Patents Assigned to Akamai Technologies, Inc.
  • Publication number: 20200280606
    Abstract: Among other things, this document describes systems, methods and devices for performance testing and dynamic placement of computing tasks in a distributed computing environment. In embodiments, a given client request is forwarded up a hierarchy of nodes, or across tiers in the hierarchy. A particular computing node in the system self-determines to perform a computing task to generate (or help generate) particular content for a response to the client. The computing node injects its identifier into the response indicating that it performed those tasks; the identifier is transmitted to the client with particular content. The client runs code that assesses the performance of the system from the client's perspective, e.g., in servicing the request, and beacons this performance data, along with the aforementioned identifier, to a system intelligence component. The performance information may be used to dynamically place and improve the placement of the computing task(s).
    Type: Application
    Filed: March 1, 2019
    Publication date: September 3, 2020
    Applicant: Akamai Technologies, Inc.
    Inventor: Byung K. Choi
  • Patent number: 10764391
    Abstract: This document describes systems, methods and apparatus for locating an object and/or processed versions of that object in a CDN cache system. When a CDN server needs to send a forward request to an origin server to retrieve an object, the CDN server can append a ‘cache hint’ (sometimes referred to herein as a pointer or as ‘reverse cookie’) to its request. The cache hint preferably includes information that will be stored at the origin server and provided to other CDN servers that subsequently ask for the same object. Preferably the information is a pointer that will enable the object to be located within the CDN and/or enable the location of modified versions of the object that have already been created and stored within the CDN.
    Type: Grant
    Filed: September 14, 2017
    Date of Patent: September 1, 2020
    Assignee: Akamai Technologies, Inc.
    Inventor: Byung K. Choi
  • Patent number: 10764402
    Abstract: Among other things, this document describes systems, methods and devices for content delivery from a server to a client, and in particular using certain windows of time on the server side—during which little or no activity is expected from a client application—to perform operations that will improve the speed of content delivery.
    Type: Grant
    Filed: June 11, 2018
    Date of Patent: September 1, 2020
    Assignee: Akamai Technologies, Inc.
    Inventors: Utkarsh Goel, Moritz Steiner, Yoav Weiss
  • Patent number: 10754935
    Abstract: A non-transitory computer readable storage medium including instructions that, when executed by a computing system, cause the computing system to perform operations. The operations include collecting, by a processing device, raw data regarding a user action. The operations also include converting, by the processing device, the raw data to characteristic test data (CTD), wherein the CTD represents behavior characteristics of a current user. The operations also include identifying, by the processing device, a characteristic model corresponding to the behavior characteristics represented by the CTD. The operations also include generating, by the processing device, a predictor from a comparison of the CTD against the corresponding characteristic model, wherein the predictor comprises a score indicating a probability that the user action came from an authenticated user.
    Type: Grant
    Filed: June 19, 2017
    Date of Patent: August 25, 2020
    Assignee: Akamai Technologies, Inc.
    Inventor: Sreenath Kurupati
  • Publication number: 20200267184
    Abstract: Typically, clients request a service from a computer hosting multiple services by specifying a destination port number associated with the desired service. In embodiments, the functionality of such a host computer is enhanced by having it condition client access to services available at a particular port number based on client authentication and/or authorization. A host computer can change the service(s) available at a given port number on a client by client basis, enabling access to service(s) for trusted clients unavailable to untrusted clients. Preferably, client trust is based on client authentication via a certificate and a valid, signed transport layer security (TLS) handshake (or similar mechanism in other protocol contexts). In some embodiments, an authorization step can be added following authentication. The systems and methods disclosed herein find wide uses in bundling services on ports, as well as protecting access to services from untrusted and/or malicious clients, among others.
    Type: Application
    Filed: February 26, 2020
    Publication date: August 20, 2020
    Applicant: Akamai Technologies, Inc.
    Inventor: Simon E. Vera-Schockner
  • Patent number: 10747787
    Abstract: The web cookie data specifying a web cookie associated with an encoded domain is received. An identifier of an original domain corresponding to the encoded domain is determined. The web cookie data is stored in a stored web cookie in a manner that associates the web cookie data to the original domain but the stored web cookie is scoped to a domain scope that includes the encoded domain.
