Abstract: An enhanced server-side Adaptive Bitrate Streaming (ABR) of source content. The ABR switching logic is located in association with a server, and this logic also receives telemetry data as measured by the client. The client receives a single manifest that comprises a set of encoded entries each associated with a segment of the source content and comprising a first portion encoding, as a set of options, each of the multiple bitrates, and a second portion that, for each of the multiple bitrate options, encodes a size of the segment associated therewith. In operation, the client media player makes a request for a portion of the source content, and that request includes one of the encoded entries. In response, the server-side ABR switching logic determines whether to switch delivery of the source content from an existing first bitrate to a second bitrate. If so, the requested portion is delivered to the client at the second bitrate.

Abstract: A method and system of detecting script-based attacks. In this approach, behavioral analysis is performed against a traceable data structure, preferably in the form of a call flow graph (CFG) that is generated at an instrumented end user client browser. The CFG comprises a set of runtime JavaScript execution data points and one or more associated event chains that include the execution data points and their relative ordering. It is generated in a client browser in association with an interaction with a page, and it represents a context-based record of that specific interaction. By collecting similar CFGs from other such interactions with that page, the system identifies execution flow anomalies that represent malicious JavaScript attack(s). These attacks can then be mitigated, e.g., by updating the page or access policy associated with the page such that the attack cannot be successfully executed against other users interacting with the page.

Abstract: A physical object having a programmable, electronically readable tag can be identified and tracked in a given third party system with the aid of an identity services platform. When the owner of the object is about to place it in the custody of a third party system, the owner can use a client device to instruct the identity services platform to generate a nonce, for programming into the object's tag. Devices in the third party system read and use the nonce to identify and track the object and to make decisions about how it is handled. When the object exits from the control of the third party system for return to the owner, the identity services platform is asked to provide a proof of ownership to the third party system, which enables accurate return of the object to its proper owner.

Abstract: A multi-tenant service platform provides network services, such as content delivery, edge compute, and/or media streaming, on behalf of, or directly for, a given tenant. The service platform offers a policy layer enabling each tenant to specify levels of acceptable performance degradation that the platform may incur so that the platform can use electricity with desirable characteristics to service client requests associated with that tenant. Service nodes in the platform (e.g., edge servers) enforce the policy layer at the time of a service request. Preferably, the ‘quality’ of the electricity is a measurement of source of the energy, e.g., whether it is sourced from high-carbon fossil fuels (low-quality) or low-carbon renewables (high-quality). If the desired quality of electricity cannot be achieved, the node can resort to using less electricity to handle the request, which is achieved in a variety of ways.

Abstract: It is often important that a server's responses to a set of client requests are coherent with one another, but if the client's requests are spread over time, that may not occur. In accordance with the teaching of this patent document, a client is able to communicate with a server to achieve coherency. A client can send a request (e.g., an HTTP request for a given resource) with a data preservation directive. The data preservation directive causes the server to initiate a server-side process to preserve the state of underlying server-side data upon which the response relies (or will rely). Also, a client can send a request with an attribute requesting the response be coherent with respect to some date-time or other reference point. This attribute thus asks the server to ensure coherency in the response to the client.

Abstract: Website phishing detection is enabled using a siamese neural network. One twin receives a query image associated with a website page. The other twin receives a subset of a set of reference website images together with positive (phishing) examples that were used to train the networks, the subset of reference website images having been determined by applying an identifier associated with a brand of interest. The operation of applying the identifier significantly reduces the relevant search space for the inferencing task. If the inferencing determines a sufficient likelihood that the website page is a phishing page, control signaling is generated to control a system to take a given mitigation action n.

