. A non-transitory computer-readable storage medium storing executable instructions that, as a result of being executed by one or more processors of a computer system, cause the computer system to at least:
- generate a graph of event records, the event records describing events in a customer computer system, the graph including links between event records with a matching characteristic;
  
  identify a correlation between a first record in the graph and a second record in the graph, the correlation represented by a set of links in the graph, the first record and the second record associated with events produced by different service types; and
  
  identify an anomaly in operation of the customer computer system based at least in part on the correlation.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20)
- - 14. The non-transitory computer-readable storage medium of claim 13, wherein:
    - the graph includes a first graph portion that includes a first set of records that share a first characteristic;
      
      the graph includes a second graph portion that includes a second set of records that share a second characteristic;
      
      the first record in the first set of records and a second record in the second set of records share a third characteristic; and
      
      the first graph portion and the second graph portion are linked by the first record and the second record.
  - 15. The non-transitory computer-readable storage medium of claim 13, wherein:
    - the event records are acquired by the computer system from a plurality of customer computing systems connected to a customer network; and
      
      the event records describe events that are generated by the plurality of computing systems.
  - 16. The non-transitory computer-readable storage medium of claim 13, wherein the matching characteristic of the event records is a user credential used to generate events corresponding to the event records.
  - 17. The non-transitory computer-readable storage medium of claim 13, wherein:
    - the matching characteristic of the event records is a time span during which the events corresponding to the event records occurred; and
      
      the time span including a range that indicates that the events corresponding to the event records are correlated.
  - 18. The non-transitory computer-readable storage medium of claim 13, wherein the instructions further comprise instructions that, as a result of being executed by the one or more processors, cause the computer system to:
    - create a decoy resource that is accessible to the customer computer system;
      
      detect an interaction with the decoy resource;
      
      generate a new event record as a result of the interaction; and
      
      add the new event record to the graph, the event record indicating a compromise of the customer computer system.
  - 19. The non-transitory computer-readable storage medium of claim 18, wherein:
    - the decoy resource is a storage volume deployed on a network-connected storage device; and
      
      the interaction is an attempt to access the storage volume.
  - 20. The non-transitory computer-readable storage medium of claim 13, wherein the instructions further comprise instructions that, as a result of being executed by the one or more processors, cause the computer system to:
    - deploy a cryptographic key on a key management server;
      
      determine that the cryptographic key has been used based at least in part on encrypted data or a digital signature created using the cryptographic key; and
      
      generate a new event record that indicates that the key management server has been compromised.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Sharifi Mehr, Nima
Primary Examiner(s)
Smithers, Matthew

Application Number

US15/688,811
Time in Patent Office

855 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/56   Computer malware detection ...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

H04L 63/1491   using deception as counterm...

Computer threat analysis service

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

56 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Computer threat analysis service

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

56 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links