Abstract: Among other things, this document describes systems, devices, and methods for improving the delivery and performance of web pages authored to produce virtual reality (VR) or augmented reality (AR) experiences. In some embodiments, such web pages are analyzed. This analysis may be initiated at the request of a content server that receives a client request for the HTML. The analysis may involve, asynchronous to the client request, loading the page into a non-user-facing browser environment and allowing the VR or AR scene to execute, even including executing animation routines for a predetermined period of time. Certain characteristics of the scene and of objects are thereby captured. Based on this information, an object list ordered by loading priority is prepared. Consulting this information in response to subsequent requests for the page, a content server can implement server push, early hints and/or other delivery enhancements.

Abstract: A high-performance distributed ledger and transaction computing network fabric over which large numbers of transactions (involving the transformation, conversion or transfer of information or value) are processed concurrently in a scalable, reliable, secure and efficient manner. In one embodiment, the computing network fabric or “core” is configured to support a distributed blockchain network that organizes data in a manner that allows communication, processing and storage of blocks of the chain to be performed concurrently, with little synchronization, at very high performance and low latency, even when the transactions themselves originate from distant sources. This data organization relies on segmenting a transaction space within autonomous but cooperating computing nodes that are configured as a processing mesh. Each computing node typically is functionally-equivalent to all other nodes in the core.

Abstract: A service consumer that utilizes a cloud-based access service provided by a service provider has associated therewith a network that is not capable of being controlled by the service provider. An enterprise connector is supported in this uncontrolled network, preferably as an appliance-based solution. According to this disclosure, the enterprise configures an appliance and then deploys it in the uncontrolled network. To this end, an appliance is required to proceed through a multi-stage approval protocol before it is accepted as a “connector” and is thus enabled for secure communication with the service provider. The multiple stages include a “first contact” (back to the service) stage, an undergoing approval stage, a re-generating identity material stage, and a final approved and configured stage. Unless the appliance passes through these stages, the appliance is not permitted to interact with the service as a connector.

Abstract: An overlay network is augmented to provide more efficient data storage by processing a dataset of high dimension into an equivalent dataset of lower dimension, wherein the data reduction reduces the amount of actual physical data but not necessarily its informational value. Data to be processed (dimensionally-reduced) is received by an ingestion layer and supplied to a learning-based storage reduction application that implements the data reduction technique. The application applies a data reduction algorithm and stores the resulting dimensionally-reduced data sets in the native data storage or third party cloud. To recover the original higher-dimensional data, an associated reverse algorithm is implemented. In general, the application coverts an N dimensional data set to a K dimensional data set, where K<<N. The N dimensional dataset has a high dimension, and the K dimensional dataset has a low dimension.

Abstract: Transaction handling computing elements comprise a network core that processes transaction requests into a blockchain, wherein a data block is a collection of transactions, and wherein an Unspent Transaction Output (UTXO) supporting the blockchain is an output from a finalized transaction. The elements interoperate with a transaction signing mechanism that associates a set of addresses on the blockchain with a delegate address, the delegate address having a set of signing public keys corresponding to one or more signing private keys used to sign UTXOs. In association with a new transaction being processed by the set of transaction handling components, a signing public key for an associated UXTO is located by following an address chain that includes an address in the set of addresses together with the delegate address. The signing public key is retrieved from a location associated with the delegate address and then used to sign (unlock) the associated UXTO.

Abstract: This disclosure describes a technique to determine whether a client computing device accessing an API is masquerading its device type (i.e., pretending to be a device that it is not). To this end, and according to this disclosure, the client performs certain processing requested by the server to reveal its actual processing capabilities and thereby its true device type, whereupon—once the server learns the true nature of the client device—it can take appropriate actions to mitigate or prevent further damage. To this end, during the API transaction the server returns information to the client device that causes the client device to perform certain computations or actions. The resulting activity is captured on the client computing and then transmitted back to the server, which then analyzes the data to inform its decision about the true client device type.

