Cloud computing giant AWS says it is using a massive neural network graph model with 3.5 billion nodes and 48 billion edges to speed up the detection of malicious domains crawling around its infrastructure.
The homebrewed system, codenamed Mithra after a mythological rising sun, uses algorithms for threat intelligence and provides AWS with a reputation scoring system designed to identify malicious domains floating around its sprawling infrastructure.
“We observe a significant number of DNS requests per day — up to 200 trillion in a single AWS Region alone — and Mithra detects an average of 182,000 new malicious domains daily,” the technology giant said in a note describing the tool.
“By assigning a reputation score that ranks every domain name queried within AWS on a daily basis, Mithra’s algorithms help AWS rely less on third parties for detecting emerging threats, and instead generate better knowledge, produced more quickly than would be possible if we used a third party,” said Amazon CISO CJ Moses.
Moses said the Mithra supergraph system is also capable of predicting malicious domains days, weeks, and sometimes even months before they show up on threat intel feeds from third parties.
By scoring domain names, AWS said Mithra generates a high-confidence list of previously unknown malicious domain names that can be used in security services like GuardDuty to help protect AWS cloud customers.
The Mithra capabilities are being promoted alongside an internal threat intel decoy system called MadPot that AWS has used to successfully trap malicious activity, including nation state-backed APTs like Volt Typhoon and Sandworm.
MadPot, the brainchild of AWS software engineer Nima Sharifi Mehr, is described as “a sophisticated system of monitoring sensors and automated response capabilities” that entraps malicious actors, watches their movements, and generates protection data for multiple AWS security products.
AWS said the honeypot system is designed to look like a huge number of plausible innocent targets to pinpoint and stop DDoS botnets and proactively block high-end threat actors like Sandworm from compromising AWS customers.