Abstract: A method of enabling single sign-on (SSO) access to an application executing in an enterprise, wherein authorized, secure access to specific enterprise applications are facilitated via an enterprise-based connector. In response to successful authentication of an end user via a first authentication method, a credential associated with the successful authentication is encrypted to generate an encrypted user token. The encrypted user token is then forwarded for storage in a database accessible by the enterprise-based connector. Following a redirect (e.g., from a login server instance) that returns the end user to the enterprise-based connector, the encrypted user token is fetched and decrypted to recover the credential. The credential so recovered is then used to attempt to authenticate the user to an application via a second authentication method distinct from the first authentication method.

Abstract: Described in this document, among other things, is an overload protection system that can protect data sinks from overload by controlling the volume of data sent to those data sinks in a fine-grained manner. The protection system preferably sits in between edge servers, or other producers of data, and data sinks that will receive some or all of the data. Preferably, each data sink owner defines a policy to control how and when overload protection will be applied. Each policy can include definitions of how to monitor the stream of data for overload and specify one or more conditions upon which throttling actions are necessary. In embodiments, a policy can contain a multi-part specification to identify the class(es) of traffic to monitor to see if the conditions have been triggered.

Abstract: Among other things, this document describes systems, methods and devices for performance testing and dynamic placement of computing tasks in a distributed computing environment. In embodiments, a given client request is forwarded up a hierarchy of nodes, or across tiers in the hierarchy. A particular computing node in the system self-determines to perform a computing task to generate (or help generate) particular content for a response to the client. The computing node injects its identifier into the response indicating that it performed those tasks; the identifier is transmitted to the client with particular content. The client runs code that assesses the performance of the system from the client's perspective, e.g., in servicing the request, and beacons this performance data, along with the aforementioned identifier, to a system intelligence component. The performance information may be used to dynamically place and improve the placement of the computing task(s).

Abstract: This disclosure describes a bot detection system that leverages deep learning to facilitate bot detection and mitigation, and that works even when an attacker changes an attack script. The approach herein provides for a system that rapidly and automatically (without human intervention) retrains on new, updated or modified attack vectors.

Abstract: A technique to cache content securely within edge network environments, even within portions of that network that might be considered less secure than what a customer desires, while still providing the acceleration and off-loading benefits of the edge network. The approach ensures that customer confidential data (whether content, keys, etc.) are not exposed either in transit or at rest. In this approach, only encrypted copies of the customer's content objects are maintained within the portion of the edge network, but without any need to manage the encryption keys. To take full advantage of the secure content caching technique, preferably the encrypted content (or portions thereof) are pre-positioned within the edge network portion to improve performance of secure content delivery from the environment.

Abstract: A method of delivering a media stream in a network having first and second media servers each capable of delivering segmented media content to a requesting media client. The network provides for HTTP-based delivery of segmented media, and the media client is supported on a client-side device. The method begins by associating the media client with the first media server. As the first server receives from the media client request for media content segments, request times for a given number of the most-recent segments requested are used to generate a prediction, by the first server, of when the media client has transitioned from a start-up or buffering state, to a steady state. In response to a new segment request being received, and upon the first server predicting that the media client has completed a transition to steady state, the new segment request is redirected to the second media server.

Abstract: A technique to cache content securely within edge network environments, even within portions of that network that might be considered less secure than what a customer desires, while still providing the acceleration and off-loading benefits of the edge network. The approach ensures that customer confidential data (whether content, keys, etc.) are not exposed either in transit or at rest. In this approach, only encrypted copies of the customer's content objects are maintained within the portion of the edge network, but without any need to manage the encryption keys. To take full advantage of the secure content caching technique, preferably the encrypted content (or portions thereof) are pre-positioned within the edge network portion to improve performance of secure content delivery from the environment.

Abstract: This document describes marker based approaches for a CDN to monitor and report on the amount of traffic that it is serving on behalf of content providers. They are particularly useful in hybrid delivery scenarios. Hybrid delivery scenarios means that a client may obtain content, such as a given multimedia stream, from one or more servers in the CDN, or from one or more peers in a peer to peer network. The amount of data served from the peer network is referred to herein as the “offload”, as delivery of that data has been offloaded from the CDN platform.

Abstract: Processing a purge request is disclosed. In an embodiment, the purge request is received from a node, where the purge request is for a next purge instruction and the node has an associated queue of purge instruction(s) with associated timestamps. In response to receiving the purge request, providing an unprocessed purge instruction having a time stamp before a threshold time. After processing the purge instruction having a timestamp before the threshold time, processing the remaining purge instructions as follows: indicating an availability state of the node as transitional, storing a current time value as a reference time value, processing in chronological order those remaining purge instructions in the queue with a time value chronologically before the reference time value, and indicating an availability state of the node as available.

Abstract: Generally, aspects of the invention involve creating a data structure (a map) that reflects routing of Internet traffic to Anycast prefixes. Assume, for example, that each Anycast prefix is associated with two or more deployments (Points of Presence or PoPs) that can provide a service such as DNS, content delivery (e.g., via proxy servers, as in a CDN), distributed network storage, compute, or otherwise. The map is built in such a way as to identify portions of the Internet (e.g., in IP address space) that are consistently routed with one another, i.e., always to the same PoP as one another, regardless of how the Anycast prefixes are deployed. Aspects of the invention also involve the use of this map, once created. The map can be applied in a variety of ways to assist and/or improve the operation of Anycast deployments and thus represents an improvement to computer networking technology.

