Abstract: A server interacts with a bot detection service to provide bot detection as a requesting client interacts with the server. In an asynchronous mode, the server injects into a page a data collection script configured to record interactions at the requesting client, to collect sensor data about the interactions, and to send the collected sensor data to the server. After the client receives the page, the sensor data is collected and forwarded to the server through a series of posts. The server forwards the posts to the detection service. During this data collection, the server also may receive a request from the client for a protected endpoint. When this occurs, and in a synchronous mode, the server issues a query to the detection service to obtain a threat score based in part on the collected sensor data that has been received and forwarded by the server. Based on the threat score returned, the server then determines whether the request for the endpoint should be forwarded onward for handling.

Abstract: An end-to-end verifiable multi-factor authentication scheme uses an authentication service. An authentication request is received from an organization, the request having been generated at the organization in response to receipt there of an access request from a user. The user has an associated public-private key pair. The organization provides the authentication request together with a first nonce. In response to receiving the authentication request and the first nonce, the authentication service generates a second nonce, and then it send the first and second nonces to the user. Thereafter, the service receives a data string, the data string having been generated by the client applying its private key over the first and second nonces. Using the user's public key, the service attempts to verify that the data string includes the first and second nonces.

Abstract: A server interacts with a bot detection service to provide bot detection as a requesting client interacts with the server. In an asynchronous mode, the server injects into a page a data collection script configured to record interactions at the requesting client, to collect sensor data about the interactions, and to send the collected sensor data to the server. After the client receives the page, the sensor data is collected and forwarded to the server through a series of posts. The server forwards the posts to the detection service. During this data collection, the server also may receive a request from the client for a protected endpoint. When this occurs, and in a synchronous mode, the server issues a query to the detection service to obtain a threat score based in part on the collected sensor data that has been received and forwarded by the server. Based on the threat score returned, the server then determines whether the request for the endpoint should be forwarded onward for handling.

Abstract: A method of delivering a media stream in a network having first and second media servers each capable of delivering segmented media content to a requesting media client. The network provides for HTTP-based delivery of segmented media, and the media client is supported on a client-side device. The method begins by associating the media client with the first media server. As the first server receives from the media client request for media content segments, request times for a given number of the most-recent segments requested are used to generate a prediction, by the first server, of when the media client has transitioned from a start-up or buffering state, to a steady state. In response to a new segment request being received, and upon the first server predicting that the media client has completed a transition to steady state, the new segment request is redirected to the second media server.

Abstract: A shared computing infrastructure has associated therewith a portal application through which users access the infrastructure and provision one or more services, such as content storage and delivery. The portal comprises a security policy editor, a web-based configuration tool that is intended for use by customers to generate and apply security policies to their media content. The security policy editor provides the user the ability to create and manage security policies, to assign policies so created to desired media content and/or player components, and to view information regarding all of the customer's current policy assignments. The editor provides a unified interface to configure all media security services that are available to the CDN customer from a single interface, and to enable the configured security features to be promptly propagated and enforced throughout the overlay network infrastructure.

Abstract: Origin offload is a key performance indicator of a content delivery network (CDN). This patent document presents unique methods and systems for measuring origin offload and applying those measurements to improve the offload. The techniques presented herein enable resource-efficient measurement of origin offload by individual servers and aggregation and analysis of such measurements to produce significant insights. The teachings hereof can be used to better identify root causes of suboptimal offload performance, to tune CDN settings and configurations, and to modify network operations, deployment and/or capacity planning. In addition, discussed herein are improved metrics showing offload in relation to the maximum achievable offload for the particular traffic being served.

Abstract: Improved technology for managing the caching of objects that are rarely requested by clients. A cache system can be configured to assess a class of objects (such as objects associated with a particular domain) for cacheability, based on traffic observations. If the maximum possible cache offloading for the class of objects falls below a threshold level, which indicates a high proportion of non-cacheable or “single-hitter” content, then cache admission logic is configured to admit objects only after multiple clients requests during a time period (usually the object's time in cache, or eviction age). Otherwise, the cache admission logic may operate to admit objects to the cache after the first client request, assuming the object meets cacheability criteria. The technological improvements disclosed herein can be used to improve cache utilization, for example by preventing single-hitter objects from pushing out multi-hit objects (the objects that get hits after being added to cache).

