Abstract: Techniques described and suggested herein include various systems and methods for determining risk levels associated with transiting data, and routing portions of the data in accordance with the determined risk levels. For example, a risk analyzer may apply risk classifiers to transiting data to determine overall risk levels of some or all of the transiting data. A traffic router may route transiting data according to determined risk profiles for the data. A sandbox may be implemented to compare, for a given input, expected and observed outputs for a subset of transiting data, so as to determine risk profiles associated with at least the subset.

Abstract: Techniques described and suggested herein include various systems and methods for determining risk levels associated with transiting data, and routing portions of the data in accordance with the determined risk levels. For example, a risk analyzer may apply risk classifiers to transiting data to determine overall risk levels of some or all of the transiting data. A traffic router may route transiting data according to determined risk profiles for the data. A sandbox may be implemented to compare, for a given input, expected and observed outputs for a subset of transiting data, so as to determine risk profiles associated with at least the subset.

Abstract: A method and apparatus for risk scoring in a graph are disclosed. In the method and apparatus, a graph includes a first node that is connected with a node of a plurality of nodes using a communication link of a plurality of communication links. A plurality of link risk measures are then determined, whereby a link risk measure of the plurality of link risk measures pertains to the communication link of the plurality of communication links. Furthermore, a risk measure associated with the first node is determined based at least in part on the plurality of link risk measures. The risk measure is monitored to determine if one or more conditions placed on the risk measure are met and one or more actions are taken as a result of the one or more conditions being met.

Abstract: Techniques described and suggested herein include systems and methods for optimizing network connections by using attributes of one or more of the connected entities. For example, a routing engine may be implemented to determine, based on various attributes of a client device, its desired destination, and/or the networks capable of connecting the client device and the destination, optimized parameters and routes for the network connection. Such optimization may involve the selection of an optimal network, the negotiation of an optimal connection type, and the like. The optimization may be made for one or more disparate criteria, such as data security, bandwidth, network latency, geographical proximity, and so forth.

Abstract: The current document describes systems and methods that provide access controls in a system of interconnected services such as an online service platform. In various implementations, the system maintains contextual information associated with tokenized data. In additional implementations, data brokers authorize access to detokenized data by comparing the context of the data to the context of the service requesting the data. In yet additional implementations, the system maintains contextual information associated with requests that are processed within the system. When a request is made to a particular service, the particular service can use the identity of the requester, the context of the request, and the context of the data to determine whether the request is authorized. In some implementations, the integrity of contextual information is protected using a digital signature.

Abstract: Techniques described and suggested herein include various systems and methods for determining risk levels associated with transiting data, and routing portions of the data in accordance with the determined risk levels. For example, a risk analyzer may apply risk classifiers to transiting data to determine overall risk levels of some or all of the transiting data. A traffic router may route transiting data according to determined risk profiles for the data. A sandbox may be implemented to compare, for a given input, expected and observed outputs for a subset of transiting data, so as to determine risk profiles associated with at least the subset.

Abstract: A system assesses a security configuration proposed for production on a target computer system. The system may receive the security configuration proposed for production and obtain telemetry metrics generated based on security configurations implemented on one or more computer systems of the service provider. The system may assess a security configuration proposed for deployment based on telemetry metrics and generate status information based on the assessment. An authorization recommendation may be provided based whether the status information indicates that the proposed security configuration satisfies one or more conditions.

Abstract: A method and apparatus for path detection are disclosed. In the method and apparatus, a data path may link two path-end nodes in a network. Event data for the network may be received and may be used to determine, for each node resident on the path, proximity measures to each path-end node. The proximity measure of network nodes may be evaluated to determine whether a path exists between the two path-end nodes.

Abstract: Techniques described and suggested herein include various systems and methods for determining risk levels associated with transiting data, and routing portions of the data in accordance with the determined risk levels. For example, a risk analyzer may apply risk classifiers to transiting data to determine overall risk levels of some or all of the transiting data. A traffic router may route transiting data according to determined risk profiles for the data. A sandbox may be implemented to compare, for a given input, expected and observed outputs for a subset of transiting data, so as to determine risk profiles associated with at least the subset.

Abstract: A monitoring service receives, from a variety of hardware components of a set of computer systems, binary signals indicative of operation of these components. The monitoring service determines, based at least in part on these signals, a set of beat frequencies for pairings of hardware components of the set of computer systems. The monitoring service uses this set of beat frequencies, as well as information included in a profile for the set of computer systems, to determine whether there is any indication of anomalous behavior in operation of the set of computer systems. If so, the monitoring service generates one or more alerts indicating the anomalous behavior.