    Type: Grant
    Filed: January 12, 2017
    Date of Patent: August 18, 2020
    Assignee: Akamai Technologies, Inc.
    Inventors: Mehrdad Reshadi, Madhukar Kedlaya, Jasvir Nagra, Rajaram Gaunker
  • Patent number: 10742684
    Abstract: A shared computing infrastructure has associated therewith a portal application through which users access the infrastructure and provision one or more services, such as content storage and delivery. The portal comprises a security policy editor, a web-based configuration tool that is intended for use by customers to generate and apply security policies to their media content. The security policy editor provides the user the ability to create and manage security policies, to assign policies so created to desired media content and/or player components, and to view information regarding all of the customer's current policy assignments. The editor provides a unified interface to configure all media security services that are available to the CDN customer from a single interface, and to enable the configured security features to be promptly propagated and enforced throughout the overlay network infrastructure.
    Type: Grant
    Filed: October 16, 2017
    Date of Patent: August 11, 2020
    Assignee: Akamai Technologies, Inc.
    Inventors: Nicholas S. Brookins, Akinwale O. Olugbile, James A. Mutton
  • Patent number: 10742591
    Abstract: The disclosure is related to computer-implemented methods for domain name scoring. In one example, the method includes receiving a request to provide a reputation score of a domain name, receiving input data associated with the domain name, extracting a plurality of features from the input data and the domain name, generating a feature vector based on the plurality of features, and calculating the reputation score of the domain name by a machine-learning classifier based on a graph database, which includes feature vectors associated with at least a plurality of reference domain names, a plurality of servers, a plurality of domain name owners, and so forth. In another example, the method can calculate the reputation score by finding a similarity between the feature vector and one of domain name clusters in the graph database. The reputation score represents a probability that the domain name is associated with malicious activity.
    Type: Grant
    Filed: November 10, 2015
    Date of Patent: August 11, 2020
    Assignee: Akamai Technologies Inc.
    Inventors: Thanh Nguyen, Hongliang Liu, Ali Fakeri-Tabrizi, Mikael Kullberg, Paul O'Leary, Yuriy Yuzifovich, James Paugh, Robert S. Wilbourn
  • Patent number: 10742546
    Abstract: A traffic on-boarding method is operative at an acceleration server of an overlay network. It begins at the acceleration server when that server receives an assertion generated by an identity provider (IdP), the IdP having generated the assertion upon receiving an authentication request from a service provider (SP), the SP having generated the authentication request upon receiving from a client a request for a protected resource. The acceleration server receives the assertion and forwards it to the SP, which verifies the assertion and returns to the acceleration server a token, together with the protected resource. The acceleration server then returns a response to the requesting client that includes a version of the protected resource that points back to the acceleration server and not the SP. When the acceleration server then receives an additional request from the client, the acceleration server interacts with the service provider using an overlay network optimization.
    Type: Grant
    Filed: July 31, 2018
    Date of Patent: August 11, 2020
    Assignee: Akamai Technologies, Inc.
    Inventors: Andrew B. Ellis, Charles E. Gero, Andrew F. Champagne
  • Publication number: 20200252450
    Abstract: A high-performance distributed ledger and transaction computing network fabric over which large numbers of transactions (involving the transformation, conversion or transfer of information or value) are processed concurrently in a scalable, reliable, secure and efficient manner. In one embodiment, the computing network fabric or “core” is configured to support a distributed blockchain network that organizes data in a manner that allows communication, processing and storage of blocks of the chain to be performed concurrently, with little synchronization, at very high performance and low latency, even when the transactions themselves originate from distant sources. This data organization relies on segmenting a transaction space within autonomous but cooperating computing nodes that are configured as a processing mesh. According to an aspect of this disclosure, the CDN edge network is then used to deliver receipts associated with transactions that are processed into the blockchain.
    Type: Application
    Filed: April 20, 2020
    Publication date: August 6, 2020
    Applicant: Akamai Technologies, Inc.