Abstract: A method to generate a trusted certificate on an endpoint appliance located in an untrusted network, wherein client devices are configured to trust a first Certificate Authority (CA) that is administered by the untrusted network. In this approach, an overlay network is configured between the endpoint appliance and an origin server associated with the endpoint appliance. The overlay comprises an edge machine located proximate the endpoint appliance, and an associated key management service. A second CA is configured in association with the key management service to receive a second certificate signed by the first CA. A third CA is configured in association with the edge machine to receive a third certificate signed by the second CA. In response to a request from the appliance, a server certificate signed by the third CA is dynamically generated and provided to the appliance.

Abstract: This document relates to a CDN balancing mitigation system. An implementing CDN can deploy systems and techniques to monitor the domains of content provider customers with an active DNS scanner and detect which are using other CDNs on the same domain. This information can be used as an input signal for identifying and implementing adjustments to CDN configuration. Both automated and semi-automated adjustments are possible. The system can issue configuration adjustments or recommendations to the implementing CDN's servers or to its personnel. These might include “above-SLA” treatments intended to divert traffic to the implementing CDN. The effectiveness can be measured with the multi-CDN balance subsequently observed. The scanning and adjustment workflow can be permanent, temporary, or cycled. Treatments may include a variety of things, such as more cache storage, routing to less loaded servers, and so forth.

Abstract: A mechanism to facilitate a private network (VPN)-as-a-service, preferably within the context of an overlay IP routing mechanism implemented within an overlay network. A network-as-a-service customer operates endpoints that are desired to be connected to one another securely and privately using the overlay IP (OIP) routing mechanism. The overlay provides delivery of packets end-to-end between overlay network appliances positioned at the endpoints. During such delivery, the appliances are configured such that the data portion of each packet has a distinct encryption context from the encryption context of the TCP/IP portion of the packet. By establishing and maintaining these distinct encryption contexts, the overlay network can decrypt and access the TCP/IP flow. This enables the overlay network provider to apply one or more TCP optimizations. At the same time, the separate encryption contexts ensure the data portion of each packet is never available in the clear at any point during transport.

Abstract: Methods and systems for malicious non-human user detection on computing devices are described. The method includes collecting, by a processing device, raw data corresponding to a user action, converting, by the processing device, the raw data to features, wherein the features represent characteristics of a human user or a malicious code acting as if it were the human user, and comparing, by the processing device, at least one of the features against a corresponding portion of a characteristic model to differentiate the human user from the malicious code acting as if it were the human user.

Abstract: The methods and system described herein automatically generate network router access control entities (ACEs) that are used to filter internet traffic and more specifically to block malicious traffic. The rules are generated by an ACE engine that processes incoming internet packets and examines existing ACEs and a statistical profile of the captured packets to produce one or more recommended ACEs with a quantified measure of confidence. Preferably, a recommended ACE is identified in real time of the attack, and preferably selected from a library of pre-authored ACEs. It is then deployed automatically or alternatively sent to system personnel for review and confirmation.

Abstract: An analysis system automates IP address structure discovery by deep analysis of sample IPv6 addresses using a set of computational methods, namely, information-theoretic analysis, machine learning, and statistical modeling. The system receives a sample set of IP addresses, computes entropies, discovers and mines address segments, builds a network model of address segment inter-dependencies, and provides a graphical display with various plots and tools to enable a network analyst to navigate and explore the exposed IPv6 address structure. The structural information is then applied as input to applications that include: (a) identifying homogeneous groups of client addresses, e.g., to assist in mapping clients to content in a CDN; (b) supporting network situational awareness efforts, e.g., in cyber defense; (c) selecting candidate targets for active measurements, e.g.

