Abstract: A high-performance distributed ledger and transaction computing network fabric over which large numbers of transactions (involving the transformation, conversion or transfer of information or value) are processed concurrently in a scalable, reliable, secure and efficient manner. In one embodiment, the computing network fabric or “core” is configured to support a distributed blockchain network that organizes data in a manner that allows communication, processing and storage of blocks of the chain to be performed concurrently, with little synchronization, at very high performance and low latency, even when the transactions themselves originate from distant sources. This data organization relies on segmenting a transaction space within autonomous but cooperating computing nodes that are configured as a processing mesh. Each computing node typically is functionally-equivalent to all other nodes in the core.

Abstract: Among other things, this document describes systems, methods and devices for providing a cloud proxy auto-config (PAC) function for clients connected to a private network, such as an enterprise network. The teachings hereof are of particular use with cloud hosted proxy services provided by server deployments outside of the private network (e.g., external to the enterprise or other organizational network). This document also describes systems, methods and devices for providing a proxy auto-config (PAC) function for clients connected to a third party network, such as when the client moves outside of the enterprise network.

Abstract: Among other things, this document describes systems, methods and devices for providing a cloud proxy auto-config (PAC) function for clients connected to a private network, such as an enterprise network. The teachings hereof are of particular use with cloud hosted proxy services provided by server deployments outside of the private network (e.g., external to the enterprise or other organizational network). This document also describes systems, methods and devices for providing a proxy auto-config (PAC) function for clients connected to a third party network, such as when the client moves outside of the enterprise network.

Abstract: Among other things, this document describes systems, devices, and methods for improving the mapping of end user clients to content servers. In one embodiment, an intermediary DNS server receives a DNS answer with multiple IP addresses. The intermediary DNS server modifies this answer before passing it on to the end user client—that is the end user client that originally requested name resolution of the hostname. Modification can involve filtering the list to remove low-performing IP addresses, re-ordering the list, blocking certain IPs according to policy, or other things. The intermediary DNS server can be operated by a internet service provider (carrier) or an enterprise, for example, or provided on their behalf by a third party as a service. The modification can be based on knowledge of the client-side network, including the location and connectivity of the end user client.

Abstract: Individual nodes (e.g., edge machines) in an overlay network each build local machine learning (ML) models associated with a particular behavior of interest. Through a communication mechanism, nodes exchange some portion of their ML models between or among each other. The portion of the local model that is exchanged with one or more other nodes encodes or encapsulates relevant knowledge (learned at the source node) for the particular behavior of interest; in this manner, relevant transfer learning is enabled such that individual node models become smarter. Sets of machines that collaborate converge their models toward a solution that is then used to facilitate another overlay network function or optimization. The local knowledge exchange among the nodes creates an emergent behavioral profile used to control the edge machine behavior. Example functions managed with this ML front-end include predictive pre-fetching, anomaly detection, image management, forecasting to allocate resources, and others.

Abstract: The methods and system described herein automatically generate network router access control entities (ACEs) that are used to filter internet traffic and more specifically to block malicious traffic. The rules are generated by an ACE engine that processes incoming internet packets and examines existing ACEs and a statistical profile of the captured packets to produce one or more recommended ACEs with a quantified measure of confidence. Preferably, a recommended ACE is identified in real time of the attack, and preferably selected from a library of pre-authored ACEs. It is then deployed automatically or alternatively sent to system personnel for review and confirmation.

Abstract: Disclosed herein are systems, methods, and apparatus for performing a new kind of traceroute. This traceroute is referred to herein as a “reverse” traceroute, as it enables a given network node to determine the path of packets sent to it from another node. Preferably, an encapsulating tunnel between the two nodes is leveraged. Preferably, a given network node (“first node”) performs the reverse traceroute by sending encapsulated inner packets in the tunnel to another network node (“second node”). The second node reflects the inner packets back to the first node. Preferably, the inner packets are configured such that their IP header TTLs expire at intermediate nodes (such as routers), and such that the resulting error messages are reported to the first node. In this way, the first node obtains information about the topology of the network and the path taken by inbound packets.

