Patents by Inventor Nima Sharifi

Nima Sharifi has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 12003540
    Abstract: The present document describes a communication session resumption mechanism. A client computer system establishes a communication session to a server computer that is a member of a set of related server computers. As a result of establishing the communication session, the server computer identifies the set of related server computers to the client computer system. The set of related server computers share communication session information with each other, allowing the client computer system to resume the communication session with another server computer belonging to the set of related server computers. The communication session may be specified to the other server computer by the client computer system by providing a session identifier or a session ticket.
    Type: Grant
    Filed: March 9, 2021
    Date of Patent: June 4, 2024
    Assignee: Amazon Technologies, Inc.
    Inventor: Nima Sharifi Mehr
  • Patent number: 11916895
    Abstract: A network-connected device service receives a request to authenticate a network-connected device. The network-connected device service determines, from a digital certificate identified in the request, a set of parameters of the digital certificate. The network-connected device service utilizes the set of parameters to identify, from a set of digital certificate clusters, a digital certificate cluster associated with the set of parameters. Through an audit of the digital certificate clusters, the network-connected device service determines whether the digital certificate cluster is indicative of the digital certificate being anomalous.
    Type: Grant
    Filed: November 1, 2018
    Date of Patent: February 27, 2024
    Assignee: Amazon Technologies, Inc.
    Inventor: Nima Sharifi Mehr
  • Patent number: 11888745
    Abstract: Network devices, such as load balancers, may be configured to forward client metadata to back-end nodes using defined fields of a security protocol. For example, client metadata may be inserted into an extension field or certificate defined by a security protocol that is used for a secure connection between the load balancer and the back-end node. In some instances, a source IP address based on a received request may be inserted into the extension field or certificate defined by the security protocol before the request is forwarded to the back-end node. The back-end node may extract the client metadata and use the client metadata for any of a number of processes (e.g., billing, tracking, security, logging, etc.).
    Type: Grant
    Filed: May 15, 2020
    Date of Patent: January 30, 2024
    Assignee: Amazon Technologies, Inc.
    Inventor: Nima Sharifi Mehr
  • Publication number: 20240029889
    Abstract: A method for machine learning-based disease diagnosis and treatment of a subject. The method includes obtaining a clinical data set, obtaining a para-clinical data set, detecting a first status by applying a first classifier to the clinical data set, detecting a second status by applying a second classifier to the para-clinical data set, detecting a final status by applying a first ensemble model to the first status and the second status, and determining a treatment plan of the subject based on the final status. The clinical data set is associated with clinical symptoms of the subject. The para-clinical data set includes at least one of a plurality of medical images, a plurality of biomedical signals, and a plurality of para-clinical test results of the subject. Each of the first status, the second status, and the final status represents one of illness or healthiness of the subject.
    Type: Application
    Filed: July 24, 2023
    Publication date: January 25, 2024
    Applicants: Amirkabir University of tech.
    Inventors: Nima Sharifi Sadeghi, Sayyed Hassan Saadat Mirghadim, Mohammad Bagher Menhaj
  • Patent number: 11842224
    Abstract: Client application (112) submits request (118) to resource status service (110) for resource status data (“data”) regarding one or more computing resources (108) provided in a service provider network (102). The resource status service submits requests to the resources for the data. The resource status service provides a reply to the client application that includes any data received from the resources within a specified time. If all requested data was not received from the resources within the specified time the resource status service can also provide, in the reply, an identifier (“ID”) that identifies the request and can be utilized to identify and retrieve additional status data received at a later time. The client application can also submit additional requests for the status data, and may include the ID, may wait for additional data to be pushed to it, or may check a queue for the status data.
    Type: Grant
    Filed: September 1, 2017
    Date of Patent: December 12, 2023
    Assignee: Amazon Technologies, Inc.
    Inventor: Nima Sharifi Mehr
  • Patent number: 11729171
    Abstract: Disclosed are various embodiments for preventing the unintended leakage of cookie data. In one embodiment, a browser application stores cookie data from a first network site having a high-level domain in a client computing device. The cookie data includes a sharing attribute. The cookie data is automatically made accessible to the first network site. A network service is queried to obtain data indicating a classification associated with the first network site. The cookie data is made accessible to a second network site having the same high-level domain based at least in part on the sharing attribute and the classification meeting at least one predetermined criterion.
    Type: Grant
    Filed: August 6, 2021
    Date of Patent: August 15, 2023
    Assignee: Amazon Technologies, Inc.
    Inventors: Muhammad Wasiq, Nima Sharifi Mehr
  • Patent number: 11627136
    Abstract: A system can determine a set of users to access an asset of a computing device. User data for a user in the set of users is obtained. The user data can specify organizational information for the user. The system can determine a value usable to regulate access to the asset. The value can be based on the organizational information for the user, and the value can be further based on other user data attributed to another user in the set of users. Based on the determined value, the system can regulate access to the asset.
