Abstract: Techniques for preventing rendering content from content delivery network (CDN) to unauthorized users are described herein. In accordance with various embodiments, a CDN includes one or more processors and a non-transitory memory. The CDN receives a request from a client device for a media content item, where the request indicates an identifier of a client. The CDN further provisions an encrypted media content item corresponding to the media content item for the client, where at least a portion of the encrypted media content item is encrypted using at least one personalized key assigned to the client. The CDN also facilitates obtaining a manifest corresponding to the encrypted media content item, where the manifest specifies encryption metadata for retrieving the at least one personalized key by the client. The CDN additionally sends the encrypted media content item and the manifest to the client device.

Abstract: Techniques for zero-trust cloud deployment are described herein. In accordance with various embodiments, a device including a processor and a non-transitory memory derives a key from deployment metadata of a virtual machine, where the deployment metadata change with each deployment of the virtual machine. The device then encrypts secrets using the key to bind the key to the virtual machine. The device further deploys the virtual machine in a cloud using the deployment metadata, including loading the encrypted secrets to the deployed virtual machine in the cloud.

Abstract: Techniques for preventing rendering content from content delivery network (CDN) to unauthorized users are described herein. In accordance with various embodiments, a CDN includes one or more processors and a non-transitory memory. The CDN receives a request from a client device for a media content item, where the request indicates an identifier of a client. The CDN further provisions an encrypted media content item corresponding to the media content item for the client, where at least a portion of the encrypted media content item is encrypted using at least one personalized key assigned to the client. The CDN also facilitates obtaining a manifest corresponding to the encrypted media content item, where the manifest specifies encryption metadata for retrieving the at least one personalized key by the client. The CDN additionally sends the encrypted media content item and the manifest to the client device.

Abstract: Techniques for embedding secure feature selection at content delivery network (CDN) edge are described. In accordance with various embodiments, server(s) in a cloud receive from a client device a request for a media URL associated with a media asset. The server(s) identify feature state(s) associated with the client device and the media asset on a CDN edge node hosting the media asset. The server(s) then selectively generate a unique token or a common token specifying the feature state(s) before sending the media URL including the unique token or the common token to the client device. Upon receiving the media URL, the CDN edge node in an edge node with features deployed, determines whether the media URL causes a cache miss. Upon determining that the media URL causes the cache miss, the CDN edge node changes a feature state of a feature, applies the feature, and provides the media asset.

Abstract: Techniques for detection over-the-top piracy are described. In some embodiments, a piracy detection method is performed at a server by a piracy detector. The piracy detector obtains records associated with requests for access from a plurality of client devices. The piracy detector further distributes the records to a plurality of nodes according to distribution keys extracted from the records, where each of the plurality of nodes receives a respective set of records associated with a respective distribution key and generates a set of respective watch session records based on the respective set of records. The piracy detector also generates watch session records associated with the distribution keys by aggregating the respective watch session records from the plurality of nodes. The piracy detector additionally identifies one or more pirated client devices among the plurality of client devices based on clusters established from the watch session records.

Abstract: Techniques for server control of client authorization proof of possession are described herein. In various embodiments, a first server provisions client authorization proof of possession for a client device a real-world time, a client public key, and a client private key. The first server generates provisioning response message(s) including the client public key, the client private key, the real-world time, and/or an assertion object, and sends the message(s) to the client device. In various embodiments, a client device obtains an authorization proof token generated based on a client public key, a client private key, and a real-world time provisioned by a first server. The client device generates a request and sends the request to a second server, the request includes the authorization proof token and an assertion object from the first server signed by a server private key and an expiration time and a reference to the client public key.

Abstract: Techniques for server control of client authorization proof of possession are described herein. In various embodiments, a first server provisions client authorization proof of possession for a client device a real-world time, a client public key, and a client private key. The first server generates provisioning response message(s) including the client public key, the client private key, the real-world time, and/or an assertion object, and sends the message(s) to the client device. In various embodiments, a client device obtains an authorization proof token generated based on a client public key, a client private key, and a real-world time provisioned by a first server. The client device generates a request and sends the request to a second server, the request includes the authorization proof token and an assertion object from the first server signed by a server private key and an expiration time and a reference to the client public key.