Abstract: Disclosed herein are systems, methods, and apparatus for improving the delivery of web content that has been authored for multiple devices. In certain embodiments, an intermediary device such as a proxy server determines the characteristics of a client device requesting multi-device content, obtains and examines the multi-device content, and in view of the particular requesting client device removes portions that are irrelevant for that device. Doing so can accelerate delivery of the content by reducing payload and relieving the client device of the processing burden associated with parsing the content to make that determination itself, among other things.

Abstract: The methods and system described herein automatically generate network router access control entities (ACEs) that are used to filter internet traffic and more specifically to block malicious traffic. The rules are generated by an ACE engine that processes incoming internet packets and examines existing ACEs and a statistical profile of the captured packets to produce one or more recommended ACEs with a quantified measure of confidence. Preferably, a recommended ACE is identified in real time of the attack, and preferably selected from a library of pre-authored ACEs. It is then deployed automatically or alternatively sent to system personnel for review and confirmation.

Abstract: A high-performance distributed ledger and transaction computing network fabric over which large numbers of transactions are processed concurrently in a scalable, reliable, secure and efficient manner. In one embodiment, the computing network core is configured to support a distributed blockchain network that organizes data in a manner that allows communication, processing and storage of blocks of the chain to be performed concurrently at very high performance and low latency, even when the transactions themselves originate from distant sources. This data organization relies on segmenting a transaction space within autonomous but cooperating computing nodes that are configured as a processing mesh. The system also provides for confidence-based consensus and automated fork resolution.

Abstract: A high-performance distributed ledger and transaction computing network fabric over which large numbers of transactions (involving the transformation, conversion or transfer of information or value) are processed concurrently in a scalable, reliable, secure and efficient manner. In one embodiment, the computing network fabric or “core” is configured to support a distributed blockchain network that organizes data in a manner that allows communication, processing and storage of blocks of the chain to be performed concurrently, with little synchronization, at very high performance and low latency, even when the transactions themselves originate from distant sources. This data organization relies on segmenting a transaction space within autonomous but cooperating computing nodes that are configured as a processing mesh. Each computing node typically is functionally-equivalent to all other nodes in the core.

Abstract: Among other things, this document describes systems, devices, and methods for wireless content delivery to vehicles and in particular to vehicles in cellular radio environments. The teachings hereof can be used to deliver a vehicle manufacturer's head unit updates, firmware, configurations, and other data to a vehicle. In embodiments, downloads are managed at the control plane and/or data plane. Download management can include mitigating either current or anticipated wireless congestion at cell towers, enforcing campaign priority for firmware updates, accommodating occupant-originated data flows to and from the vehicle, and/or accounting for contractual data arrangements between vehicles makers and cellular providers, among other things.

Abstract: This document describes systems, devices, and methods for testing the integration of a content provider's origin infrastructure with a content delivery network (CDN). In embodiments, the teachings hereof enable a content provider's developer to rapidly and flexibly create test environments that send test traffic through the same CDN hardware and software that handle (or at least have the ability to handle) production traffic, but in isolation from that production traffic and from each other. Furthermore, in embodiments, the teachings hereof enable the content provider to specify an arbitrary test origin behind its corporate firewall with which the CDN should communicate.

Abstract: A high-performance distributed ledger and transaction computing network fabric over which large numbers of transactions (involving the transformation, conversion or transfer of information or value) are processed concurrently in a scalable, reliable, secure and efficient manner. In one embodiment, the computing network fabric or “core” is configured to support a distributed blockchain network that organizes data in a manner that allows communication, processing and storage of blocks of the chain to be performed concurrently, with little synchronization, at very high performance and low latency, even when the transactions themselves originate from distant sources. This data organization relies on segmenting a transaction space within autonomous but cooperating computing nodes that are configured as a processing mesh. Each computing node typically is functionally-equivalent to all other nodes in the core.

