Patents Assigned to CloudFlare, Inc.
  • Patent number: 12632469
    Abstract: Sequential consistency across a distributed cloud computing network is described. A database includes a primary database and multiple read replica databases. Write queries are transmitted to the primary database, and commit tokens are provided to the read replica databases and the clients. Commit tokens are included in requests from clients. If a request for a read operation received at a read replica database does not include a token that is later than a commit token of the most recent update to the read replica database, the read operation is served by the primary database. If a request for a read operation received at a read replica database includes a token that is later than a commit token of the most recent update to the read replica database, the read replica database delays servicing the read update until it receives an update from the primary database with an updated commit token.
    Type: Grant
    Filed: December 30, 2024
    Date of Patent: May 19, 2026
    Assignee: CLOUDFLARE, INC.
    Inventors: Justin Mazzola Paluska, Joshua Tyler Howard, Matthew Silverlock, Kenton Taylor Varda, Vy Nuthuy Ton
  • Patent number: 12524442
    Abstract: A claim is granted over a partition to a consumer. The claim is valid for a period and allows only that consumer to consume data of the partition during the period. The consumer consumes the data until the claim expires or the data in the partition is fully consumed. If the consumer fully consumes the data of the partition prior to the claim expiring, another claim can be granted over another partition to the consumer. Once the claim over the partition expires, the partition is available to be claimed by another consumer.
    Type: Grant
    Filed: June 13, 2024
    Date of Patent: January 13, 2026
    Assignee: CLOUDFLARE, INC.
    Inventors: Mikolaj Kocikowski, Sergii Nuzhdin, Gabriele Viglianisi, Thomas Walwyn
  • Patent number: 12518300
    Abstract: A server receives a request for a network resource from a client network application. The server retrieves the network resource and detects an online advertisement tag in it. The server determines that it has access to an identity cookie for the requesting client. The server modifies the network resource including preventing the tag from being processed directly by the client and adds a reference to a client-side script that will inject the online advertisement into the modified network resource. The server transmits a request for the online advertisement to an advertisement supply source, transmits a push-promise to the requesting client for the client-side script, and transmits the modified network resource to the requesting client. The server receives, from the advertisement supply source, a response to the request for the online advertisement. The server transmits the client-side script to the requesting client without receiving a separate request for the client-side script.
    Type: Grant
    Filed: June 24, 2020
    Date of Patent: January 6, 2026
    Assignee: CLOUDFLARE, INC.
    Inventor: Igor Postelnik
  • Patent number: 12513139
    Abstract: Controlling access to external capabilities exposed by a resource server for artificial intelligence models. An access server receives an authorization request from a resource client for authorization of a resource server. The access server determines a set of capabilities associated with the resource server and enforces access policies to identify permitted capabilities subject to user consent. A consent page is presented to the user agent for selective approval of capabilities. After receiving user consent, the access server generates an access token that is capable of being used as a credential for the consented capabilities. Subsequent requests from the resource server are validated and routed to the appropriate capabilities, with responses returned accordingly.
    Type: Grant
    Filed: July 30, 2025
    Date of Patent: December 30, 2025
    Assignee: CLOUDFLARE, INC.
    Inventors: James Howard Royal, Jesse Li, Kenneth A. Johnson
  • Patent number: 12513214
    Abstract: A condition exists that triggers an HTTP server to modify one or more HTTP connections for one or more HTTP clients that are connected to the HTTP server. The HTTP server dynamically modifies the one or more HTTP connections including dynamically modifying one or more runtime behaviors for the one or more HTTP connections. For each of the one or more HTTP clients, the HTTP server monitors that HTTP client to determine whether it is complying with the modified one or more runtime behaviors. If one of the one or more HTTP clients is not complying with the modified one or more runtime behaviors, the HTTP server performs a mitigation action on that HTTP client.
    Type: Grant
    Filed: March 22, 2024
    Date of Patent: December 30, 2025
    Assignee: CLOUDFLARE, INC.
