Abstract: An overlay network platform facilitates a multi-party conference. End users participate in the conference using client-based web browser software. According to this disclosure, an enhanced “audio” experience for a user participating in the conference is provided by rendering different participants' audio in the conference at different positions in a three-dimensional (3D) space. In operation, and given a set of audio streams that comprise the conference and that are being received, a three-dimensional (3D) position for each audio stream in a 3D soundscape is computed. In one embodiment, the 3D position for each audio stream is computed by identifying a target area region of space, and then determining the 3D position for each stream in the target area region of space. The relative 3D positions may be determined based on contextual information related to the content of an audio stream, as well as a computed “relevance” of one stream versus another.

Abstract: Enable a CDN server to potentially go forward to any of multiple candidate servers (or other infrastructure) to retrieve a client-requested object, based on periodic testing of such candidate servers or infrastructure for cache hits and network latency (among other things), and scoring thereof. Such candidate servers or infrastructure represent alternative places to get the object. Importantly, a candidate may be a server or infrastructure owned and/or operated by another CDN, including a CDN industry competitor, and may be discovered in a preliminary process that involves detection of multi-CDN arrangements on the Internet where the foregoing approach may be viable.

Abstract: Among other things, this document describes systems, methods and devices for discovering and identifying client devices that attempt to access out-of-policy network services via a secure web gateway (or other network security gateway) that lacks visibility into the client network actual IP space. This is a common problem with cloud hosted SWG services that enforce access policy from outside of a customer network (e.g., external to an enterprise network), due to network address translation at the interface between the customer network and the public Internet where the cloud-hosted SWG resides. The teachings hereof address this problem. In one embodiment, a cloud hosted SWG can redirect a client to a bouncer device inside the customer network; that bouncer device can capture the actual client IP address.

Abstract: This document describes, among other things, security hardening techniques that guard against certain client-side attack vectors. These techniques generally involve the use of an intermediary that detects and handles identity service transactions on behalf of a client. In one embodiment, the intermediary establishes a resource domain session with the client in order to provide the client with desired resource domain content or services from a resource domain host. The intermediary detects when the resource domain host invokes a federated identity service as a condition of client access. The intermediary handles the identity transaction in the identity domain on behalf of the client within the client's resource domain session. Upon successful authentication and/or authorization with an IdP, the intermediary connects the results of the identity services domain transaction to the resource domain.

Abstract: This disclosure describes a technique to determine whether a client computing device accessing an API is masquerading its device type (i.e., pretending to be a device that it is not). To this end, and according to this disclosure, the client performs certain processing requested by the server to reveal its actual processing capabilities and thereby its true device type, whereupon—once the server learns the true nature of the client device—it can take appropriate actions to mitigate or prevent further damage. To this end, during the API transaction the server returns information to the client device that causes the client device to perform certain computations or actions. The resulting activity is captured on the client computing and then transmitted back to the server, which then analyzes the data to inform its decision about the true client device type.

Abstract: A server-side technique to detect and mitigate client-side content filtering, such as ad blocking. In operation, the technique operates on a server-side of a client-server communication path to provide real-time detect the existence of a client filter (e.g., an ad blocker plug-in) through transparent request exchanges, and then to mitigate (defeat) that filter through one or operations designed to modify the HTML response body or otherwise obscure URLs. Preferably, the publisher (the CDN customer) defines one or more criteria of the page resources being served by the overlay (CDN) and that need to be protected against the client-side filtering.

Abstract: A method of detecting bots, preferably in an operating environment supported by a content delivery network (CDN) that comprises a shared infrastructure of distributed edge servers from which CDN customer content is delivered to requesting end users (clients). The method begins as clients interact with the edge servers. As such interactions occur, transaction data is collected. The transaction data is mined against a set of “primitive” or “compound” features sets to generate a database of information. In particular, preferably the database comprises one or more data structures, wherein a given data structure associates a feature value with its relative percentage occurrence across the collected transaction data. Thereafter, and upon receipt of a new transaction request, primitive or compound feature set data derived from the new transaction request are compared against the database. Based on the comparison, an end user client associated with the new transaction request is then characterized, e.g.

