Amazon Web Services is all about scale. The cloud services giant runs more than 100 data centers spread over 31 regions and 245 countries and territories to go with more than 400 edge locations. AWS sits atop a global cloud infrastructure services space, account for 32% of a market that in the second quarter pulled in $79 billion, according to Synergy Research Group.

That scale also gives AWS the ability to pull in and analyze massive amounts of threat intelligence from around the world to help develop and inform both internal security systems and customer-facing cloud services aimed at protecting the huge amounts of data that it holds for organizations around the world.

The cloud company is publicly detailing some of the internal systems it has in place to detect and mitigate the myriad cyberthreats to its sprawling infrastructure and the data inside. In September it was MadPot for discovering and monitoring threat activities and disrupting them. This week, AWS detailed Mithra, a huge neural network graph model that runs on its internal systems and identifies malicious domains and then ranks domains’ trustworthiness.

The system includes 3.5 billion node and 48 billion edges, according to Amazon CISO C.J. Moses. Mithra – named after a mythological rising sun – uses algorithms for threat intelligence, detecting an average of 182,000 new malicious domains every day.

Ranking Malicious Domains

“Mithra’s reputation scoring system is tailored to identify malicious domains that customers come in contact with, so the domains can be ranked accordingly,” Moses wrote in a blog post. “By assigning a reputation score that ranks every domain name queried within AWS on a daily basis, Mithra’s algorithms help AWS rely less on third parties for detecting emerging threats, and instead generate better knowledge, produced more quickly than would be possible if we used a third party.”

The graph model also can not only accurately detect malicious domains with fewer false positives than other tools, but also can predict such domains days, weeks, or months before they appear on threat intelligence feeds from third-party vendors.

Threat groups use malicious domains to launch phishing campaigns, distribute malware, URL obfuscation to hide the true destination of a malicious link, and other attacks. They can also be made to spoof well-known brands by slightly misspelling the names to entice victims to disclose sensitive information like usernames, passwords, or payment card data.

Spreading the Information Wealth

Mithra’s domain rankings can be used to create a list of previously unknown malicious domains that can be fed into security services like Amazon’s GuardDuty, a service that automatically detects threats for millions of accounts on AWS. It also lets customers block malicious domains and receive alerts for potential threats.

The malicious domain information also can be used for services to use third-party threat feeds to reduce false positives, Moses wrote.

In addition, AWS shares the threat intelligence from Mirtha and other AWS systems with other organizations that may be targeted or compromised by bad actors, he wrote, adding that “in certain circumstances when we receive signals that suggest a third-party (non-customer) organization may be compromised by a threat actor, we also notify them because doing so can help head off further exploitation, which promotes a safer internet at large.”

The Advantage of Scale

The cloud provider’s scale allows it to create threat intelligence initiatives that other organizations couldn’t, according to Moses.

“With the largest public network footprint of any cloud provider, AWS has unparalleled insight into certain activities on the internet, in real time,” he wrote. “For threat intelligence to have meaningful impact on security, large amounts of raw data from across the internet must be gathered and quickly analyzed. In addition, false positives must be purged.

Creating threat intelligence is time-consuming and requires large amounts of resources, both human and digital. Technologies like AI and machine are useful but need to use information from across the internet.

“Even for organizations that are able to gather actionable threat intelligence on their own, without the reach of global-scale cloud infrastructure, it’s difficult or impossible for time-sensitive information to be collectively shared with others at a meaningful scale,” the CISO wrote. “The AWS infrastructure radically transforms threat intelligence because we can significantly boost threat intelligence accuracy – what we refer to as high fidelity – because of the sheer number of intelligence signals (notifications generated by our security tools) we can observe.”