Abstract: A set of transaction handling computing elements comprise a network core that receive and process transaction requests into an append-only immutable chain of data blocks, wherein a data block is a collection of transactions, and wherein an Unspent Transaction Output (UTXO) data structure supporting the immutable chain of data blocks is an output from a finalized transaction. Typically, the UTXO data structure consists essentially of an address and a value. In this approach, at least one UTXO data structure is configured to include information either in addition to or in lieu of the address and value, thereby defining a Transaction Output (TXO). A TXO may have a variety of types, and one type includes an attribute that encodes data. In response to receipt of a request to process a transaction, the set of transaction handling computing elements are executed to process the transaction into a block using at least the information in the TXO.

Abstract: A server interacts with a bot detection service to provide bot detection as a requesting client interacts with the server. In an asynchronous mode, the server injects into a page a data collection script configured to record interactions at the requesting client, to collect sensor data about the interactions, and to send the collected sensor data to the server. After the client receives the page, the sensor data is collected and forwarded to the server through a series of posts. The server forwards the posts to the detection service. During this data collection, the server also may receive a request from the client for a protected endpoint. When this occurs, and in a synchronous mode, the server issues a query to the detection service to obtain a threat score based in part on the collected sensor data that has been received and forwarded by the server. Based on the threat score returned, the server then determines whether the request for the endpoint should be forwarded onward for handling.

Abstract: An end-to-end verifiable multi-factor authentication scheme uses an authentication service. An authentication request is received from an organization, the request having been generated at the organization in response to receipt there of an access request from a user. The user has an associated public-private key pair. The organization provides the authentication request together with a first nonce. In response to receiving the authentication request and the first nonce, the authentication service generates a second nonce, and then it send the first and second nonces to the user. Thereafter, the service receives a data string, the data string having been generated by the client applying its private key over the first and second nonces. Using the user's public key, the service attempts to verify that the data string includes the first and second nonces.

Abstract: An account protection service to prevent user login or other protected endpoint request abuse. In one embodiment, the service collects user recognition data, preferably for each login attempt (e.g. data about the connection, session, and other relevant context), and it constructs a true user profile for each such user over time, preferably using the recognition data from successful logins. The profile evolves as additional recognition data is collected from successful logins. The profile is a model of what the user “looks like” to the system. For a subsequent login attempt, the system then calculates a true user score. This score represents how well the current user recognition data matches the model represented by the true user profile. The user recognition service is used to drive policy decisions and enforcement capabilities. Preferably, user recognition works in association with bot detection in a combined solution.

Abstract: A method of delivering a media stream in a network having first and second media servers each capable of delivering segmented media content to a requesting media client. The network provides for HTTP-based delivery of segmented media, and the media client is supported on a client-side device. The method begins by associating the media client with the first media server. As the first server receives from the media client request for media content segments, request times for a given number of the most-recent segments requested are used to generate a prediction, by the first server, of when the media client has transitioned from a start-up or buffering state, to a steady state. In response to a new segment request being received, and upon the first server predicting that the media client has completed a transition to steady state, the new segment request is redirected to the second media server.

Abstract: This document describes techniques for rotating keys used to tokenize data stored in a streaming data store where data is stored for a maximum time [W]. In some embodiments, a data layer of such a data store can encrypt arriving original data values twice. The original data value is first encrypted with a first key, producing a first token. The original data value is encrypted with a second key, producing a second token. Each encrypted token can be stored separately in the data store. A field may be associated with two database columns, one holding the value encrypted with the first key and the second holding the value encrypted with the second key. Keys are rotated after time [K], which is at least equal to and preferably longer than [W]. Rotation can involve discarding the older key and generating a new key so that two keys are still used.

Abstract: This patent document describes failure recovery technologies for the processing of streaming data, also referred to as pipelined data. The technologies described herein have particular applicability in distributed computing systems that are required to process streams of data and provide at-most-once and/or exactly-once service levels. In a preferred embodiment, a system comprises many nodes configured in a network topology, such as a hierarchical tree structure. Data is generated at leaf nodes. Intermediate nodes process the streaming data in a pipelined fashion, sending towards the root aggregated or otherwise combined data from the source data streams towards. To reduce overhead and provide locally handled failure recovery, system nodes transfer data using a protocol that controls which node owns the data for purposes of failure recovery as it moves through the network.

