Abstract: A server interacts with a bot detection service to provide bot detection as a requesting client interacts with the server. In an asynchronous mode, the server injects into a page a data collection script configured to record interactions at the requesting client, to collect sensor data about the interactions, and to send the collected sensor data to the server. After the client receives the page, the sensor data is collected and forwarded to the server through a series of posts. The server forwards the posts to the detection service. During this data collection, the server also may receive a request from the client for a protected endpoint. When this occurs, and in a synchronous mode, the server issues a query to the detection service to obtain a threat score based in part on the collected sensor data that has been received and forwarded by the server. Based on the threat score returned, the server then determines whether the request for the endpoint should be forwarded onward for handling.

Abstract: A server-side technique to detect and mitigate client-side content filtering, such as ad blocking. In operation, the technique operates on a server-side of a client-server communication path to provide real-time detect the existence of a client filter (e.g., an ad blocker plug-in) through transparent request exchanges, and then to mitigate (defeat) that filter through one or operations designed to modify the HTML response body or otherwise obscure URLs. Preferably, the publisher (the CDN customer) defines one or more criteria of the page resources being served by the overlay (CDN) and that need to be protected against the client-side filtering.

Abstract: A method and apparatus for data collection to facilitate bot detection. According to this approach, and in lieu of conventional user agent-based fingerprinting, a client script is executed to attempt to identify one or more Javascript “landmark” features. In one embodiment, a landmark Javascript feature is a Javascript implementation that exists in a first browser type but not a second browser type distinct from the first browser type, and that also exists in one or more releases of the first browser type, but not in one or more other releases of the first browser type. By testing against landmark Javascript features as opposed to an unconstrained set of API calls and the like, the technique herein provides for much more computationally-efficient client-side operation.

Abstract: A server interacts with a bot detection service to provide bot detection as a requesting client interacts with the server. In an asynchronous mode, the server injects into a page a data collection script configured to record interactions at the requesting client, to collect sensor data about the interactions, and to send the collected sensor data to the server. After the client receives the page, the sensor data is collected and forwarded to the server through a series of posts. The server forwards the posts to the detection service. During this data collection, the server also may receive a request from the client for a protected endpoint. When this occurs, and in a synchronous mode, the server issues a query to the detection service to obtain a threat score based in part on the collected sensor data that has been received and forwarded by the server. Based on the threat score returned, the server then determines whether the request for the endpoint should be forwarded onward for handling.

Abstract: A proxy server is augmented with the capability of taking transient possession of a received entity for purposes of serving consuming devices. This capability supplements destination forwarding and/or origin server transactions performed by the proxy server. This capability enables several entity transfer modes, including a rendezvous service, in which the proxy server can (if invoked by a client) fulfill a client's request with an entity that the proxy server receives from a producing device contemporaneous with (or shortly after) the request for that entity. It also enables server-to-server transfers with synchronous or asynchronous destination forwarding behavior. It also enables a mode in which clients can request different representations of entities, e.g., from either the near-channel (e.g., the version stored at the proxy server) or a far-channel (e.g., at origin server).

Abstract: One or more instances in program code that references an identifier of the standard web object model program object property that is prevented by a web browser from being directly reassigned are identified. The one or more instances in the program code that references the identifier of the standard web object model program object property that is prevented by the web browser from being directly reassigned are modified with one or more corresponding replacement references that include a replacement identifier. The replacement identifier id defined in the program code as being associated with a new program object property defined to invoke the standard web object model program object property in addition to being defined to perform additional processing of a resource identifier associated with the invocation of the standard web object model program object property.

Abstract: This patent document describes technology for providing real-time messaging and entity update services in a distributed proxy server network, such as a CDN. Uses include distributing real-time notifications about updates to data stored in and delivered by the network, with both high efficiency and locality of latency. The technology can be integrated into conventional caching proxy servers providing HTTP services, thereby leveraging their existing footprint in the Internet, their existing overlay network topologies and architectures, and their integration with existing traffic management components.

Abstract: A method of delivering dynamic web content by a proxy server is disclosed. A plurality of responses to requests for dynamic web content at a URL (uniform resource locator) is prefetched by a proxy server from an origin server. The plurality of prefetched responses is cached by the proxy server in a one-time cache, wherein each prefetched response cached in the one-time cache is served at most once and then removed from the one-time cache. A request from a client device for the dynamic web content at the URL is received by the proxy server. One of the plurality of prefetched responses cached in the one-time cache is served by the proxy server to the client device, wherein the one of the plurality of prefetched responses is removed from the one-time cache after the one of the plurality of prefetched responses has been served.

Abstract: A resource identifier to be encoded dynamically upon detection of a triggering event is identified. The resource identifier is allowed to remain not encoded prior to detection of the triggering event. The triggering event that will cause the resource identifier to be consumed by a web browser is detected. In response to detecting the triggering event, the resource identifier is encoded, and an encoded version of the resource identifier is provided for consumption by the web browser.

Abstract: This document describes among other things, network security systems that incorporate a feedback loop so as to automatically and dynamically adjust the scope of network traffic that is subject to inspection. Risky traffic can be sent for inspection; risky traffic that is demonstrated to have high rate of threats can be outright blocked without further inspection; traffic that is causing errors due to protocol incompatibility or should not be inspected for regulatory or other reasons can be flagged so it bypasses the security inspection system. The system can operate on a domain by domain basis, IP address basis, or otherwise.