Abstract: Improved technology for managing the caching of objects that are rarely requested by clients. A cache system can be configured to assess a class of objects (such as objects associated with a particular domain) for cacheability, based on traffic observations. If the maximum possible cache offloading for the class of objects falls below a threshold level, which indicates a high proportion of non-cacheable or “single-hitter” content, then cache admission logic is configured to admit objects only after multiple clients requests during a time period (usually the object's time in cache, or eviction age). Otherwise, the cache admission logic may operate to admit objects to the cache after the first client request, assuming the object meets cacheability criteria. The technological improvements disclosed herein can be used to improve cache utilization, for example by preventing single-hitter objects from pushing out multi-hit objects (the objects that get hits after being added to cache).

Abstract: A method for dynamic and extensible creation of an extensible wireless network, using a set of drones that individually support server processes. The drones interact with one another, exchanging information, type of coverage, type and amount of throughput, location, etc. A control node connects to a wired network. The node operates a leader election protocol, captures state information from the drones, and positions/re-positions the drones as necessary. Drones are flown in to position and then engaged as necessary to stretch/adapt the coverage as necessary. The drone's power utilization is monitored and its coverage area modified as necessary to optimize power utilization. The control node performs drone-based coverage/power utilization computations, and attempts to apply the appropriate location assignments to provide maximum network coverage (extensibility) while also preserving drone-specific power (battery) utilization.

Abstract: A high-performance distributed ledger and transaction computing network fabric over which large numbers of transactions are processed concurrently in a scalable, reliable, secure and efficient manner. In one embodiment, the computing network core is configured to support a distributed blockchain network that organizes data in a manner that allows communication, processing and storage of blocks of the chain to be performed concurrently at very high performance and low latency, even when the transactions themselves originate from distant sources. This data organization relies on segmenting a transaction space within autonomous but cooperating computing nodes that are configured as a processing mesh. The system also provides for confidence-based consensus. A configuration system is provided to enable configuration updates to be securely implemented across various subsets of the computing nodes.

Abstract: A system for enterprise collaboration is associated with an overlay network, such as a content delivery network (CDN). The overlay network comprises machines capable of ingress, forwarding and broadcasting traffic, together with a mapping infrastructure. The system comprises a front-end application, a back-end application, and set of one or more APIs through which the front-end application interacts with the back-end application. The front-end application is a web or mobile application component that provides one or more collaboration functions. The back-end application comprises a signaling component that maintains state information about each participant in a collaboration, a connectivity component that manages connections routed through the overlay network, and a multiplexing component that manages a multi-peer collaboration session to enable an end user peer to access other peers' media streams through the overlay network rather than directly from another peer.

Abstract: Stream-based data deduplication is provided in a multi-tenant shared infrastructure but without requiring “paired” endpoints having synchronized data dictionaries. Data objects processed by the dedupe functionality are treated as objects that can be fetched as needed. As such, a decoding peer does not need to maintain a symmetric library for the origin. Rather, if the peer does not have the chunks in cache that it needs, it follows a conventional content delivery network procedure to retrieve them. In this way, if dictionaries between pairs of sending and receiving peers are out-of-sync, relevant sections are then re-synchronized on-demand. The approach does not require that libraries maintained at a particular pair of sender and receiving peers are the same. Rather, the technique enables a peer, in effect, to “backfill” its dictionary on-the-fly. On-the-wire compression techniques are provided to reduce the amount of data transmitted between the peers.

Abstract: A method of delivering location-specific content by a content processing server is disclosed. A request for web content is received by the content processing server. A location of an originator of the received request for web content is identified. A local proxy server is selected based on the identified location of the originator of the received request for web content. The web content is requested via the selected local proxy server. Location-specific web content from the content provider is received via the selected local proxy server. The received local-specific web content is sent to the originator of the received request in response to the received request.

Abstract: A technique to cache content securely within edge network environments, even within portions of that network that might be considered less secure than what a customer desires, while still providing the acceleration and off-loading benefits of the edge network. The approach ensures that customer confidential data (whether content, keys, etc.) are not exposed either in transit or at rest. In this approach, only encrypted copies of the customer's content objects are maintained within the portion of the edge network, but without any need to manage the encryption keys. To take full advantage of the secure content caching technique, preferably the encrypted content (or portions thereof) are pre-positioned within the edge network portion to improve performance of secure content delivery from the environment.