Abstract: A payment network comprises ledger services, and associated wallet services. To provide wallet services resiliency, multiple active wallet replicas are used to enable the system (i) to rely on collision detection and blockchain idempotency to produce a single correct outcome, and (2) to implement various collision avoidance techniques. Using a ledger services idempotency feature, multiple actors form independent valid intents and know that no more than one intent will get finalized on the ledger. In a variant embodiment, replicas implement processing delays and utilize so-called “intent” messages. By adding the delays, decision logic is biased logic towards one intent. The intent messages are used to intercede before a wallet handles a same original upstream message and forms a different intent. Seeing the replica's intent, the wallet can adopt the same intent and proceed with downstream processing. After adopting intent, preferably a wallet also informs its replicas of its intent.

Abstract: This document describes systems, devices, and methods for testing the integration of a content provider's origin infrastructure with a content delivery network (CDN). In embodiments, the teachings hereof enable a content provider's developer to rapidly and flexibly create test environments that send test traffic through the same CDN hardware and software that handle (or at least have the ability to handle) production traffic, but in isolation from that production traffic and from each other. Furthermore, in embodiments, the teachings hereof enable the content provider to specify an arbitrary test origin behind its corporate firewall with which the CDN should communicate.

Abstract: A messaging channel is embedded directly into a media stream. Messages delivered via the embedded messaging channel are extracted at a client media player. According to a variant embodiment, and in lieu of embedding all of the message data in the media stream, only a coordination index is injected, and the message data is sent separately and merged into the media stream downstream (at the client media player) based on the coordination index. In one example embodiment, multiple data streams (each potentially with different content intended for a particular “type” or class of user) are transmitted alongside the video stream in which the coordination index (e.g., a sequence number) has been injected into a video frame. Based on a user's service level, a particular one of the multiple data streams is released when the sequence number appears in the video frame, and the data in that stream is associated with the media.

Abstract: A method of detecting bots, preferably in an operating environment supported by a content delivery network (CDN) that comprises a shared infrastructure of distributed edge servers from which CDN customer content is delivered to requesting end users (clients). The method begins as clients interact with the edge servers. As such interactions occur, transaction data is collected. The transaction data is mined against a set of “primitive” or “compound” features sets to generate a database of information. In particular, preferably the database comprises one or more data structures, wherein a given data structure associates a feature value with its relative percentage occurrence across the collected transaction data. Thereafter, and upon receipt of a new transaction request, primitive or compound feature set data derived from the new transaction request are compared against the database. Based on the comparison, an end user client associated with the new transaction request is then characterized, e.g.

Abstract: A server in a content delivery network (CDN) can examine API traffic and extract therefrom content that can be optimized before it is served to a client. The server can apply content location instructions to a given API message to find such content therein. Upon finding an instance of such content, the server can verify the identity of the content by applying a set of content verification instructions. If verification succeeds, the server can retrieve an optimized version of the identified content and swap it into the API message for the original version. If an optimized version is not available, the server can initiate an optimization process so that next time the optimized version will be available. In some embodiments, an analysis service can assist by observing traffic from an API endpoint over time, detecting the format of API messages and producing the content location and verification instructions.

Abstract: This document describes techniques for rotating keys used to tokenize data stored in a streaming data store where data is stored for a maximum time [W]. In some embodiments, a data layer of such a data store can encrypt arriving original data values twice. The original data value is first encrypted with a first key, producing a first token. The original data value is encrypted with a second key, producing a second token. Each encrypted token can be stored separately in the data store. A field may be associated with two database columns, one holding the value encrypted with the first key and the second holding the value encrypted with the second key. Keys are rotated after time [K], which is at least equal to and preferably longer than [W]. Rotation can involve discarding the older key and generating a new key so that two keys are still used.

Abstract: A server interacts with a bot detection service to provide bot detection as a requesting client interacts with the server. In an asynchronous mode, the server injects into a page a data collection script configured to record interactions at the requesting client, to collect sensor data about the interactions, and to send the collected sensor data to the server. After the client receives the page, the sensor data is collected and forwarded to the server through a series of posts. The server forwards the posts to the detection service. During this data collection, the server also may receive a request from the client for a protected endpoint. When this occurs, and in a synchronous mode, the server issues a query to the detection service to obtain a threat score based in part on the collected sensor data that has been received and forwarded by the server. Based on the threat score returned, the server then determines whether the request for the endpoint should be forwarded onward for handling.