    Inventors: David C. Carver, Andrew F. Champagne
  • Publication number: 20200236156
    Abstract: Among other things, this document describes systems, devices, and methods for using TLS session resumption tickets to store and manage information about objects that a server or a set of servers has previously delivered to a client and therefore that the client is likely to have in client-side cache. When communicated to a server later, this information can be used to drive server decisions about whether to push an object to a client, e.g., using an HTTP/2 server push function or the like, or whether to send an early hint to the client about an object.
    Type: Application
    Filed: January 24, 2020
    Publication date: July 23, 2020
    Applicant: Akamai Technologies, Inc.
    Inventors: Utkarsh Goel, Martin T. Flack, Stephen L. Ludin, Moritz M. Steiner
  • Publication number: 20200228566
    Abstract: A technique to slow down or block creation of automated attack scripts uses a detector configured to discriminate whether particular attack-like activity is a true attack, or simply a hacker “testing” an automated attack script, and then permitting any such test script to continue working (attacking) the site, albeit on a limited basis. In this manner, the hacker receives an indication that his or her automated attack script is already working. Thereafter, when the detector later detects a launch of an actual attack based on or otherwise associated with the automated attack script (previously under test), the attack fails either because the script was not a working script in the first instance, or because information learned about the script is used to adjust the site as necessary to then prepare adequately for a true attack.
    Type: Application
    Filed: March 23, 2020
    Publication date: July 16, 2020
    Applicant: Akamai Technologies, Inc.
    Inventors: Sreenath Kurupati, Sridhar Machiroutu, Prajakta Bhurke
  • Patent number: 10715548
    Abstract: This disclosure describes a technique to determine whether a client computing device accessing an API is masquerading its device type (i.e., pretending to be a device that it is not). To this end, and according to this disclosure, the client performs certain processing requested by the server to reveal its actual processing capabilities and thereby its true device type, whereupon—once the server learns the true nature of the client device—it can take appropriate actions to mitigate or prevent further damage. To this end, during the API transaction the server returns information to the client device that causes the client device to perform certain computations or actions. The resulting activity is captured on the client computing device and then transmitted back to the server, which then analyzes the data to inform its decision about the true client device type.
    Type: Grant
    Filed: October 16, 2017
    Date of Patent: July 14, 2020
    Assignee: Akamai Technologies, Inc.
    Inventor: Sreenath Kurupati
  • Patent number: 10708281
    Abstract: A method of detecting bots, preferably in an operating environment supported by a content delivery network (CDN) that comprises a shared infrastructure of distributed edge servers from which CDN customer content is delivered to requesting end users (clients). The method begins as clients interact with the edge servers. As such interactions occur, transaction data is collected. The transaction data is mined against a set of “primitive” or “compound” feature sets to generate a database of information. In particular, preferably the database comprises one or more data structures, wherein a given data structure associates a feature value with its relative percentage occurrence across the collected transaction data. Thereafter, and upon receipt of a new transaction request, primitive or compound feature set data derived from the new transaction request are compared against the database. Based on the comparison, an end user client associated with the new transaction request is then characterized, e.g.
    Type: Grant
    Filed: September 24, 2018
    Date of Patent: July 7, 2020
    Assignee: Akamai Technologies, Inc.
    Inventors: Venkata Sai Kishore Modalavalasa, Sreenath Kurupati, Tu Vuong
  • Patent number: 10698985
    Abstract: In a content protection scheme, and in response to a request for a content segment received by a server, the server generates and associates with the segment a message that confers entitlement to a session-specific key from which one or more decryption keys may be derived. The decryption keys are useful to decrypt the segment at runtime as it is about to be rendered by a player. Before delivery, the server encrypts the segment to generate an encrypted fragment, and it then serves the encrypted fragment (and the message) in response to the request. At the client, information in the message is used to obtain the session-specific key. Using that key, the decryption keys are derived, and those keys are then used to decrypt the received encrypted fragment. The decryption occurs at runtime. The approach protects content while in transit to and at rest in the client browser environment.
    Type: Grant
    Filed: March 28, 2017
    Date of Patent: June 30, 2020
    Assignee: Akamai Technologies, Inc.