Abstract: An account protection service to prevent user login or other protected endpoint request abuse. In one embodiment, the service collects user recognition data, preferably for each login attempt (e.g. data about the connection, session, and other relevant context), and it constructs a true user profile for each such user over time, preferably using the recognition data from successful logins. The profile evolves as additional recognition data is collected from successful logins. The profile is a model of what the user “looks like” to the system. For a subsequent login attempt, the system then calculates a true user score. This score represents how well the current user recognition data matches the model represented by the true user profile. The user recognition service is used to drive policy decisions and enforcement capabilities. Preferably, user recognition works in association with bot detection in a combined solution.

Abstract: This document describes systems, devices, and methods for testing the integration of a content provider's origin infrastructure with a content delivery network (CDN). In embodiments, the teachings hereof enable a content provider's developer to rapidly and flexibly create test environments that send test traffic through the same CDN hardware and software that handle (or at least have the ability to handle) production traffic, but in isolation from that production traffic and from each other. Furthermore, in embodiments, the teachings hereof enable the content provider to specify an arbitrary test origin behind its corporate firewall with which the CDN should communicate.

Abstract: Described in this document, among other things, is an overload protection system that can protect data sinks from overload by controlling the volume of data sent to those data sinks in a fine-grained manner. The protection system preferably sits in between edge servers, or other producers of data, and data sinks that will receive some or all of the data. Preferably, each data sink owner defines a policy to control how and when overload protection will be applied. Each policy can include definitions of how to monitor the stream of data for overload and specify one or more conditions upon which throttling actions are necessary. In embodiments, a policy can contain a multi-part specification to identify the class(es) of traffic to monitor to see if the conditions have been triggered.

Abstract: A technique to cache content securely within edge network environments, even within portions of that network that might be considered less secure than what a customer desires, while still providing the acceleration and off-loading benefits of the edge network. The approach ensures that customer confidential data (whether content, keys, etc.) are not exposed either in transit or at rest. In this approach, only encrypted copies of the customer's content objects are maintained within the portion of the edge network, but without any need to manage the encryption keys. To take full advantage of the secure content caching technique, preferably the encrypted content (or portions thereof) are pre-positioned within the edge network portion to improve performance of secure content delivery from the environment.

Abstract: An entity can disseminate nonces by introducing them into various aspects of network traffic, and then listening for them, thereby detecting eavesdroppers on the Internet. A nonce may be numeric, alphanumeric, or otherwise; nonces are contextually appropriate to how they are disseminated. Preferably, a nonce is disseminated by incorporating it into some aspect of network traffic. For example, a nonce can be placed in a network identifier such as an IP address or domain name label. Correlating the circumstances under which the nonce was disseminated and under which it was observed to “propagate”, intelligence about who is eavesdropping on what portions of the Internet can be derived. Such intelligence can be put to many uses, including reporting on eavesdroppers, routing traffic around eavesdroppers, developing reputation scores, and adopting enhanced obfuscation/privacy/security techniques.

Abstract: A multi-factor authentication scheme uses an MFA authentication service and a browser extensionless phish-proof method to facilitate an MFA workflow. Phish-proof MFA verifies that the browser the user is in front of is actually visiting the authentic (real) site and not a phished site. This achieved by only allowing MFA to be initiated from a user trusted browser by verifying its authenticity through a signing operation using a key only it possesses, and then also verifying that the verified browser is visiting the authentic site. In a preferred embodiment, this latter check is carried out using an iframe postMessage owning domain check. In a variant embodiment, the browser is verified to be visiting the authentic site through an origin header check. By using the iframe-based or ORIGIN header-based check, the solution does not require a physical security key (such as a USB authenticator) or any browser extension or plug-in.

Abstract: A set of transaction handling computing elements comprise a network core that receive and process transaction requests into an append-only immutable chain of data blocks, wherein a data block is a collection of transactions, and wherein an Unspent Transaction Output (UTXO) data structure supporting the immutable chain of data blocks is an output from a finalized transaction. Typically, the UTXO data structure consists essentially of an address and a value. In this approach, at least one UTXO data structure is configured to include information either in addition to or in lieu of the address and value, thereby defining a Transaction Output (TXO). A TXO may have a variety of types, and one type includes an attribute that encodes data. In response to receipt of a request to process a transaction, the set of transaction handling computing elements are executed to process the transaction into a block using at least the information in the TXO.