    Type: Grant
    Filed: September 18, 2020
    Date of Patent: April 11, 2023
    Assignee: Amazon Technologies, Inc.
    Inventor: Nima Sharifi Mehr
  • Patent number: 11611580
    Abstract: Various embodiments of apparatuses and methods for malware infection detection for edge devices, such as IoT (“Internet of Things”) devices, are described. In some embodiments, a malware infection detection service receives data from a plurality of edge devices of a remote network. It can identify a variety of different detection mechanisms to detect whether an edge device is potentially infected with malware, and determine confidence levels for the different detection mechanisms. Using the detection mechanisms with the received data, it can determine one or more findings that an edge device is potentially infected with malware. It can then determine a confidence level for each finding. It can then determine an accumulated confidence, based on the confidence levels of the detection mechanisms and the findings. The malware infection detection service might then identify one or more of the edge devices as potentially being infected by malware based on the accumulated confidence.
    Type: Grant
    Filed: March 2, 2020
    Date of Patent: March 21, 2023
    Assignee: Amazon Technologies, Inc.
    Inventors: Nima Sharifi Mehr, Amit Jagannath Mhatre
  • Patent number: 11595372
    Abstract: Techniques for data source driven expected network policy control are described. A policy enforcement service receives, from a compute instance in a virtual network implemented within a service provider system, a request to access data. The policy enforcement service determines that a virtual network security condition of a policy statement is not satisfied. The policy statement was configured by a user for use in controlling access to the data. The virtual network security condition defines a condition of the virtual network that is to be met. The policy enforcement service performs one or more security actions in response to the determination that the virtual network security condition of the policy statement is not satisfied.
    Type: Grant
    Filed: August 28, 2017
    Date of Patent: February 28, 2023
    Assignee: Amazon Technologies, Inc.
    Inventor: Nima Sharifi Mehr
  • Patent number: 11588855
    Abstract: A customer of a policy management service may use an interface with a configuration and management service to interact with policies that may be applicable to the customer's one or more resources. The customer may create and/or modify the policies and the configuration and management service may notify one or more other entities of the created and/or modified policies. The one or more other entities may be operated by a user authorized to approve the created and/or modified policies. Interactions with the configuration and management service may be the same as the interactions with the policy management service.
    Type: Grant
    Filed: March 5, 2020
    Date of Patent: February 21, 2023
    Assignee: Amazon Technologies, Inc.
    Inventors: William Frederick Kruse, Nima Sharifi Mehr
  • Patent number: 11558388
    Abstract: A policy management service receives a request to evaluate a provisional policy to determine the impact of implementation of the provisional policy. The policy management service evaluates an active policy against a request to access a computing resource to determine an authorization decision. The policy management service then evaluates the provisional policy against the request to access the computing resource to generate an evaluation of the provisional policy. The policy management service provides the evaluation and the authorization decision in response to the request to evaluate the provisional policy.
    Type: Grant
    Filed: April 15, 2019
    Date of Patent: January 17, 2023
    Assignee: Amazon Technologies, Inc.
    Inventors: William Frederick Hingle Kruse, Nima Sharifi Mehr
  • Patent number: 11537706
    Abstract: A service provider receives a set of credentials from a customer and a request to access one or more services provided by the service provider. An authentication service of the service provider receives the set of credentials and, based at least in part on the received set of credentials, one or more activities performed by the customer, the customer's user profile, and the system configuration of the customer's computing device, calculates a risk score. The authentication service subsequently utilizes the calculated risk score to determine a credential rotation schedule for the set of credentials. The authentication service updates one or more servers to enforce the new credential rotation schedule and enables the customer to utilize the set of credentials to access the one or more services.
    Type: Grant
    Filed: December 19, 2014
    Date of Patent: December 27, 2022
    Assignee: Amazon Technologies, Inc.
    Inventor: Nima Sharifi Mehr
  • Patent number: 11509693
    Abstract: A customer of a resource allocation service can register a function to be executed using virtual resources, where the function includes customer code to be executed. Customer events are defined as triggers for a registered function, and a resource instance is allocated to execute the registered function when a triggering event is detected. An identity role associated with the triggering function is used to obtain access credentials for any data source which a triggering event might require for processing. An event-specific access credential is generated that provides a subset of these access privileges using a template policy for the registered function that is filled with values specific to the triggering event. The filled template policy and base credential are used to generate an event-specific credential valid only for access needed for the event. This event-specific credential can be passed with the event data for processing by an allocated instance.
    Type: Grant
    Filed: March 27, 2020
    Date of Patent: November 22, 2022
    Assignee: Amazon Technologies, Inc.
