Abstract: A first computing system establishes a cryptographically protected communication session with a second computing system by proposing a hybrid cryptographic scheme. In response to the proposed hybrid cryptographic scheme, a second computing system transmits cryptographic materials to the first computing system, and the first computing system transmits cryptographic materials to the second computing system. Using the cryptographic materials, two or more cryptographic keys are derived. One cryptographic key is used to perform an inner cryptographic operation on one or more data items, and another cryptographic key is used to perform an outer cryptographic operation on the one or more data items that have been cryptographically protected by the inner cryptographic operation.

Abstract: A connection-based service impersonates request-based security for requests from clients that do not include credentials for the requests (e.g., data plane requests made via a connection-oriented security). A connection between a client and a connection-based service is established based on connection credentials that are based on security credentials from a request-based security service. The credentials are sent by a security component of the service to a local agent of the remote security service to be authenticated by the security service. An impersonation token is returned by the security service and cached by the local agent. Requests from the client to perform operations do not include credentials. For each request, the service passes an identifier for the client and the operation to a local authorization component that calls the agent for authorization of the requested operation. The agent uses the impersonation token to obtain authorization for the requested operation.

Abstract: Techniques to reduce the latency of data transfer notifications in a computing system are disclosed. The techniques can include receiving, at a memory, a first access request of a set of access requests associated with a data transfer. The first access request has a token and an access count indicating the number of access requests in the set of access requests. A counter is initiated to count the number of received access requests having the token. When additional access requests belonging to the set of access requests are received, the counter is incremented for each of the additional access requests being received. A notification is transmitted to an integrated circuit component in response to receiving the last access request of the set of access requests having the token to notify the integrated circuit component that the memory is ready for access.

Abstract: Techniques are described for monitoring and analyzing input/output (I/O) messages for patterns indicative of ransomware attacks affecting computer systems of a cloud provider, and for performing various remediation actions to mitigate data loss once a potential ransomware attack is detected. The monitoring of I/O activity for such patterns is performed at least in part by I/O proxy devices coupled to computer systems of a cloud provider network, where an I/O proxy device is interposed in the I/O path between guest operating systems running on a computer system and storage devices to which I/O messages are destined. An I/O proxy device can analyze I/O messages for patterns indicative of potential ransomware attacks by monitoring for anomalous I/O patterns which may, e.g., be indicative of a malicious process attempting to encrypt or otherwise render in accessible a significant portion of one or more storage volumes as part of a ransomware attack.

Abstract: Systems and methods are provided to reduce the latency in accessing an input/output (I/O) hardware register by software executing on a central processing unit (CPU). The hardware register is located in a controller coupled to the CPU via an I/O bus. The CPU software can send a command to the controller for execution. The controller can execute the command and update the hardware register to indicate that the command has been executed. The controller can write contents of the hardware register to a specified address in a CPU memory that is assigned by the CPU software. The CPU software can read the specified address to determine that the command has been executed instead of reading the hardware register on the I/O bus.

Abstract: Systems and methods for providing cryptographic services. A cryptography service obtains a request to provision a computing device to perform cryptographic operations. The cryptography service generates executable code for a protected execution environment. The computing device obtains and executes the executable code. The computing device fulfills requests for cryptographic operations in the protected execution environment.

Abstract: The reliability of an application is improved by analyzing and implementing changes to application infrastructure that is represented, in some examples, as Infrastructure as Code (“IAC”). The system performs various tests on the infrastructure to determine how the infrastructure responds to failures and whether recovery procedures and monitoring services in place are effective and functioning properly. Various examples provide a measure of infrastructure resiliency that can be used to evaluate potential changes to application infrastructure.

Abstract: Systems and methods utilize network destination identifiers, such as IP addresses, that are simultaneously advertised from multiple locations. The network destination identifiers may be announced in multiple geographic regions. Network traffic routed to devices advertising the network destination identifiers may be routed to appropriate endpoints. When a device receives such traffic, it may send the traffic to an endpoint in a network served by the device. In some instances, such as when such an endpoint is not available, the network traffic may be sent to another network that is served by another device that advertises the network destination identifiers.

Abstract: Methods and systems for facilitating communications between shared electronic devices are described herein. In some embodiments, a group account may be assigned to a shared electronic device. The group account may include one or more user accounts, where individuals associated with those user accounts may interact with the shared electronic device, and also may form a part of the group account. When a message is sent from one shared electronic device to another personal device or shared electronic device, the message may be indicated as being sent from the group account, as if the shared electronic device corresponds to its own separate account. In some embodiments, speaker identification processing may be employed to determine a speaker of the message and, if the speaker is able to be identified, the message may be sent from the corresponding speaker's user account instead of the shared electronic device's corresponding group account.

Abstract: Devices and techniques are generally described for anomalous computer activity detection. In various examples, first computer activity data associated with a first account may be determined. A first linear detection event that corresponds to the first computer activity data may be determined. In some examples, a set of gradient-based data associated with the first linear detection event may be determined. The set of gradient-based data may represent comparative analysis of the first computer activity data with computer activity data of other accounts. In some examples, first data representing the first linear detection event and the set of gradient-based data may be generated. In various cases, network access for the first account may be disabled based on the first data.