    Inventor: Lucas Pardue
  • Patent number: 12505186
    Abstract: An intermediary server operates an application proxy. An access request is received for access to an application, where an access policy is associated with the application that specifies authentication method(s) acceptable for satisfying an authentication requirement enforced by the application proxy. The user agent is redirected to submit an authentication request to an identity provider for identity verification. An authentication response generated by the identity provider is received and includes information that specifies authentication method(s) used during the identity verification. If the authentication method(s) used during the identity verification match the authentication method(s) acceptable for satisfying the authentication requirement, the user will not be prompted to perform those authentication method(s) and the authentication requirement enforced by the application proxy is met.
    Type: Grant
    Filed: June 3, 2025
    Date of Patent: December 23, 2025
    Assignee: CLOUDFLARE, INC.
    Inventors: Alexander Jay Holland, James Howard Royal, Kenneth A. Johnson, Shahed El Baba
  • Patent number: 12507060
    Abstract: Traffic is received at a distributed cloud computing network. The traffic originates from a computing device using a mobile data connection. The traffic is associated with an identifier that identifies a SIM of the computing device. Using the SIM identifier, an identity for identity-based policy enforcement at the distributed cloud computing network is determined. The identity is uniquely associated with the SIM identifier. An identity-based policy that is applicable for the received traffic for the determined identity is determined. The identity-based policy is enforced.
    Type: Grant
    Filed: September 26, 2023
    Date of Patent: December 23, 2025
    Assignee: CLOUDFLARE, INC.
    Inventors: Matthew Silverlock, Christian Ehrig, Oliver Zi-gang Yu, Nicholas Alexander Wondra, Catarina Pires Mota
  • Publication number: 20250365253
    Abstract: A method involves receiving, at a Global Resource Catalog (GRC) controller, credentials for one or more target networks within a distributed cloud network. For each target network, the GRC controller uses a respective network access methodology associated with that target network to identify and store a first set of target network resources associated with that network at a GRC database. The GRC controller links or groups a second set of target network resources of the first set of target network resources in the GRC database based on target network resource dependencies determined by the GRC controller. The GRC controller updates the second set of target network resources in the GRC database based on a received event or at a scheduled interval. A distributed cloud network is then updated based on the second set of target network resources stored at the GRC database.
    Type: Application
    Filed: August 4, 2025
    Publication date: November 27, 2025
    Applicant: Cloudflare, Inc.
    Inventors: David Naylor, Eric Carino, Matthew Mukerjee, Ryan Standt, Michael Tovino, Meigy Tsai, Stephen Welham
  • Patent number: 12457097
    Abstract: Systems and methods for zero trust authentication. In certain embodiments, a method may comprise providing, from a client computing system to an identity provider (IdP) authority, an authentication nonce value generated by hashing a random value and a public key of the client computing system, and receiving, at the client computing system from the IdP authority, an authorization token including the authentication nonce value, where the authorization token is signed by a private key of the IdP authority. The method may further comprise providing a message including the authorization token from the client computing system to a target computing system via an intermediary co-signer (ICS) configured to authenticate the message.
    Type: Grant
    Filed: February 1, 2022
    Date of Patent: October 28, 2025
    Assignee: CLOUDFLARE, INC.
    Inventors: Ethan Heilman, Lucie Mugnier, Sharon Goldberg, Yuval Marcus, Sebastien Lipman
  • Patent number: 12455936
    Abstract: A server receives from a client device that is executing a client application a request to initiate a remote application in the server. The server instantiates an instance of the remote application. The server intercepts draw commands associated with the remote application instance. The server provides the draw commands to the client to cause the client application to render portion(s) of output based on the draw commands. The server receives an input event from the client application. The server provides the client one or more draw commands based on the input event to cause the client application to render portion(s) of output based on those draw commands.
    Type: Grant
    Filed: June 20, 2023
    Date of Patent: October 28, 2025
    Assignee: CLOUDFLARE, INC.