Abstract: Among other things, this document describes systems, methods and apparatus for identifying and mitigating network attacks, particularly botnet attacks and other volumetric attacks. In some embodiments, a distributed computing platform provides client-facing service endpoints and a request routing mechanism (request router or RR) directing clients to a particular service endpoint or cluster thereof to obtain a service. The state of the RR at a given time is communicated to enforcement points in the system, which may be cluster equipment, service endpoints, or other components. When client traffic arrives at a particular enforcement point it is checked for consistency with the RR's directions, referred to as ‘mapping consistency’. This information is incorporated into decisions about how to handle the packets from the client.

Abstract: An index file for an on-demand media stream (such as video-on-demand) is analyzed to determine one or more content insertion points, also referred to as cue points. The streaming platform modifies the index file such that the streaming platform can select the content to insert later on, preferably making that selection after the index file has been served and preferably a short time before the cue point in the stream. Put another way, the decision as to which content to insert at such points is not predetermined at the time of serving the index file. In this way, content insertions decisions can be made midstream.

Abstract: An overlay network is augmented to provide more efficient data storage by processing a dataset of high dimension into an equivalent dataset of lower dimension, wherein the data reduction reduces the amount of actual physical data but not necessarily its informational value. Data to be processed (dimensionally-reduced) is received by an ingestion layer and supplied to a learning-based storage reduction application that implements the data reduction technique. The application applies a data reduction algorithm and stores the resulting dimensionally-reduced data sets in the native data storage or third party cloud. To recover the original higher-dimensional data, an associated reverse algorithm is implemented. In general, the application coverts an N dimensional data set to a K dimensional data set, where K<<N. The N dimensional dataset has a high dimension, and the K dimensional dataset has a low dimension.

Abstract: A method of enabling single sign-on (SSO) access to an application executing in an enterprise, wherein authorized, secure access to specific enterprise applications are facilitated via an enterprise-based connector. In response to successful authentication of an end user via a first authentication method, a credential associated with the successful authentication is encrypted to generate an encrypted user token. The encrypted user token is then forwarded for storage in a database accessible by the enterprise-based connector. Following a redirect (e.g., from a login server instance) that returns the end user to the enterprise-based connector, the encrypted user token is fetched and decrypted to recover the credential. The credential so recovered is then used to attempt to authenticate the user to an application via a second authentication method distinct from the first authentication method.

Abstract: Website phishing detection is enabled using a Message Passing Neural Network (MPNN) that scores requested HTML with a likelihood of being a phishing website. The technique leverages the assumption that the HTML in a phishing website often presents anomalous structure or features when compared with an analogous benign website. Once a phishing site is detected, a given mitigation action is then taken.

Abstract: This disclosure describes a technique to determine whether a client computing device accessing an API is masquerading its device type (i.e., pretending to be a device that it is not). To this end, and according to this disclosure, the client performs certain processing requested by the server to reveal its actual processing capabilities and thereby its true device type, whereupon—once the server learns the true nature of the client device—it can take appropriate actions to mitigate or prevent further damage. To this end, during the API transaction the server returns information to the client device that causes the client device to perform certain computations or actions. The resulting activity is captured on the client computing and then transmitted back to the server, which then analyzes the data to inform its decision about the true client device type.

Abstract: A distributed computing system provides a distributed data store for network enabled devices at the edge. The distributed database is partitioned such that each node in the system has its own partition and some number of followers that replicate the data in the partition. The data in the partition is typically used in providing services to network enabled devices from the edge. The set of data for a particular network enabled device is owned by the node to which the network enabled device connects. Ownership of the data (and the data itself) may move around the distributed computing system to different nodes, e.g., for load balancing, fault-resilience, and/or due to device movement. Security/health checks are enforced at the edge as part of a process of transferring data ownership, thereby providing a mechanism to mitigate compromised or malfunctioning network enabled devices.