Abstract: A shared computing infrastructure has associated therewith a portal application through which users access the infrastructure and provision one or more services, such as content storage and delivery. The portal comprises a security policy editor, a web-based configuration tool that is intended for use by customers to generate and apply security policies to their media content. The security policy editor provides the user the ability to create and manage security policies, to assign policies so created to desired media content and/or player components, and to view information regarding all of the customer's current policy assignments. The editor provides a unified interface to configure all media security services that are available to the CDN customer from a single interface, and to enable the configured security features to be promptly propagated and enforced throughout the overlay network infrastructure.

Abstract: According to this disclosure, a proxy server is enhanced to be able to interpret instructions that specify how to modify an input object to create an output object to serve to a requesting client. Typically the instructions operate on binary data. For example, the instructions can be interpreted in a byte-based interpreter that directs the proxy as to what order, and from which source, to fill an output buffer that is served to the client. The instructions specify what changes to make to a generic input file. This functionality extends the capability of the proxy server in an open-ended fashion and enables it to efficiently create a wide variety of outputs for a given generic input file. The generic input file and/or the instructions may be cached at the proxy. The teachings hereof have applications in, among other things, the delivery of web content, streaming media, and the like.

Abstract: The teachings herein generally relate to client-server communications and the delivery of content over computer networks to clients, and provide improved methods, systems, and apparatus for identifying and/or characterizing client devices that are requesting content from a server. For example, based on information sent in a client device's request for content, a web server modified in accordance with the teachings hereof can identify a set of characteristics associated with that client device. Such characteristics might include the model name of the client device, the screen dimensions of the client device, information about the particular operating system or browser name/version it is running, content formats it is capable of consuming, and so on. The web server can use this information to modify and customize its response for the given client device.

Abstract: Stream-based data deduplication is provided in a multi-tenant shared infrastructure but without requiring “paired” endpoints having synchronized data dictionaries. Data objects processed by the dedupe functionality are treated as objects that can be fetched as needed. As such, a decoding peer does not need to maintain a symmetric library for the origin. Rather, if the peer does not have the chunks in cache that it needs, it follows a conventional content delivery network procedure to retrieve them. In this way, if dictionaries between pairs of sending and receiving peers are out-of-sync, relevant sections are then re-synchronized on-demand. The approach does not require that libraries maintained at a particular pair of sender and receiving peers are the same. Rather, the technique enables a peer, in effect, to “backfill” its dictionary on-the-fly. On-the-wire compression techniques are provided to reduce the amount of data transmitted between the peers.

Abstract: Methods and systems are disclosed for delivery of tailored content to differentiated devices, such as desktop, mobile, and tablet devices, over a computer network. In one embodiment, a proxy cache server has a content cache for storing previously retrieved objects like web pages or multimedia files. For at least some objects, several versions are stored, each version representing an object suited for a given set of client device characteristics. A device-equivalency data structure maintained at the proxy facilitates a determination of whether such cached versions can be used to service a current request. The versions might represent, for example, modified versions created using, e.g., mobile device transcoding techniques, in response to prior requests. They may also represent a set of alternate content created by a content provider and available from an origin server. Such methods and systems may be implemented in a distributed computing networks, e.g., a content delivery network.

Abstract: This patent document describes, among other things, methods and systems for determining which if any page resources a server might push to a client (using, e.g., an HTTP 2.0 server push mechanism). The approaches described herein improve web page load times by pushing page resources that a client is likely to need to render the base page, while reducing wasteful server pushes of resources that the client is unlikely to request from the server because, for example, they are already cached at the client.

Abstract: This patent document describes, among other things, methods and systems for determining which if any page resources a server might push to a client (using, e.g., an HTTP 2.0 server push mechanism). The approaches described herein improve web page load times by pushing page resources that a client is likely to need to render the base page, while reducing wasteful server pushes of resources that the client is unlikely to request from the server because, for example, they are already cached at the client.

Abstract: A method and system for modifying web pages, including dynamic web pages, based on automated analysis wherein web pages are transformed based on transformation instructions in nearly real-time, and wherein analysis is performed and transformation instructions based on the analysis are prepared prior to a request for the web page. The system has two primary components, an analyzer which asynchronously and repeatedly analyzes web pages creating and updating transformation instructions relating to the web pages, and a transformer which intercepts traffic to a web server in response to a request for the web page, receives the returned web pages, and transforms them based on stored transformation instructions.

Abstract: This document describes, among other things, improved methods, systems, and apparatus for relaying packets on computer networks. Preferably, the relay function is accelerated at a host by implementing selected forwarding functions in hardware, such as the host's network interface card, while upper software layers at the host retain at least some access to the packet flow to handle more complex operations and/or monitoring. In a so-called “split TCP” arrangement, for example, a relay host terminates a first TCP connection from a given host and forwards packets on that connection to another given host on a second TCP connection. The relay host has a TCP forwarding table implemented at the device level, configurable by a relay management application running in the kernel or user-space. Special forwarding table modes may be used to enable full-TCP protocol support while also taking advantage of hardware acceleration.

Abstract: A method for Internet delivery in a delivery network established at network locations, the delivery network comprising a plurality of content servers for serving resources. The servers include a plurality of subsets, each subset being located at one of a plurality of Internet data centers. For each Internet Protocol (IP) address block from which requests for content resources are expected to be received, the method generates a candidate list of data centers to be used to service the requests. For the IP address block, the method selects at least one of the data centers from the candidate list. The selected Internet data center for the IP address block is written into a network map. In response to a DNS query, the map is used to identify one of the Internet data centers from the candidate list to be used to service a request for a content resource.