Abstract: System, device, and method of adaptive network protection for managed Internet-of-Things (IoT) services. A network traffic monitoring unit monitors data traffic, operations-and-management traffic, and control messages, that relate to cellular communication between an IoT device and a core cellular network. An IoT grouping unit groups multiple IoT devices into a particular IoT group. A baseline behavior determination unit determines a Regular Baseline Cellular Communication Behavior (RBCCB) profile that characterizes the cellular communications that are outgoing from and incoming to each member of the particular IoT group. An outlier detector subsequently detects that a particular IoT device of that particular IoT group, exhibits cellular traffic characteristics that are abnormal relative to the RBCCB profile that was characterized for that particular IoT group.

Abstract: Techniques for detection over-the-top piracy are described. In some embodiments, a piracy detection method is performed at a server by a piracy detector. The piracy detector obtains records associated with requests for access from a plurality of client devices. The piracy detector further distributes the records to a plurality of nodes according to distribution keys extracted from the records, where each of the plurality of nodes receives a respective set of records associated with a respective distribution key and generates a set of respective watch session records based on the respective set of records. The piracy detector also generates watch session records associated with the distribution keys by aggregating the respective watch session records from the plurality of nodes. The piracy detector additionally identifies one or more pirated client devices among the plurality of client devices based on clusters established from the watch session records.

Abstract: Detecting, mitigating and isolating a Signaling Storm, particularly in 5G communication networks. A Control Plane signal probe is connected at a first network node located between a Radio Access Network and a 5G Core Network, to monitor control messages originating from 5G-capable devices. A User Plane signal probe is connected at a second network node located between the 5G Core Network and remote entities to which the 5G-capable devices are sending messages, to monitor control messages passing through the second network node. An Inventory Management sub-system stores data correlating between 5G-capable devices and IMSI numbers. A Protector Unit is configured to receive (i) data collected by the Control Plane signal probe, and (ii) data collected by the User Plane signal probe, and (iii) a subset of IMSI numbers. The Protector Unit performs Machine Learning analysis, and detects and quarantines particular 5G-capable devices that are compromised or malfunctioning.

Abstract: Method, device, and system for providing hot reservation for in-line deployed network functions with multiple network interfaces. A system includes a first Network Function (NF) unit, connected to an ingress router and to an egress router; and a second NF unit, connected to the ingress router and to the egress router. The first NF unit is initially configured as a controlling NF. The second NF unit is initially configured as a backup NF. The two NF units periodically exchange keep-alive messages via the two routers. The second NF unit, operating as the backup NF, automatically triggers a switchover if the second NF unit did not receive a keep-alive message from the first NF unit for at least a pre-defined time-period. Additionally or alternatively, the controlling NF initiates a switchover if the maintenance status parameters of the backup NF are better than those of the controlling NF.

Abstract: System, device, and method of adaptive network protection for managed Internet-of-Things (IoT) services. A network traffic monitoring unit monitors data traffic, operations-and-management traffic, and control messages, that relate to cellular communication between an IoT device and a core cellular network. An IoT grouping unit groups multiple IoT devices into a particular IoT group. A baseline behavior determination unit determines a Regular Baseline Cellular Communication Behavior (RBCCB) profile that characterizes the cellular communications that are outgoing from and incoming to each member of the particular IoT group. An outlier detector subsequently detects that a particular IoT device of that particular IoT group, exhibits cellular traffic characteristics that are abnormal relative to the RBCCB profile that was characterized for that particular IoT group.

Abstract: Method, device, and system for providing hot reservation for in-line deployed network functions with multiple network interfaces. A system includes a first Network Function (NF) unit, connected to an ingress router and to an egress router; and a second NF unit, connected to the ingress router and to the egress router. The first NF unit is initially configured as a controlling NF. The second NF unit is initially configured as a backup NF. The two NF units periodically exchange keep-alive messages via the two routers. The second NF unit, operating as the backup NF, automatically triggers a switchover if the second NF unit did not receive a keep-alive message from the first NF unit for at least a pre-defined time-period. Additionally or alternatively, the controlling NF initiates a switchover if the maintenance status parameters of the backup NF are better than those of the controlling NF.

