CPC H04L 63/145 (2013.01) [H04L 63/1416 (2013.01); H04L 63/1491 (2013.01); H04L 63/166 (2013.01)]
20 Claims
1. A computer-implemented method, comprising:
obtaining a first plurality of network telemetry information associated with a plurality of client devices accessing a networked computing platform, wherein the first plurality of network telemetry information includes a first plurality of authentication information, a first plurality of outbound traffic information, a first plurality of web activity information, a first plurality of honeypot activity information, a first plurality of network classification information, and a first plurality of third-party threat intelligence information;
storing the first plurality of network telemetry information in one or more datastores;
obtaining a network identifier associated with a first client device of the plurality of client devices;
obtaining a second plurality of network telemetry information of the first plurality of network telemetry information, wherein the second plurality of network telemetry information is associated with the network identifier and includes a second plurality of authentication information of the first plurality of authentication information, a second plurality of outbound traffic information of the first plurality of outbound traffic information, a second plurality of web activity information of the first plurality of web activity information, a second plurality of honeypot activity information of the first plurality of honeypot activity information, a second plurality of network classification information of the first plurality of network classification information, and a second plurality of third-party threat intelligence information of the first plurality of third-party threat intelligence information; and
processing, using a confidence scoring model, at least one of the second plurality of authentication information, the second plurality of outbound traffic information, the second plurality of web activity information, the second plurality of honeypot activity information, the second plurality of network classification information, or the second plurality of third-party threat intelligence information to generate at least one of a reputation score or a confidence score associated with the network identifier.