Abstract: A technique to detect and mitigate anomalous Application Programming Interface (API) behavior associated with an application having a set of APIs is described. Across one or more sessions during a time period, and in response to receiving a set of one or more transactions directed to the application, a behavioral graph is generated. The graph comprises a set of vertices, an associated set of edges, and a set of weights representing frequency of observation of one or more behaviors, wherein a behavior is denoted by an edge between a pair of connected vertices, wherein the edge depicts at least one interdependent relationship between first and second APIs of the set of APIs. One or more low weight edges are filtered from the behavioral graph to generate a decision graph. The decision graph is then used to detect that one or more new transactions represent anomalous behavior. In response to detecting that the given new transaction represents the anomalous behavior, an action is taken to protect the application.

Abstract: A high-performance distributed ledger and transaction computing network fabric over which large numbers of transactions are processed concurrently in a scalable, reliable, secure and efficient manner. In one embodiment, the computing network fabric or “core” is configured to support a distributed blockchain network that organizes data in a manner that allows communication, processing and storage of blocks of the chain to be performed concurrently, with little synchronization, at very high performance and low latency, even when the transactions themselves originate from distant sources. This data organization relies on segmenting a transaction space within autonomous but cooperating computing nodes that are configured as a processing mesh. Secure transaction processing is facilitated by storing cryptographic key materials in secure and trusted computing environments associated with the computing nodes to facilitate construction mining proofs during the validation of a block.

Abstract: Stream-based data deduplication is provided in a multi-tenant shared infrastructure but without requiring “paired” endpoints having synchronized data dictionaries. Data objects processed by the dedupe functionality are treated as objects that can be fetched as needed. As such, a decoding peer does not need to maintain a symmetric library for the origin. Rather, if the peer does not have the chunks in cache that it needs, it follows a conventional content delivery network procedure to retrieve them. In this way, if dictionaries between pairs of sending and receiving peers are out-of-sync, relevant sections are then re-synchronized on-demand. The approach does not require that libraries maintained at a particular pair of sender and receiving peers are the same. Rather, the technique enables a peer, in effect, to “backfill” its dictionary on-the-fly. On-the-wire compression techniques are provided to reduce the amount of data transmitted between the peers.

Abstract: A distributed ledger and transaction computing network fabric over which large numbers of transactions are processed concurrently in a scalable, reliable, secure and efficient manner. The computing network fabric or “core” supports a distributed blockchain network that organizes data in a manner that allows communication, processing and storage of blocks of the chain to be performed concurrently, with little synchronization, at very high performance and low latency, even when the transactions themselves originate from distant sources. This data organization relies on segmenting a transaction space within autonomous but cooperating computing nodes that are configured as a processing mesh. The nodes operate on blocks independently from one another while still maintaining a consistent and logically-complete view of the blockchain as a whole.

Abstract: Among other things, this document describes systems, devices, and methods for improving the delivery and performance of web pages authored to produce virtual reality (VR) or augmented reality (AR) experiences. In some embodiments, such web pages are analyzed. This analysis may be initiated at the request of a content server that receives a client request for the HTML. The analysis may involve, asynchronous to the client request, loading the the page into a non-user-facing browser environment and allowing the VR or AR scene to execute, even including executing animation routines for a predetermined period of time. Certain characteristics of the scene and of objects are thereby captured. Based on this information, an object list ordered by loading priority is prepared. Consulting this information in response to subsequent requests for the page, a content server can implement server push, early hints and/or other delivery enhancements.

Abstract: A multi-factor authentication scheme uses an MFA authentication service and a browser extensionless phish-proof method to facilitate an MFA workflow. Phish-proof MFA verifies that the browser the user is in front of is actually visiting the authentic (real) site and not a phished site. This achieved by only allowing MFA to be initiated from a user trusted browser by verifying its authenticity through a signing operation using a key only it possesses, and then also verifying that the verified browser is visiting the authentic site. In a preferred embodiment, this latter check is carried out using an iframe postMessage owning domain check. In a variant embodiment, the browser is verified to be visiting the authentic site through an origin header check. By using the iframe-based or ORIGIN header-based check, the solution does not require a physical security key (such as a USB authenticator) or any browser extension or plug-in.