Abstract: Among other things, this document describes systems, devices, and methods for improving the delivery of resources embedded on a web page. In one embodiment, a content delivery network analyzes markup language documents that clients have requested to embedded resources, such as linked references to images, scripts, fonts, cascading style sheets, or other types of content. This analysis may be conducted on the content server and/or asynchronously, in a dedicated analytical environment, to produce delivery instructions. Where embedded resources have hostnames for which the content delivery network is authoritative, and where certain conditions are met, servers can be instructed to push additional certificates for such hostnames over the primary connection. When embedded resources have hostnames for which the platform is not authoritative, and where certain conditions are met, servers can be instructed to pre-fetch and push such resources with a signature from the authoritative origin.

Abstract: A system for enterprise collaboration is associated with an overlay network, such as a content delivery network (CDN). The overlay network comprises machines capable of ingress, forwarding and broadcasting traffic, together with a mapping infrastructure. The system comprises a front-end application, a back-end application, and set of one or more APIs through which the front-end application interacts with the back-end application. The front-end application is a web or mobile application component that provides one or more collaboration functions. The back-end application comprises a signaling component that maintains state information about each participant in a collaboration, a connectivity component that manages connections routed through the overlay network, and a multiplexing component that manages a multi-peer collaboration session to enable an end user peer to access other peers' media streams through the overlay network rather than directly from another peer.

Abstract: This patent document describes, among other things, methods and systems for determining which if any page resources a server might push to a client (using, e.g., an HTTP 2.0 server push mechanism). The approaches described herein improve web page load times by pushing page resources that a client is likely to need to render the base page, while reducing wasteful server pushes of resources that the client is unlikely to request from the server because, for example, they are already cached at the client.

Abstract: An overlay network is enhanced to provide traffic delivery using anycast and end user mapping. An anycast IP address is associated with sets of forwarding machines positioned in the overlay network. These locations correspond with IP addresses for zero rated billing traffic. In response to receipt at a forwarding machine of a packet, the machine issues an end user mapping request to the mapping mechanism. The mapping request has an IP address associated with the client from which the end user request originates. The mapping mechanism resolves the request and provides a response to the request. The response is an IP address associated with a set of server machines distinct from the forwarding machine. The forwarding machine encapsulates the packet and proxies the connection to the identified server. The server receives the connection, decapsulates the request, and processes the packet. The server machine responds to the requesting client directly.

Abstract: Described in this document, among other things, is an overload protection system that can protect data sinks from overload by controlling the volume of data sent to those data sinks in a fine-grained manner. The protection system preferably sits in between edge servers, or other producers of data, and data sinks that will receive some or all of the data. Preferably, each data sink owner defines a policy to control how and when overload protection will be applied. Each policy can include definitions of how to monitor the stream of data for overload and specify one or more conditions upon which traffic shaping actions are necessary. In embodiments, a policy can contain a multi-part specification to identify the class(es) of traffic to monitor to see if the conditions have been triggered.

Abstract: Methods and systems for malicious non-human user detection on computing devices are described. The method includes collecting, by a processing device, raw data corresponding to a user action, converting, by the processing device, the raw data to features, wherein the features represent characteristics of a human user or a malicious code acting as if it were the human user, and comparing, by the processing device, at least one of the features against a corresponding portion of a characteristic model to differentiate the human user from the malicious code acting as if it were the human user.

Abstract: This patent document describes, among other things, methods, apparatus, and systems for tracking those resources that a server has pushed to a client, e.g., using the HTTP 2.0 or other server push mechanism. Pushed resources may be cached at the client. By tracking such pushed resources, a server can avoid pushing such cached resources in response to subsequent requests from that client; doing so would be wasteful if the client already has the resource cached. Among other things, techniques for storing, encoding, organizing, and managing data about pushed resources in cookies are disclosed.

