Abstract: An anomaly detection service of a provider network may be used to efficiently monitor for metric anomalies across a large number of IoT devices using mandatory and optional values for metrics. A client may configure any number of mandatory and optional values for a metric to be collected from IoT devices of a fleet. The client may also configure one or more criteria to by used for evaluating the mandatory values (e.g., a threshold percentage such as 99%). When the service receives metric values for the metric, the service determines whether the values satisfy the criteria for the mandatory value. If not, then the service indicates an anomaly. The service may also determine if any values other than the mandatory and optional values are present. If not, then the service indicates an anomaly.

Abstract: Systems and methods are described for implementing a device isolation service. A device isolation service creates and administers per-device virtual networks for individual computing devices, thereby isolating the computing devices from each other and limiting device-to-device communication. The device isolation service may further provide a monitored and access-controlled network that facilitates access to the isolated devices, thereby allowing “administrator” devices to access and administer devices while preventing a compromised device from seeing, probing, or compromising other devices on the network. The device isolation service may group devices by category or function, and may put devices that communicate with each other on the same virtual network while isolating other devices to different virtual networks.

Abstract: Systems and methods are described for implementing a device isolation service. A device isolation service creates and administers per-device virtual networks for individual computing devices, thereby isolating the computing devices from each other and limiting device-to-device communication. The device isolation service may further provide a monitored and access-controlled network that facilitates access to the isolated devices, thereby allowing “administrator” devices to access and administer devices while preventing a compromised device from seeing, probing, or compromising other devices on the network. The device isolation service may group devices by category or function, and may put devices that communicate with each other on the same virtual network while isolating other devices to different virtual networks.

Abstract: The present disclosure generally relates to enabling efficient implementation of honeypot devices in a honeypot service environment. Each honeypot device can be implemented as a virtualized device, executing software modified from a production version of a device such that interactions with the honeypot device closely match interactions with a production device. By using virtualization, each honeypot device can be reset to a known good state when a potential security breach occurs. Because network-based attacks are often wide-spread, the honeypot service environment can deduplicate attacks that occur at a large number of devices, discarding duplicate attack traffic to reduce overall load on the environment. While deduplication can be inappropriate for production environments (given the corresponding data loss), deduplication in a honeypot environment can reduce load while still enabling detection of a network attack.

Abstract: Automatic detection of software that performs unauthorized privilege escalation is disclosed. Examples disclosed herein include detecting, in an event log, a first event associated with a start of execution of a process, the first event to identify a first privilege level associated with the process, and storing the first privilege level in a data structure associated with the process. Disclosed examples also include detecting, in the event log by executing an instruction with the at least one processor, a subsequent second event associated with the execution of the process, the second event to identify a second privilege level associated with the process. Disclosed examples further include at least one of terminating, pausing or suspending the process in response to the second privilege level being higher than the first privilege level.

Abstract: Automatic detection of software that performs unauthorized privilege escalation is disclosed. The techniques cause a programmable device to obtain a trace event of a program from an event logger, parse the trace event to determine a privilege level for an event, compare the privilege level for the event to an expected privilege level, and block execution of the program based on the comparison.

Abstract: Automatic detection of software that performs unauthorized privilege escalation is disclosed. The techniques cause a programmable device to obtain a trace event of a program from an event logger, parse the trace event to determine a privilege level for an event, compare the privilege level for the event to an expected privilege level, and block execution of the program based on the comparison.