Abstract: A plurality of WiFi-enabled devices that are physically proximate to one another form an ad hoc mesh network, which is associated with an overlay network, such as a content delivery network. A typical WiFi device is a WiFi router that comprises addressable data storage, together with control software operative to configure the device seamlessly into the WiFi mesh network formed by the device and one or more physically-proximate devices. The addressable data storage across multiple such devices comprises a distributed or “mesh-assisted” cache that is managed by the overly network. The WiFi mesh network thus provides bandwidth that is leveraged by the overlay network to provide distribution of content, e.g., content that has been off-loaded for delivery (by content providers) to the CDN. Other devices that may be leveraged include set-top boxes and IPTV devices.

Abstract: This document describes techniques for rotating keys used to tokenize data stored in a streaming data store where data is stored for a maximum time [W]. In some embodiments, a data layer of such a data store can encrypt arriving original data values twice. The original data value is first encrypted with a first key, producing a first token. The original data value is encrypted with a second key, producing a second token. Each encrypted token can be stored separately in the data store. A field may be associated with two database columns, one holding the value encrypted with the first key and the second holding the value encrypted with the second key. Keys are rotated after time [K], which is at least equal to and preferably longer than [W]. Rotation can involve discarding the older key and generating a new key so that two keys are still used.

Abstract: A set of transaction handling computing elements comprise a network core that receive and process transaction requests into an append-only immutable chain of data blocks, wherein a data block is a collection of transactions, and wherein an Unspent Transaction Output (UTXO) data structure supporting the immutable chain of data blocks is an output from a finalized transaction. Typically, the UTXO data structure consists essentially of an address and a value. In this approach, at least one UTXO data structure is configured to include information either in addition to or in lieu of the address and value, thereby defining a Transaction Output (TXO). A TXO may have a variety of types, and one type includes an attribute that encodes data. In response to receipt of a request to process a transaction, the set of transaction handling computing elements are executed to process the transaction into a block using at least the information in the TXO.

Abstract: A system for enterprise collaboration is associated with an overlay network, such as a content delivery network (CDN). The overlay network comprises machines capable of ingress, forwarding and broadcasting traffic, together with a mapping infrastructure. The system comprises a front-end application, a back-end application, and set of one or more APIs through which the front-end application interacts with the back-end application. The front-end application is a web or mobile application component that provides one or more collaboration functions. The back-end application comprises a signaling component that maintains state information about each participant in a collaboration, a connectivity component that manages connections routed through the overlay network, and a multiplexing component that manages a multi-peer collaboration session to enable an end user peer to access other peers' media streams through the overlay network rather than directly from another peer.

Abstract: Generally, aspects of the invention involve creating a data structure (a map) that reflects routing of Internet traffic to Anycast prefixes. Assume, for example, that each Anycast prefix is associated with two or more deployments (Points of Presence or PoPs) that can provide a service such as DNS, content delivery (e.g., via proxy servers, as in a CDN), distributed network storage, compute, or otherwise. The map is built in such a way as to identify portions of the Internet (e.g., in IP address space) that are consistently routed with one another, i.e., always to the same PoP as one another, regardless of how the Anycast prefixes are deployed. Aspects of the invention also involve the use of this map, once created. The map can be applied in a variety of ways to assist and/or improve the operation of Anycast deployments and thus represents an improvement to computer networking technology.

Abstract: A hybrid HTTP/UDP delivery protocol provides significant improvements for delivery of video and other content over a network, such as an overlay. The approach is especially useful to address problems (e.g., slow startup times, rebuffering, and low bitrates) for HTTP-based streaming. In general, the protocol has two phases: an HTTP phase, and a UDP phase. In the HTTP phase, the client sends an HTTP GET request to a server. The GET request contains a transport header informing the server that the client would like to use UDP-based transfer over the protocol. The server may refuse this mode and continue in ordinary HTTP mode, or the server may respond by sending an empty response with header information informing the client how to make the connection to enter the UDP phase. In the UDP phase, the client initiates a connection and receives the originally-requested content over UDP.

Abstract: The techniques herein provide for enhanced overlay network-based transport of traffic, such as IPsec traffic, e.g., to and from customer branch office locations, facilitated through the use of the Internet-based overlay routing infrastructure. This disclosure describes a method of providing integrity protection for traffic on the overlay network.

