Techniques for data routing and management using risk classification and data sampling

US 9,661,011 B1
Filed: 12/17/2014
Issued: 05/23/2017
Est. Priority Date: 12/17/2014
Status: Active Grant

First Claim

Patent Images

1. A system, comprising:

at least one computing device configured to implement one or more services, wherein the one or more services are configured to;

receive risk profiles associated with traffic flows; and

route, based on the risk profiles, the traffic flows by at least;

if a first subset of the risk profiles indicate that a first associated subset of the traffic flows is below or equal to a predetermined first risk level, routing the first associated subset of the traffic flows via a first path;

if a second subset of the risk profiles indicate that a second associated subset of the traffic flows is above the predetermined first risk level and below or equal to a predetermined second risk level, routing the second associated subset of the traffic flows via a second path that is isolated from at least a subset of a population of hosts used by the first path, the subset of the population hosts storing data designated by the system as sensitive; and

if a third subset of the risk profiles indicate that a third associated subset of the traffic flows is above the predetermined second risk level, routing the third associated subset of the traffic flows via a third path that is isolated from the population of hosts.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques described and suggested herein include various systems and methods for determining risk levels associated with transiting data, and routing portions of the data in accordance with the determined risk levels. For example, a risk analyzer may apply risk classifiers to transiting data to determine overall risk levels of some or all of the transiting data. A traffic router may route transiting data according to determined risk profiles for the data. A sandbox may be implemented to compare, for a given input, expected and observed outputs for a subset of transiting data, so as to determine risk profiles associated with at least the subset.

109 Citations

20 Claims

1. A system, comprising:
- at least one computing device configured to implement one or more services, wherein the one or more services are configured to;
  
  receive risk profiles associated with traffic flows; and
  
  route, based on the risk profiles, the traffic flows by at least;
  
  if a first subset of the risk profiles indicate that a first associated subset of the traffic flows is below or equal to a predetermined first risk level, routing the first associated subset of the traffic flows via a first path;
  
  if a second subset of the risk profiles indicate that a second associated subset of the traffic flows is above the predetermined first risk level and below or equal to a predetermined second risk level, routing the second associated subset of the traffic flows via a second path that is isolated from at least a subset of a population of hosts used by the first path, the subset of the population hosts storing data designated by the system as sensitive; and
  
  if a third subset of the risk profiles indicate that a third associated subset of the traffic flows is above the predetermined second risk level, routing the third associated subset of the traffic flows via a third path that is isolated from the population of hosts.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The system of claim 1, wherein:
    - the risk profiles are received from a risk analyzer connected to the system; and
      
      the risk analyzer groups a plurality of network traffic packets into the traffic flows based on the risk profiles.
  - 3. The system of claim 2, wherein the risk analyzer applies risk classifiers to data in the traffic flows so as to determine the risk profiles.
  - 4. The system of claim 1, wherein the one or more quarantined hosts implement mitigation measures specific to the third subset of risk profiles.
  - 5. The system of claim 1, wherein the one or more services are configured to isolate the second path from the subset of the population of hosts used by the first path by increasing a network distance between the subset of the population of hosts and a second subset of the population of hosts used by the second subset.
  - 6. The system of claim 1, wherein:
    - the population of hosts calculate observed risk profiles of the traffic flows routed thereto; and
      
      the services are further configured to receive the observed risk profiles so as to adjust at least one of the predetermined first risk level or the predetermined second risk level.
  - 7. The system of claim 1, wherein the data designated as sensitive includes data designated as confidential by a customer of the system.