Abstract: This document describes systems, methods and apparatus for locating an object and/or processed versions of that object in a CDN cache system. When a CDN server needs to send a forward request to an origin server to retrieve an object, the CDN server can append a ‘cache hint’ (sometimes referred to herein as a pointer or as ‘reverse cookie’) to its request. The cache hint preferably includes information that will be stored at the origin server and provided to other CDN servers that subsequently ask for the same object. Preferably the information is a pointer that will enable the object to be located within the CDN and/or enable the location of modified version of the object that have already been created and stored within the CDN.

Abstract: Among other things, this document describes systems, methods and devices for performance testing and dynamic placement of computing tasks in a distributed computing environment. In embodiments, a given client request is forwarded up a hierarchy of nodes, or across tiers in the hierarchy. A particular computing node in the system self-determines to perform a computing task to generate (or help generate) particular content for a response to the client. The computing node injects its identifier into the response indicating that it performed those tasks; the identifier is transmitted to the client with particular content. The client runs code that assesses the performance of the system from the client's perspective, e.g., in servicing the request, and beacons this performance data, along with the aforementioned identifier, to a system intelligence component. The performance information may be used to dynamically place and improve the placement of the computing task(s).

Abstract: This document describes, among other things, security hardening techniques that guard against certain client-side attack vectors. These techniques generally involve the use of an intermediary that detects and handles identity service transactions on behalf of a client. In one embodiment, the intermediary establishes a resource domain session with the client in order to provide the client with desired resource domain content or services from a resource domain host. The intermediary detects when the resource domain host invokes a federated identity service as a condition of client access. The intermediary handles the identity transaction in the identity domain on behalf of the client within the client's resource domain session. Upon successful authentication and/or authorization with an IdP, the intermediary connects the results of the identity services domain transaction to the resource domain.

Abstract: Among other things, this document describes systems, devices, and methods for executing rules in an application layer firewall, including in particular a web application firewall (WAF). An application layer firewall engine employs symbolic execution techniques that result in improved performance and efficiency. In preferred embodiments, an arbitrary firewall rule can be pre-processed to discover and define a set of one or more properties that an input must have in order for the input to have the potential to trigger the rule. By quickly examining an input for these properties, then application layer firewall can conclude that the input cannot trigger and therefore skip full execution of the rule against the input. This can be repeated for many if not all rules in a firewall ruleset. When a high proportion of the inputs have the required properties for rule-skipping, performance can be dramatically improved.

Abstract: A method of detecting bots, preferably in an operating environment supported by a content delivery network (CDN) that comprises a shared infrastructure of distributed edge servers from which CDN customer content is delivered to requesting end users (clients). The method begins as clients interact with the edge servers. As such interactions occur, transaction data is collected. The transaction data is mined against a set of “primitive” or “compound” features sets to generate a database of information. In particular, preferably the database comprises one or more data structures, wherein a given data structure associates a feature value with its relative percentage occurrence across the collected transaction data. Thereafter, and upon receipt of a new transaction request, primitive or compound feature set data derived from the new transaction request are compared against the database. Based on the comparison, an end user client associated with the new transaction request is then characterized, e.g.

Abstract: Radix trees and other trees use memory inefficiently when storing key-value associations with ‘or’ conditions. Their function can be optimized by using multiple key field trees, each corresponding to a key field, which is typically a character (or group thereof) in a string input key. The tree for the final key field has nodes with the output values, and these are annotated to identify, for each output value, the valid key field values from prior key fields. To execute a lookup, each key field tree is traversed to find a matching key field value. The final key field tree is traversed to reach one or more output values; then the previously determined key field values are compared against the valid key field values to determine if there is a match for a particular output value. The matched and valid key field values can be expressed in encoded form.

Abstract: Described in this document, among other things, is an overload protection system that can protect data sinks from overload by controlling the volume of data sent to those data sinks in a fine-grained manner. The protection system preferably sits in between edge servers, or other producers of data, and data sinks that will receive some or all of the data. Preferably, each data sink owner defines a policy to control how and when overload protection will be applied. Each policy can include definitions of how to monitor the stream of data for overload and specify one or more conditions upon which throttling actions are necessary. In embodiments, a policy can contain a multi-part specification to identify the class(es) of traffic to monitor to see if the conditions have been triggered.

Abstract: The techniques herein provide for enhanced overlay network-based transport of traffic, such as IPsec traffic, e.g., to and from customer branch office locations, facilitated through the use of the Internet-based overlay routing infrastructure. This disclosure describes a method of providing integrity protection for traffic on the overlay network.

Abstract: Generally, aspects of the invention involve creating a data structure (a map) that reflects routing of Internet traffic to Anycast prefixes. Assume, for example, that each Anycast prefix is associated with two or more deployments (Points of Presence or PoPs) that can provide a service such as DNS, content delivery (e.g., via proxy servers, as in a CDN), distributed network storage, compute, or otherwise. The map is built in such a way as to identify portions of the Internet (e.g., in IP address space) that are consistently routed with one another, i.e., always to the same PoP as one another, regardless of how the Anycast prefixes are deployed. Aspects of the invention also involve the use of this map, once created. The map can be applied in a variety of ways to assist and/or improve the operation of Anycast deployments and thus represents an improvement to computer networking technology.

Abstract: A method of bot detection in a computer network leverages a machine learning system. The machine learning system receives a fingerprint derived at a server, the server having extracted a set of transport layer security parameters received from a client and processed the set parameters into the fingerprint. Based at least in part on the fingerprint, the learning system determines whether the client is likely to be a bot as opposed to a human user. The system generates and returns to the server as score having a first value when the fingerprint is determined to be associated with a good client, and having a second value when the fingerprint is determined to be associated with a bot. Based on the score received from the machine learning system, the server takes a configured action with respect to the client.