Abstract: A method of “warm” migrating a virtual machine (VM) on a source host to a target virtual machine on a destination host. The method begins by mirroring contents of disk onto a target disk associated with the target VM. Transfer of the RAM contents is then initiated. Unlike live migration strategies where data transfer occurs at a high rate, the RAM contents are transferred at a low transfer rate. While the contents of the RAM are being transferred, a shutdown of the virtual machine is initiated. This operation flushes to disk all of the remaining RAM contents. Before the shutdown completes, those remaining contents, now on disk, are mirrored to the target disk. Once that mirroring is finished, the shutdown of the virtual machine is completed, and this shutdown is mirrored at the destination host. To complete the warm migration, the target virtual machine is then booted from the target disk.

Abstract: A method of congestion control implemented by a sender over a network link that includes a router having a queue. During a first state, information is received from a receiver. The information comprises an estimated maximum bandwidth for the link, a one-way transit time for traffic over the link, and an indication whether the network link is congested. In response to the link being congested, the sender transitions to a second state. While in the second state, a sending rate of packets in reduced, in part to attempt to drain the queue of data packets contributed by the sender. The sender transitions to a third state when the sender estimates that the queue has been drained of the data packets contributed. During the third state, the sending rate is increased until either the sender transitions back to the first state, or receives a new indication that the link is congested.

Abstract: This disclosure describes a technique to fingerprint TLS connection information to facilitate bot detection. The notion is referred to herein as “TLS fingerprinting.” Preferably, TLS fingerprinting herein comprises combining different parameters from the initial “Hello” packet send by the client. In one embodiment, the different parameters from the Hello packet that are to create the fingerprint (the “TLS signature”) are: record layer version, client version, ordered TLS extensions, ordered cipher list, ordered elliptic curve list, and ordered signature algorithms list. Preferably, the edge server persists the TLS signature for the duration of a session.

Abstract: A server in a content delivery network (CDN) can examine API traffic and extract therefrom content that can be optimized before it is served to a client. The server can apply content location instructions to a given API message to find such content therein. Upon finding an instance of such content, the server can verify the identity of the content by applying a set of content verification instructions. If verification succeeds, the server can retrieve an optimized version of the identified content and swap it into the API message for the original version. If an optimized version is not available, the server can initiate an optimization process so that next time the optimized version will be available. In some embodiments, an analysis service can assist by observing traffic from an API endpoint over time, detecting the format of API messages and producing the content location and verification instructions.

Abstract: Methods and systems for malicious non-human user detection on computing devices are described. The method includes collecting, by a processing device, raw data corresponding to a user action, converting, by the processing device, the raw data to features, wherein the features represent characteristics of a human user or a malicious code acting as if it were the human user, and comparing, by the processing device, at least one of the features against a corresponding portion of a characteristic model to differentiate the human user from the malicious code acting as if it were the human user.

Abstract: An overlay network is enhanced to provide traffic delivery using anycast and end user mapping. An anycast IP address is associated with sets of forwarding machines positioned in the overlay network. These locations correspond with IP addresses for zero rated billing traffic. In response to receipt at a forwarding machine of a packet, the machine issues an end user mapping request to the mapping mechanism. The mapping request has an IP address associated with the client from which the end user request originates. The mapping mechanism resolves the request and provides a response to the request. The response is an IP address associated with a set of server machines distinct from the forwarding machine. The forwarding machine encapsulates the packet and proxies the connection to the identified server. The server receives the connection, decapsulates the request, and processes the packet. The server machine responds to the requesting client directly.

Abstract: A method executes upon receiving data (email, IP address) associated with an account registration. In response, an encoding is applied to the data to generate a node vector. The node vector indexes a database of such node vectors that the system maintains (from prior registrations). The database potentially includes one or more node vector(s) that may have a given similarity to the encoded node vector. To determine whether there are such vectors present, a set of k-nearest neighbors to the encoded node vector are then obtained from the database. This set of k-nearest neighbors together with the encoded node vector comprise a virtual graph that is then fed as a graph input to a Graph Neural Network previously trained on a set of training data. The GNN generates a probability that the virtual graph represents a NAF. If the probability exceeds a configurable threshold, the system outputs an indication that the registration is potentially fraudulent, and a mitigation action is taken.