Abstract: Described herein are methods, apparatus and systems for selectively delivering content through one of two communication channels, one being origin to client and the other being from or through a CDN to client. Thus a client may choose to request content from a CDN and/or from an origin server. This disclosure sets forth techniques for, among other things, distinguishing between which channel to use for a given object, using the CDN-client channel to obtain the performance benefit of doing so, and reverting to the origin-client channel where content may be private, sensitive, corrupted, or otherwise considered to be unsuitable from delivery from and/or through the CDN.

Abstract: This document describes systems, methods and apparatus for locating an object and/or processed versions of that object in a CDN cache system. When a CDN server needs to send a forward request to an origin server to retrieve an object, the CDN server can append a ‘cache hint’ (sometimes referred to herein as a pointer or as ‘reverse cookie’) to its request. The cache hint preferably includes information that will be stored at the origin server and provided to other CDN servers that subsequently ask for the same object. Preferably the information is a pointer that will enable the object to be located within the CDN and/or enable the location of modified version of the object that have already been created and stored within the CDN.

Abstract: Radix trees and other trees use memory inefficiently when storing key-value associations with ‘or’ conditions. Their function can be optimized by using multiple key field trees, each corresponding to a key field, which is typically a character (or group thereof) in a string input key. The tree for the final key field has nodes with the output values, and these are annotated to identify, for each output value, the valid key field values from prior key fields. To execute a lookup, each key field tree is traversed to find a matching key field value. The final key field tree is traversed to reach one or more output values; then the previously determined key field values are compared against the valid key field values to determine if there is a match for a particular output value. The matched and valid key field values can be expressed in encoded form.

Abstract: Disclosed herein are systems, methods, and apparatus for performing a new kind of traceroute. This traceroute is referred to herein as a “reverse” traceroute, as it enables a given network node to determine the path of packets sent to it from another node. Preferably, an encapsulating tunnel between the two nodes is leveraged. Preferably, a given network node (“first node”) performs the reverse traceroute by sending encapsulated inner packets in the tunnel to another network node (“second node”). The second node reflects the inner packets back to the first node. Preferably, the inner packets are configured such that their IP header TTLs expire at intermediate nodes (such as routers), and such that the resulting error messages are reported to the first node. In this way, the first node obtains information about the topology of the network and the path taken by inbound packets.

Abstract: A non-transitory computer readable storage medium including instructions that, when executed by a computing system, cause the computing system to perform operations. The operations include collecting, by a processing device, raw data regarding a user action. The operations also include converting, by the processing device, the raw data to characteristic test data (CTD), wherein the CTD represents behavior characteristics of a current user. The operations also include identifying, by the processing device, a characteristic model corresponding to the behavior characteristics represented by the CTD. The operations also include generating, by the processing device, a predictor from a comparison of the CTD against the corresponding characteristic model, wherein the predictor comprises a score indicating a probability that the user action came from an authenticated user.

Abstract: The methods and system described herein automatically generate network router access control entities (ACEs) that are used to filter internet traffic and more specifically to block malicious traffic. The rules are generated by an ACE engine that processes incoming internet packets and examines existing ACEs and a statistical profile of the captured packets to produce one or more recommended ACEs with a quantified measure of confidence. Preferably, a recommended ACE is identified in real time of the attack, and preferably selected from a library of pre-authored ACEs. It is then deployed automatically or alternatively sent to system personnel for review and confirmation.

Abstract: A method for improving client subnet efficiency by equivalence class aggregation includes receiving a Domain Name System (DNS) query from a client, determining, based on predetermined class criteria, that the client is associated with an equivalency class, searching a cache associated with the equivalence class for an answer corresponding to the DNS query, and upon locating the answer, serving the answer to the client. If it is determined that the cache does not include the answer, the method proceeds with querying, by a recursive server, an authoritative server using client subnet data associated with the equivalence class, receiving the answer from the authoritative server, storing the answer to the cache associated with the equivalency class, and serving the answer to the client. The client subnet data may include a representative CIDR block, the representative CIDR block being used to make queries on behalf of all clients associated with the equivalence class.

Abstract: Stream delivery within a content delivery network (CDN) includes recording the stream using a recording tier, and playing the stream using a player tier. Recording begins when the stream is received in a source format. The stream is then converted into an intermediate format (IF), which comprises a stream manifest, one or more fragment indexes (FI), and a set of IF fragments. A player process begins when a requesting client is associated with a CDN HTTP proxy. In response to receipt at the proxy of a request for the stream, the HTTP proxy retrieves (either from the archive or the data store) the stream manifest and at least one fragment index. Using the fragment index, the IF fragments are retrieved to the HTTP proxy, converted to a target format, and then served in response to the client request. Preferably, fragments are accessed, cached and served by the proxy via HTTP.

Abstract: Enable a CDN server to potentially go forward to any of multiple candidate servers (or other infrastructure) to retrieve a client-requested object, based on periodic testing of such candidate servers or infrastructure for cache hits and network latency (among other things), and scoring thereof. Such candidate servers or infrastructure represent alternative places to get the object. Importantly, a candidate may be a server or infrastructure owned and/or operated by another CDN, including a CDN industry competitor, and may be discovered in a preliminary process that involves detection of multi-CDN arrangements on the Internet where the foregoing approach may be viable.

Abstract: Among other things, this document describes systems, methods and apparatus for identifying and mitigating network attacks, particularly botnet attacks and other volumetric attacks. In some embodiments, a distributed computing platform provides client-facing service endpoints and a request routing mechanism (request router or RR) directing clients to a particular service endpoint or cluster thereof to obtain a service. The state of the RR at a given time is communicated to enforcement points in the system, which may be cluster equipment, service endpoints, or other components. When client traffic arrives at a particular enforcement point it is checked for consistency with the RR's directions, referred to as ‘mapping consistency’. This information is incorporated into decisions about how to handle the packets from the client.