Abstract: Systems and methods are disclosed herein for enforcing digital signature on a token useable by a network-addressable device to invoke service calls on services of a service provider. A device platform service of the service provider may receive service calls from the network-addressable device and cause one or more operations to be performed by other services of the service provider in response to receiving a notification that the request is authentic. An authentication service analyses a fingerprint associated with a request submitted by the device and determines whether it is a match to a fingerprint generated from cryptographic authentication information provided by the user in connection with registering the network-addressable device.

Abstract: Systems and methods are disclosed herein for enforcing digital signature on a token useable by a network-addressable device to invoke service calls on services of a service provider. A device platform service of the service provider may receive service calls from the network-addressable device and cause one or more operations to be performed by other services of the service provider in response to receiving a notification that the request is authentic. An authentication service analyses a fingerprint associated with a request submitted by the device and determines whether it is a match to a fingerprint generated from cryptographic authentication information provided by the user in connection with registering the network-addressable device.

Abstract: Systems and methods are described to enable mitigation of network attacks in communication networks. When a network attack is detected, packets within the communication network are routed through a hierarchical mitigation system, which includes at least two tiers of mitigation devices configured to apply mitigation techniques to the packets. Outer tiers of the hierarchical mitigation system (e.g., closer to an edge of the communication network) can apply simple mitigation techniques that are efficient even when distributed, and which provide early mitigation for attack packets while not requiring large amounts of computing resources. Inner tiers of the hierarchical mitigation system (e.g., closer to a destination device) can apply more complex mitigation systems that may require centralized application, and which provide more robust mitigation at a potentially higher computing resource cost.

Abstract: This disclosure generally relates to the generation of a packet signature for packets determined to correspond to a network attack, such as a denial of service (“DoS”) attack. Specifically, a set of data packets captured during normal system operations can be analyzed to determine a set of baseline attributes. Additional packets captured during an attack can be compared to the baseline attributes, to determine, for individual packets, a probability that the packet forms a part of the attack. A packet signature can then be generated to identify attributes that are characteristic of the attack. That signature can then be used to filter out packets and mitigate the attack.

Abstract: This disclosure generally relates to the generation of a packet signature for packets determined to correspond to a network attack, such as a denial of service (“DoS”) attack. Specifically, a set of data packets captured during normal system operations can be analyzed to determine a set of baseline attributes. Additional packets captured during an attack can be compared to the baseline attributes, to determine, for individual packets, a probability that the packet forms a part of the attack. A packet signature can then be generated to identify attributes that are characteristic of the attack. That signature can then be used to filter out packets and mitigate the attack.

Abstract: A pattern recognition security system (“PRSS”) generates a packet signature from network traffic, including attack packets. The PRSS can utilize a statistical pattern recognition based approach to generate attack traffic signatures, such as for DDoS or DoS attacks. In some embodiments, the PRSS dynamically creates training sets from actual captured data, allowing the PRSS to adapt to changes in network attacks. For example, more sophisticated DDoS attacks commonly rotate through different attacking computers to vary the packet attributes of attack packets sent to a target system. However, as the PRSS can determine packet signatures based on the actual captured data packets, the PRSS can adapt to the changes in the attack. In some embodiments, the PRSS may determine packet signatures in real-time or near real time during an attack, allowing the PRSS to quickly react to changes in attack traffic.