8. A computer-implemented method, comprising:
- processing, by a computer system, a plurality of traffic flows to generate risk profiles associated with at least a subset of the plurality of traffic flows, the risk profiles including a risk level quantifying a relative level of risk associated with the subset of the plurality of traffic flows; and
  
  causing, by the computer system, routing of the plurality of traffic flows to be routed according to the generated risk profiles, such that;
  
  if a first subset of the risk profiles indicate that a first associated subset of the plurality of traffic flows has a risk level below or equal to a predetermined first risk level, the first associated subset of the traffic flows is routed via a first path;
  
  if a second subset of the risk profiles indicate that a second associated subset of the traffic flows has a risk level above the predetermined first risk level and below or equal to a predetermined second risk level, the second associated subset of the traffic flows is routed via a second path excluding at least a subset of a population of hosts used by the first path, the subset of the population of hosts storing data designated as sensitive; and
  
  if a third subset of the risk profiles indicate that a third associated subset of the traffic flows has a risk level above the predetermined second risk level, the third associated subset of the traffic flows is routed via a third path that excludes the population of hosts.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The computer-implemented method of claim 8, further comprising processing a plurality of network traffic packets into at least one traffic flow of the plurality of traffic flows based at least in part on at least one of the generated risk profiles.
  - 10. The computer-implemented method of claim 9, further comprising applying risk classifiers to data in the plurality of traffic flows so as to generate the risk profiles.
  - 11. The computer-implemented method of claim 8, wherein hosts associated with the third path implement mitigation measures specific to the third subset of risk profiles.
  - 12. The computer-implemented method of claim 8, wherein the risk profiles are generated based at least in part on one or more attributes associated with the traffic flows.
  - 13. The computer implemented method of claim 12, wherein the one or more attributes include at least one of packet integrity, source reputation, network protocol, destination status, or packet content.
  - 14. The computer-implemented method of claim 8, wherein the data designated as sensitive includes data designated as confidential by a user associated with the data.

15. A non-transitory computer-readable storage medium having stored thereon executable instructions that, when executed by one or more processors of a computer system, cause the computer system to at least:
- segregate, based at least in part on risk profiles associated with a plurality of traffic flows, the plurality of traffic flows by at least;
  
  if a first subset of the risk profiles indicate that a first associated subset of the traffic flows is below or equal to a predetermined first risk level, routing the first associated subset of the traffic flows via a first path;
  
  if a second subset of the risk profiles indicate that a second associated subset of the traffic flows is above the predetermined first risk level and below or equal to a predetermined second risk level, routing the second associated subset of the traffic flows via a second path that is isolated from at least a subset of a population of hosts used by the first path; and
  
  if a third subset of the risk profiles indicate that a third associated subset of the traffic flows is above the predetermined second risk level, routing the third associated subset of the traffic flows via a third path that is isolated from the population of hosts.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The non-transitory computer-readable storage medium of claim 15, wherein the executable instructions, when executed by one or more processors of a computer system, further cause the computer system to at least generate the traffic flows from a plurality of network traffic packets received by the computer system, based at least in part on analysis of the network traffic packets received from a risk analyzer connected to the computer system.
  - 17. The non-transitory computer-readable storage medium of claim 16, wherein the risk analyzer applies risk classifiers to the network traffic packets so as to determine the risk profiles.
  - 18. The non-transitory computer-readable storage medium of claim 15, wherein one or more hosts associated with the third path include mitigation routines specific to the third subset of risk profiles.
  - 19. The non-transitory computer-readable storage medium of claim 15, wherein the third path includes a sandbox that replicates the third subset of traffic flows to further analyze one or more behaviors associated with the third subset of traffic flows.
  - 20. The non-transitory computer-readable storage medium of claim 19, wherein one or more hosts of the third path quarantines at least a portion of the third subset of traffic flows based at least in part on the one or more behaviors.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
McClintock, Jon Arron, Sethi, Tushaar, Van Horenbeeck, Maarten, Anderson, Christopher Michael, Harrison, Katharine Nicole, Jezorek, Matthew Ryan
Primary Examiner(s)
Rahman, Shawnchoy

Application Number

US14/574,306
Time in Patent Office

888 Days
Field of Search
US Class Current
CPC Class Codes

G06N 20/00   Machine learning

H04L 45/70   Routing based on monitoring...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

Techniques for data routing and management using risk classification and data sampling

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

109 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Techniques for data routing and management using risk classification and data sampling

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

109 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links