Abstract: Described herein are—among other things—systems, methods, and apparatus for accelerating and increasing the reliability of content delivery by serving objects redundantly over multiple paths from multiple servers. In preferred embodiments, the decision to use such multipath delivery is made on the server side. A content server can modify or generate a given web page so as to invoke multipath, e.g., by injecting markup language directives and/or script instructions that will cause the client device to make multiple requests for a given object on the page. Preferably the multiple requests are made to separate content servers in separate points of presence. The teachings hereof may be advantageously implemented, without limitation, in intermediary servers such as caching proxy servers and/or in origin servers.

Abstract: A plurality of WiFi-enabled devices that are physically proximate to one another form an ad hoc mesh network, which is associated with an overlay network, such as a content delivery network. A typical WiFi device is a WiFi router that comprises addressable data storage, together with control software operative to configure the device seamlessly into the WiFi mesh network formed by the device and one or more physically-proximate devices. The addressable data storage across multiple such devices comprises a distributed or “mesh-assisted” cache that is managed by the overly network. The WiFi mesh network thus provides bandwidth that is leveraged by the overlay network to provide distribution of content, e.g., content that has been off-loaded for delivery (by content providers) to the CDN. Other devices that may be leveraged include set-top boxes and IPTV devices.

Abstract: Among other things, this document describes systems, devices, and methods for improving the delivery and performance of web pages authored to produce virtual reality (VR) or augmented reality (AR) experiences. In some embodiments, such web pages are analyzed. This analysis may be initiated at the request of a content server that receives a client request for the HTML. The analysis may involve, asynchronous to the client request, loading the page into a non-user-facing browser environment and allowing the VR or AR scene to execute, even including executing animation routines for a predetermined period of time. Certain characteristics of the scene and of objects are thereby captured. Based on this information, an object list ordered by loading priority is prepared. Consulting this information in response to subsequent requests for the page, a content server can implement server push, early hints and/or other delivery enhancements.

Abstract: Stream-based data deduplication is provided in a multi-tenant shared infrastructure but without requiring “paired” endpoints having synchronized data dictionaries. Data objects processed by the dedupe functionality are treated as objects that can be fetched as needed. As such, a decoding peer does not need to maintain a symmetric library for the origin. Rather, if the peer does not have the chunks in cache that it needs, it follows a conventional content delivery network procedure to retrieve them. In this way, if dictionaries between pairs of sending and receiving peers are out-of-sync, relevant sections are then re-synchronized on-demand. The approach does not require that libraries maintained at a particular pair of sender and receiving peers are the same. Rather, the technique enables a peer, in effect, to “backfill” its dictionary on-the-fly. On-the-wire compression techniques are provided to reduce the amount of data transmitted between the peers.

Abstract: An infrastructure delivery platform provides a proxy service as an enhancement to the TLS/SSL protocol to off-load to an external server the generation of a digital signature, the digital signature being generated using a private key that would otherwise have to be maintained on a terminating server. Using this service, instead of digitally signing (using the private key) “locally,” the terminating server proxies given public portions of ephemeral key exchange material to the external server and receives, in response, a signature validating the terminating server is authorized to continue with the key exchange. In this manner, a private key used to generate the digital signature (or, more generally, to facilitate the key exchange) does not need to be stored in association with the terminating server. Rather, that private key is stored only at the external server, and there is no requirement for the pre-master secret to travel (on the wire).

Abstract: A content delivery network (CDN) is enhanced to enable mobile network operators (MNOs) to provide their mobile device users with a content prediction and pre-fetching service. Preferably, the CDN enables the service by providing infrastructure support comprising a client application, and a distributed predictive pre-fetching function. The client application executes in the user's mobile device and enables the device user to subscribe to content (e.g., video) from different websites, and to input viewing preferences for such content (e.g.: “Sports: MLB: Boston Red Sox”). This user subscription and preference information is sent to the predictive pre-fetching support function that is preferably implemented within or across CDN server clusters. A preferred implementation uses a centralized back-end infrastructure, together with front-end servers positioned in association with the edge server regions located nearby the mobile core network.