Abstract: According to non-limiting embodiments disclosed herein, the functionality of an object cache in a server can be extended to monitor and track web traffic, and in particular to perform rate accounting on selected web traffic. As the server communicates with clients (e.g., receiving HTTP requests and responding to those requests), the server can use its existing object cache storage and existing object cache services to monitor web traffic by recording how often a client makes a particular request in the object cache and/or other data about the requests. Preferably, the object cache is still used for conventional caching of objects, the object cache thus providing a dual role by storing both web objects and rate accounting data.

Abstract: Described herein, without limitation, are methods and systems to defend web applications against abuse and attack from bots, scrapers, and agents, by validating and enforcing a workflow for web application users. Described herein, without limitation, are methods and systems that enforce and validate workflows in a way that enables web application owners to flexibly define and control workflows, even for complex website topologies.

Abstract: A method of controlling size of a receive window includes transmitting packets over a communication channel from a transmitting device to a receiver, and receiving acknowledgment packets from the receiver, the received acknowledgement packets from the receiver including an advertised receive window size. The method further includes determining a backlog parameter for the receiver in accordance with the advertised receive window size, determining a queuing delay in accordance the received acknowledgment packets, resetting a size of a congestion window in accordance with a function of a current size of the congestion window and a factor proportional to the queuing delay, and resetting a size of a receive window in accordance with a function of a current size of the receive window and the backlog parameter. A network window is reset in accordance with the smaller of the size of the congestion window and the size of the receive window.

Abstract: Described herein are systems, methods and apparatus for detecting and classifying malicious agents on a computer network. Many attacks require that the malicious message or messages employ certain characters. Such sets of characters can be indicative of an attack and referred to as a “malicious alphabet.” All clients on a network are likely to use characters from malicious alphabets in legitimate and valid network messages. However, malicious clients are likely to use characters from malicious alphabets in different ways than legitimate clients. According to the teachings hereof, a particular client's use of a malicious alphabet can be tracked and used to identify it as a potential attacker. Such tracking may take place across the applications and/or websites to which the traffic is directed. Based on the nature and extent of the client's use of the malicious alphabet, a reputation score for the client can be developed.

Abstract: Using cryptographic techniques, sensitive data is protected against disclosure in the event of a compromise of a content delivery network (CDN) edge infrastructure. These techniques obviate storage and/or transfer of such sensitive data, even with respect to payment transactions that are being authorized or otherwise enabled from CDN edge servers.

Abstract: Described herein are systems, methods, and apparatus for processing network packets in a computer network. According to the teachings hereof, distributed computing resources can be organized into a service platform to provide certain value-add services—such as deep packet inspection, transcoding, lawful intercept, or otherwise—using a service function chaining model. The platform can be used operate on traffic coming from or going to a mobile network (or other target network) to the public Internet. The platform may send to the mobile network various kinds of metadata related to or reflecting the services it is performing and/or the traffic that is flowing to or from the mobile network, among other things.

Abstract: Described herein are systems, methods, and apparatus for processing network packet data in a distributed computing platform, such as a content delivery network, to provide services to mobile network operators and/or their mobile subscribers. According to the teachings hereof, distributed computing resources can be organized into a service platform to provide certain value-add services—such as deep packet inspection, transcoding, lawful intercept, or otherwise—using a service function chaining model. The platform resources are preferably located external to the mobile network, on the public Internet. The platform preferably operates on and processes traffic entering or exiting the mobile network. In some embodiments, the service platform is able to establish an encrypted channel between itself and the mobile client through the mobile network, e.g., using content provider key and certificate information available to the platform (but which may not be available to the mobile network operator).

Abstract: Described herein are systems, methods, and apparatus for processing network packets in a computer network, including in particular the processing of subscriber traffic in a mobile network. According to the teachings hereof, distributed computing resources can be organized into a service platform to provide certain value-add services—such as deep packet inspection, transcoding, lawful intercept, or otherwise—using a service function chaining model. The platform may operate on traffic egressing or ingressing to a mobile network (or other target network) to the public Internet. The service platform can alternatively be deployed wholly or partially within a target network. Service function chains may be built dynamically based on configured platform policies, packet contents, computing resource status, load, network location, current network conditions, and the like.

Abstract: A method of correlating nameserver addresses is implemented in a multi-tier name server hierarchy comprising a first level authority for a domain, and one or more second level authorities to which the first level authority delegates with respect to a particular sub-domain associated with the domain. Preferably, the first level authority is IPv4-based and at least one second level authority is IPv6-based. The first level authority responds to a request issued by a client caching nameserver (a “CCNS”) and returns an answer that includes both IPv4 and IPv6 authorities for the domain. The CCNS is located at an IPv4 source address that is passed along to the first level authority with the CCNS request. According to a feature of this disclosure, the first level authority encodes the CCNS IPv4 source address in the IPv6 destination address of at least one IPv6 authority.

Abstract: The process of rendering web pages can be significantly improved with a content delivery system that pre-renders web content for a client device. A web page “program” can be pre-executed and the result delivered to a requesting client device, rather than or before sending a traditional set of web page components, such as a markup language document, cascading style sheets, embedded objects. This pre-execution can relieve the client device of the burden of rendering the web page, saving resources and decreasing latency before the web page is ready, and can reduce the number of network requests that the client device must make before being able to display the page. Disclosed herein are methods, systems, and devices for creating and delivering pre-rendered web pages for accelerated browsing.