Abstract: This document describes, among other things, systems and methods for more efficiently resuming a client-to-origin TLS session through a proxy layer that fronts the origin in order to provide network security services. At the time of an initial TLS handshake with an unknown client, for example, the proxy can perform a set of security checks. If the client passes the checks, the proxy can transmit a ‘proxy token’ upstream to the origin. The origin can incorporate this token into session state data which is passed back to and stored on the client, e.g., using a TLS session ticket extension field, pre-shared key extension field, or other field. On TLS session resumption, when the client sends the session state data, the proxy can recover its proxy token from the session state data, and upon successful validation, bypass security checks that it would otherwise perform against the client, thereby more efficiently handling known clients.

Abstract: A method of multicasting real-time video is described. The method begins by establishing a multicast network of machines capable of ingress, forwarding and broadcasting traffic, together with a mapping infrastructure. The multicast network preferably comprises a portion of an overlay network, such as a content delivery network (CDN). A video stream is published to the multicast network by (a) using the mapping infrastructure to find an ingress node in the multicast network, and then receiving the video stream from a publisher at the ingress node. One or more subscribers then subscribe to the video stream. In particular, and for subscriber, this subscription is carried out by (a) using the mapping infrastructure to find an egress node for the requesting client, and then delivering the video stream to the subscriber from the egress node. Preferably, the publisher and each subscriber use WebRTC to publish or consume the video stream, and video stream is consumed in a videoconference.

Abstract: Typically, clients request a service from a computer hosting multiple services by specifying a destination port number associated with the desired service. In embodiments, the functionality of such a host computer is enhanced by having it condition client access to services available at a particular port number based on client authentication and/or authorization. A host computer can change the service(s) available at a given port number on a client by client basis, enabling access to service(s) for trusted clients unavailable to untrusted clients. Preferably, client trust is based on client authentication via a certificate and a valid, signed transport layer security (TLS) handshake (or similar mechanism in other protocol contexts). In some embodiments, an authorization step can be added following authentication. The systems and methods disclosed herein find wide uses in bundling services on ports, as well as protecting access to services from untrusted and/or malicious clients, among others.

Abstract: This document describes among other things, network security systems that incorporate a feedback loop so as to automatically and dynamically adjust the scope of network traffic that is subject to inspection. Risky traffic can be sent for inspection; risky traffic that is demonstrated to have high rate of threats can be outright blocked without further inspection; traffic that is causing errors due to protocol incompatibility or should not be inspected for regulatory or other reasons can be flagged so it bypasses the security inspection system. The system can operate on a domain by domain basis, IP address basis, or otherwise.

Abstract: This document describes among other things, network security systems that incorporate a feedback loop so as to automatically and dynamically adjust the scope of network traffic that is subject to inspection. Risky traffic can be sent for inspection; risky traffic that is demonstrated to have high rate of threats can be outright blocked without further inspection; traffic that is causing errors due to protocol incompatibility or should not be inspected for regulatory or other reasons can be flagged so it bypasses the security inspection system. The system can operate on a domain by domain basis, IP address basis, or otherwise.

Abstract: According to certain non-limiting embodiments disclosed herein, the functionality of a distributed computing platform, such as a content delivery network with network storage, is improved by providing automated and on-demand upload capability into the network storage. In one embodiment, the platform is made up of many proxy servers. As clients request content from the proxies, they generate upload commands for the network storage subsystem to ingest the content from a content provider origin infrastructure. Preferably, the proxy servers are configured to generate ‘safe’ upload commands such that objects are not ingested if they contain sensitive information and/or are personalized and/or might be dynamically generated objects. Thus, relatively safe ‘static’ objects can be automatically uploaded and migrated from a content provider origin, as client requests arrive.