Abstract: Systems and methods are provided to implement a fast recovery process in a partitioned replicated data store. In some embodiments, the data store is configured to store an object in a plurality of partitions and replicate data in each partition in a group of replica nodes to satisfy a durability model. In response to a replica failure, the data store performs a split operation to create a plurality of new partitions. The partition's data is split into subsets corresponding to the new partitions. The subsets are transmitted, in parallel, from the surviving replica nodes of the partition to new replica nodes in the new partitions. The new partitions then replicate respective subsets of data in their respective replication groups using a chained replication technique. The recovery process allows the data store to return into compliance with the durability model more quickly, by parallelizing the copying of data.

Abstract: Techniques are described and relate to anisotropic pooling for contextual embedding of a protein sequence. In an example, a system receives a first biological sequence and determines a sequence arrangement that comprises a component of the first biological sequence and a second biological sequence of components. By using an artificial intelligence (AI) model, the system determines a third sequence that comprises a contextual embedding vector corresponding to the component of the first biological sequence. The AI model generates the third sequence based at least in part on the sequence arrangement and by at least using a convolution and anisotropic pooling.

Abstract: Techniques for a distributed data processing application service in a cloud provider network are described. A virtual machine bundle is obtained, the virtual machine bundle including a copy of a memory and one or more registers of a paused virtual machine executing a distributed data processing application runtime. A request to launch a virtual machine to execute a distributed data processing application runtime is received, the request to launch the virtual machine including a bundle identifier that identifies the virtual machine bundle. The virtual machine is launched based at least in part on the virtual machine bundle. The virtual machine sends a message to register the virtual machine with a cluster of virtual machines.

Abstract: Techniques for distributed data processing application service networking in a cloud provider network are described. A first request to launch a virtual machine is received, the first request including a session network identifier to identify a network of a distributed data processing application cluster hosted by the provider network. The first virtual machine is launched. An internet protocol (IP) address of the first virtual machine is set, and the IP address of the first virtual machine is formed at least in part by combining an IP subnet assigned to the computer system with the session network identifier. A firewall controlling network traffic to and from the first virtual machine is configured to allow packets having a source or destination address that matches a portion of the IP address of the first virtual machine that includes the session network identifier.

Abstract: A system for utilizing media content reference point information to perform media content encoding, and supplemental content stitching and/or insertion. Media content can be encoded and packaged based on boundaries of the media content. The boundaries can be received from a third-party and/or generated via an automated process. Target boundaries can be selected based on accuracy levels associated with the received and/or generated boundaries. Supplemental content can be stitched and/or inserted into packaged media content based on audio and video content of the packaged media content being aligned.

Abstract: Respective statistical distributions of a target variable within a proposed training data set and a proposed test data set for a machine learning model are obtained. A metric indicative of the difference between the two statistical distributions is computed. The difference metric is used to determine whether the proposed test data set is acceptable to evaluate the machine learning model.

Abstract: Techniques for an objection detection feature are described herein. Images of an object captured by a camera may be received along with information that includes a first timestamp. A presence of the object and a type of the object may be determined based on a computer vision model that uses the images. First RFID data may be received from an RFID sensor from an RFID tag associated with the object. The first RFID data may include a second timestamp and an identifier for the RFID tag. A determination that the object has entered the area may be determined based on the presence of the object within the images, the first RFID data, the first timestamp, and the second timestamp. A threshold for the object may be determined based on the first timestamp, the second timestamp, and one or more policies for the area.

Abstract: Dynamic transcoding can be used to provide supplemental content, selected to be played during breaks in a stream of primary content, that has the same format as the primary content. It can be desirable to provide supplemental content that is personalized. This may include additional content or advertising that may be of interest or relevance to a viewer. In many instances, the supplemental content will come from a different source and thus can be in a different format. Approaches in accordance with various embodiments can take advantage of dynamic transcoding of the supplemental content to provide properly formatted supplemental content through the same stream as the primary content. A custom manifest can be provided to the media player that points to the transcoded supplemental content. At an appropriate break in the playback, the media player can use the manifest to obtain the formatted supplemental content.

Abstract: Systems and techniques for updating floor plans for use by autonomous mobile devices. The techniques include accessing a first floor plan with associated spatial metadata. An updated occupancy map is received with additional geographic updates over the first floor plan. A transformation of the first floor plan is determined to match the new occupancy map. The spatial data and the first floor plan are transformed and the transformed spatial metadata is associated with the new occupancy map to form a second floor plan.

Abstract: Disclosed are systems and methods that detect segments of video, such as HDR video, that include content, such as edges and details in dark scenes, that cannot be presented on some displays. Output models for different display types, such as edge-lit LCD, backlit LCD, etc., may be created and used to process video with respect to those different display types to determine if segments of the video cannot be presented on the display type at the pixel brightness values indicated in the video. In some implementations, HDR video may also or alternatively be compared to SDR video to determine segments of the video that are of interest, especially in low light scenes.