Abstract: System, device, and method of adaptive network protection for managed Internet-of-Things (IoT) services. A network traffic monitoring unit monitors data traffic, operations-and-management traffic, and control messages, that relate to cellular communication between an IoT device and a core cellular network. An IoT grouping unit groups multiple IoT devices into a particular IoT group. A baseline behavior determination unit determines a Regular Baseline Cellular Communication Behavior (RBCCB) profile that characterizes the cellular communications that are outgoing from and incoming to each member of the particular IoT group. An outlier detector subsequently detects that a particular IoT device of that particular IoT group, exhibits cellular traffic characteristics that are abnormal relative to the RBCCB profile that was characterized for that particular IoT group.

Abstract: Method, device, and system for providing hot reservation for in-line deployed network functions with multiple network interfaces. A system includes a first Network Function (NF) unit, connected to an ingress router and to an egress router; and a second NF unit, connected to the ingress router and to the egress router. The first NF unit is initially configured as a controlling NF. The second NF unit is initially configured as a backup NF. The two NF units periodically exchange keep-alive messages via the two routers. The second NF unit, operating as the backup NF, automatically triggers a switchover if the second NF unit did not receive a keep-alive message from the first NF unit for at least a pre-defined time-period. Additionally or alternatively, the controlling NF initiates a switchover if the maintenance status parameters of the backup NF are better than those of the controlling NF.

Abstract: Detecting, mitigating and isolating a Signaling Storm, particularly in 5G communication networks. A Control Plane signal probe is connected at a first network node located between a Radio Access Network and a 5G Core Network, to monitor control messages originating from 5G-capable devices. A User Plane signal probe is connected at a second network node located between the 5G Core Network and remote entities to which the 5G-capable devices are sending messages, to monitor control messages passing through the second network node. An Inventory Management sub-system stores data correlating between 5G-capable devices and IMSI numbers. A Protector Unit is configured to receive (i) data collected by the Control Plane signal probe, and (ii) data collected by the User Plane signal probe, and (iii) a subset of IMSI numbers. The Protector Unit performs Machine Learning analysis, and detects and quarantines particular 5G-capable devices that are compromised or malfunctioning.

Abstract: System, device, and method of adaptive network protection for managed Internet-of-Things (IoT) services. A network traffic monitoring unit monitors data traffic, operations-and-management traffic, and control messages, that relate to cellular communication between an IoT device and a core cellular network. An IoT grouping unit groups multiple IoT devices into a particular IoT group. A baseline behavior determination unit determines a Regular Baseline Cellular Communication Behavior (RBCCB) profile that characterizes the cellular communications that are outgoing from and incoming to each member of the particular IoT group. An outlier detector subsequently detects that a particular IoT device of that particular IoT group, exhibits cellular traffic characteristics that are abnormal relative to the RBCCB profile that was characterized for that particular IoT group.

Abstract: A method of avoiding packet fragmentation. The method includes receiving a data packet belonging to a data connection, determining whether the received data packet was fragmented or determining whether the received data packet is expected to be fragmented on the way to its destination and registering the data connection of the received packet in a list of connections that carried packets that were fragmented or were expected to be fragmented.

Abstract: A method of creating a software wizard. The method involves receiving, by a computer, an instruction to create a wizard, displaying by the computer one or more forms, created before receiving the instruction to create the wizard, receiving by the computer one or more customization instructions of at least one of the displayed one or more forms and storing a file defining a wizard including the displayed one or more forms as customized by the one or more customization instructions.

Abstract: An improved caching method comprising: (a) employing circuitry to identify and analyze a plurality of data streams, each of said data streams resulting from a request to access a same content item stored in a cache; (b) calculating an initial access interval for said content item based upon said analyzing; and (c) adjusting a data transfer rate in at least one of said data streams in order to reduce said initial access interval to a reduced access interval.