    Inventors: Christopher R. Knox, Alex Olugbile
  • Patent number: 10700977
    Abstract: A technique that addresses the problem of a TCP connection's throughput being very vulnerable to early losses implements a pair of controls around ssthresh. A first control is a loss forgiveness mechanism that applies to the first n-loss events by the TCP connection. Generally, this mechanism prevents new TCP connections from ending slow-start and becoming conservative on window growth too early (which would otherwise occur due to the early losses). The second control is a self-decay mechanism that is applied beyond the first n-losses that are handled by the first control. This mechanism decouples ssthresh drop from cwnd and is thus useful in arresting otherwise steep ssthresh drops. The self-decay mechanism also enables TCP to enter/continue to be slow-start even after fast-recovery from a loss event.
    Type: Grant
    Filed: August 14, 2017
    Date of Patent: June 30, 2020
    Assignee: Akamai Technologies, Inc.
    Inventors: Manish Jain, Mangesh M. Kasbekar
  • Patent number: 10693834
    Abstract: A method for improving client subnet efficiency by equivalence class aggregation includes receiving a Domain Name System (DNS) query from a client, determining, based on predetermined class criteria, that the client is associated with an equivalency class, searching a cache associated with the equivalence class for an answer corresponding to the DNS query, and upon locating the answer, serving the answer to the client. If it is determined that the cache does not include the answer, the method proceeds with querying, by a recursive server, an authoritative server using client subnet data associated with the equivalence class, receiving the answer from the authoritative server, storing the answer to the cache associated with the equivalency class, and serving the answer to the client. The client subnet data may include a representative CIDR block, the representative CIDR block being used to make queries on behalf of all clients associated with the equivalence class.
    Type: Grant
    Filed: August 14, 2018
    Date of Patent: June 23, 2020
    Assignee: Akamai Technologies Inc
    Inventors: Robert Thomas Halley, Brian Wellington
  • Patent number: 10694005
    Abstract: This document describes, among other things, improved methods, systems, and apparatus for relaying packets on computer networks. Preferably, the relay function is accelerated at a host by implementing selected forwarding functions in hardware, such as the host's network interface card, while upper software layers at the host retain at least some access to the packet flow to handle more complex operations and/or monitoring. In a so-called “split TCP” arrangement, for example, a relay host terminates a first TCP connection from a given host and forwards packets on that connection to another given host on a second TCP connection. The relay host has a TCP forwarding table implemented at the device level, configurable by a relay management application running in the kernel or user-space. Special forwarding table modes may be used to enable full-TCP protocol support while also taking advantage of hardware acceleration.
    Type: Grant
    Filed: September 26, 2018
    Date of Patent: June 23, 2020
    Assignee: Akamai Technologies Inc.
    Inventor: Byung K. Choi
  • Publication number: 20200196210
    Abstract: Edge server compute capacity demand in an overlay network is predicted and used to pre-position compute capacity in advance of application-specific demands. Preferably, machine learning is used to proactively predict anticipated compute capacity needs for an edge server region (e.g., a set of co-located edge servers). In advance, compute capacity (application instances) are made available in-region, and data associated with an application instance is migrated to be close to the instance. The approach facilitates compute-at-the-edge services, which require data (state) to be close to a pre-positioned latency-sensitive application instance. Overlay network mapping (globally) may be used for more long-term positioning, with short-duration scheduling then being done in-region as needed. Compute instances and associated state are migrated intelligently based on predicted (e.g., machine-learned) demand, and with full data consistency enforced.
    Type: Application
    Filed: June 13, 2019
    Publication date: June 18, 2020
    Applicant: Akamai Technologies, Inc.
    Inventors: Vinay Kanitkar, Robert B. Bird, Aniruddha Bohra, Michael Merideth
  • Patent number: 10686818
    Abstract: Methods and systems for malicious non-human user detection on computing devices are described. The method includes collecting, by a processing device, raw data corresponding to a user action, converting, by the processing device, the raw data to features, wherein the features represent characteristics of a human user or a malicious code acting as if it were the human user, and comparing, by the processing device, at least one of the features against a corresponding portion of a characteristic model to differentiate the human user from the malicious code acting as if it were the human user.
    Type: Grant
    Filed: February 26, 2018
    Date of Patent: June 16, 2020
    Assignee: Akamai Technologies, Inc.
    Inventor: Sreenath Kurupati