Abstract: Method and apparatus for identifying a flow of data from a first data store to a second data store are disclosed. In the method and apparatus, a service may send the data from the first data store to the second data store, whereby the service may be associated with an access control policy that specifies whether the service is permitted to send or receive the data. The access control policy may be used as a basis for the evaluation of executable instructions of the service, and evaluation of the executable instructions may be used to identify the first data store or the second data store.

Abstract: A delivery verification service receives an electronic message that indicates delivery of an authentication device. In response to receiving the electronic message, the delivery verification service identifies, based at least in part on the electronic message, a set of attributes of a recipient to which the authentication device was delivered. Based at least in part on these attributes of the recipient, the delivery verification service determines whether to activate the authentication device. If the delivery verification service determines that the authentication device can be activated, the delivery verification service causes the authentication device to be enabled.

Abstract: Techniques for detecting access to data classified as sensitive by plugin running on a computer system are described herein. A data event is generated that includes information about the access to the data classified as sensitive as a result of detecting the access to the data. The data event is then transmitted to a logging service over a network.

Abstract: Techniques for detecting access to computer system data by applications running on a computer system are described herein. Data access event log entries are recorded, the log entries including one or more metadata items associated with how the computer system application accessed the computer system data. The log entries are analyzed using correlations with other computer system events and, if improper access is detected, one or more operations relating to the type of data accessed and the type of violation are performed to mitigate the improper data access.

Abstract: Aspects related to the secure transfer and use of secret material are described. In one embodiment, an encrypted secret key and encrypted revocation data are imported into a trusted execution environment and decrypted with private provider and vendor keys. In this manner, a provider of cryptographic processes is not exposed to the secret key or revocation data of a customer, as the secret key and revocation data are decrypted and stored within the trusted execution environment but not accessed in an unencrypted form. In turn, the provider can receive various instructions to perform cryptographic operations on behalf of the customer. Based on the outcome of a revocation check using the revocation data, the instructions can be performed by the trusted execution environment.

Abstract: Methods and systems are provided to enable gradual expiration of credentials. Instead of depriving a user of all his access rights upon expiration of his credential (e.g., password), the user's access rights may be gradually restricted during a grace period after an expected or initial expiration time and/or before a final expiration time. The access right may be determined based on a duration from a time of the access request to the final expiration time or to the initial expiration time.

Abstract: A payment routing and processing platform is configured to collect various attributes for use in identifying an optimal payment processor for a particular payment transaction message. For example, the payment routing and processing platform might identify business attributes, endpoint attributes, customer and transaction attributes, payment method attributes, system attributes, and/or other types of attributes. The payment routing and processing platform might then utilize some or all of the identified attributes to select an endpoint for processing a payment transaction message. The payment routing and processing platform might also utilize some or all of the identified attributes to identify and perform other types of processing of financial transactions. Machine learning techniques might also be utilized to improve the performance of the payment routing and processing platform.

Abstract: Described are techniques for detecting network egress points. A source device on a first network may generate a probe data with loose source route data that includes internal routing data to a designated subnet within the first network. The ultimate destination of the probe data is outside the first network. Once at the designated subnet, the probe data is handled by the egress network devices, such as a router, that services the subnet. Ultimately, the probe data may arrive at a destination device by way of a second network. The destination device determines the egress point from the first network used by the probe data. By comparing the actual route data with known egress points, known egress network devices may be confirmed and unknown egress network devices may be determined.

Abstract: Methods and systems are provided herein to enable secure proxying of network traffic between trusted and untrusted environments. In particular, a secure proxy may be provided that includes a set of policies. The policies may be applicable to various network protocol layers (e.g., an application layer), network traffic types, and/or endpoint resolution. The set of policies may be used to inspect, restrict and/or modify traffic between the trusted and untrusted environment to ensure data and network security. A proxy device may use the set of policies, for example, to obtain current service-related information (such as the list of IP addresses) currently associated with a computing resource requested by an application. Such endpoint information may be used, in turn, to update a white list.

Abstract: A method and apparatus for path detection are disclosed. In the method and apparatus, a data path may link two path-end nodes in a network. Event data for the network may be received and may be used to determine, for each node resident on the path, proximity measures to each path-end node. The proximity measure of network nodes may be evaluated to determine whether a path exists between the two path-end nodes.