    Inventor: Nima Sharifi Mehr
  • Patent number: 11489853
    Abstract: Various embodiments of apparatuses and methods for distributed threat sensor data collection and data export of a malware threat intelligence system are described. In some embodiments, the system comprises a plurality of threat sensors, deployed at different network addresses and physically located in different geographic regions in a provider network, which detect interactions from sources. In some embodiments, a distributed threat sensor data collection and data export service receives a stream of sensor logs from the plurality of threat sensors. The stream of sensor logs has information about interactions with the threat sensors, including an identifier of the source. The service aggregates the information in the sensor logs by the source, computes significance scores for each source where a significance score quantifies a likelihood that the source is engaging in threatening network communications, and provides the significance scores to other destinations.
    Type: Grant
    Filed: May 1, 2020
    Date of Patent: November 1, 2022
    Assignee: Amazon Technologies, Inc.
    Inventor: Nima Sharifi Mehr
  • Patent number: 11366908
    Abstract: Disclosed are various embodiments for detecting unknown software vulnerabilities and system compromises. During a learning period in which execution of a software package is monitored, invoked portions of the software package are determined. Also, during the learning period, a frequency of use of at least one of the invoked portions of the software package is determined. It is determined that the frequency of use during the learning period is different from a frequency of use after the learning period, and in response, an action is performed.
    Type: Grant
    Filed: March 17, 2020
    Date of Patent: June 21, 2022
    Assignee: Amazon Technologies, Inc.
    Inventor: Nima Sharifi Mehr
  • Patent number: 11329962
    Abstract: The present document describes systems and methods that provide an envelope including an encrypted message and a data encryption key reference. A message is encrypted with a data encryption key to produce an encrypted message. The data encryption key is further encrypted using a key encrypting key to produce an encrypted data encryption key. An envelope that includes the encrypted message and the data encryption key reference is then provided to a recipient.
    Type: Grant
    Filed: July 20, 2018
    Date of Patent: May 10, 2022
    Assignee: Amazon Technologies, Inc.
    Inventor: Nima Sharifi Mehr
  • Patent number: 11252190
    Abstract: The current document discloses systems and methods that implement access controls for service providers. When a client requests access to a service provider, but does not satisfy the conditions for non-limited access, the service provider provides limited access to the services based at least in part on a limited access policy. The limited access policy establishes a limitation that defines when the limited access to the service provider expires. In some implementations, the service provider issues a signed access token to the client, and the access token includes an expiration value that is updated when service requests are processed. When the access token expires, access to the service is terminated.
    Type: Grant
    Filed: April 23, 2015
    Date of Patent: February 15, 2022
    Assignee: Amazon Technologies, Inc.
    Inventor: Nima Sharifi Mehr
  • Patent number: 11228658
    Abstract: Systems and methods for processing requests to execute a program code of a user use a message queue service to store requests when there are not enough resources to process the requests. The message queue service determines whether a request to be queued is associated with data that the program code needs in order to process the request. If so, the message queue service locates and retrieves the data and stores the data in a cache storage that provides faster access by the program code to the pre-fetched data. This provides faster execution of asynchronous instances of the program code.
    Type: Grant
    Filed: January 6, 2020
    Date of Patent: January 18, 2022
    Assignee: Amazon Technologies, Inc.
    Inventor: Nima Sharifi Mehr
  • Patent number: 11226887
    Abstract: Systems for processing requests to execute a program code of a user use a deployment model to select one of multiple virtual computing environments, each implemented on a plurality of server computers, which will produce the optimal program code execution, according to metrics such as latency, cost, and resource availability. The system receives the requests in the form of event messages associated with triggering events occurring on networks across the environments. The system feeds network usage data and event message metadata describing the event, event source, other target resources, and the like, into the deployment model to identify a candidate environment. The system enables the candidate environment to execute the program code, and then routes a subset of the event messages to the candidate environment, monitoring associated performance data. If the request processing is improved, the system continues routing some or all of the event messages to the candidate environment.
    Type: Grant
    Filed: December 6, 2016
    Date of Patent: January 18, 2022
    Assignee: Amazon Technologies, Inc.
    Inventor: Nima Sharifi Mehr
  • Patent number: 11218419
    Abstract: Systems for processing requests to execute a program code of a user use a message queue service to store requests when there are not enough resources to process the requests. The message queue service distributes the stored requests across multiple queues; each queue is associated with a context of the underlying events that generate the requests. A context describes one or more attributes of the event, such as information identifying the requestor or the event source. Thus, queued messages are divided into different queues based on user ID, event source or location, event type, etc. The message queue service then selects from the queues when requested to deliver a queued request. This provides a balanced delivery of requests from different requestors or groups of requestors.
    Type: Grant
    Filed: December 6, 2016
    Date of Patent: January 4, 2022
    Assignee: Amazon Technologies, Inc.
    Inventor: Nima Sharifi Mehr