    Inventors: Darren Remington, Trevor Sundberg, Killian Koenig, Benjamin Buzbee, Michael Conrad, David Harnett
  • Patent number: 12455937
    Abstract: Methods, systems, and techniques for application isolation by remote-enabling applications are provided. Example embodiments provide an Adaptive Rendering Application Isolation System (“ARAIS”), which transparently enables applications to run in an isolated execution environment yet be rendered locally in a manner that facilitates preventing theft of sensitive information while allowing users to interact with any third-party application or website via the local environment without overburdening available bandwidth or computational resources by, in some cases, evaluating only select information responsive only to select events, as compared to whitelist/blacklist techniques, monitoring all information provided by the user, or other techniques. The ARAIS typically includes an orchestrator server that comprises one or more of a sensitive-information theft-prevention logic engine, information-theft prevention engines, or a rules engine.
    Type: Grant
    Filed: January 22, 2024
    Date of Patent: October 28, 2025
    Assignee: CLOUDFLARE, INC.
    Inventors: Darren Remington, Michael Conrad, Killian Koenig, Trevor Sundberg, David Harnett
  • Patent number: 12457196
    Abstract: Traffic is received at an interface of a compute server. Identity information associated with the traffic is determined including an identifier of a customer to which the traffic is attributable. An egress policy configured for the first customer is used to determine whether the traffic is allowed to be transmitted to a destination where that destination is a resource of a second customer. If the traffic is allowed to be transmitted, the traffic and identity information are transmitted over a cross-customer GRE tunnel to a namespace of the second customer on the compute server. An ingress policy configured for the second customer is used to determine whether the traffic is allowed to be transmitted to the destination, and if it is, then the traffic is transmitted.
    Type: Grant
    Filed: November 28, 2023
    Date of Patent: October 28, 2025
    Assignee: CLOUDFLARE, INC.
    Inventor: Nicholas Alexander Wondra
  • Patent number: 12452292
    Abstract: An edge server of a cloud-based application vulnerability detection service receives a first request from a requesting device to access a resource hosted by an origin server. The edge server can determine that the first request has indications of including malicious content and block the first request. The edge server can then send a second request to a test environment of the origin server, where the second request is based on the first request. The edge server then receives a response from the origin server responsive to the second request. The cloud-based application vulnerability detection service can analyze the response to determine that the origin server has a vulnerability. The cloud-based application vulnerability detection service then provides information to a customer associated with the origin server indicating that the vulnerability has been blocked by the cloud-based application vulnerability detection service and that the origin server is subject to the vulnerability.
    Type: Grant
    Filed: June 14, 2024
    Date of Patent: October 21, 2025
    Assignee: CLOUDFLARE, INC.
    Inventor: Michiel Louis Appelman
  • Patent number: 12452303
    Abstract: A computer-implemented method, executed by one or more email detection computers, receives from a computer network, a first email message from a first sender account to a first recipient account and having a plurality of attributes. The method determines that the first email message is a phishing email, extracts a subset of attributes, normalizes transformable attributes, and generates a hash representation from fixed attributes and the normalized transformable attributes, stores the hash representation in a database, receives a second email message, and determines that the second email message is a phishing email based on the stored hash representation.
    Type: Grant
    Filed: February 5, 2024
    Date of Patent: October 21, 2025
    Assignee: CLOUDFLARE, INC.
    Inventor: Javier Castro
  • Patent number: 12452193
    Abstract: Automatic speculation configuration management is described. An intermediary server receives a request from a client. The resource is retrieved from the origin server, where the resource includes link(s) to other resource(s). The intermediary server generates and transmits a response that includes a header that references a speculation configuration for prefetching at least one of the other resource(s). The intermediary server receives a request for the speculation configuration from the client. The intermediary server generates and transmits a response to the client that includes the speculation configuration. The intermediary server receives a prefetching request from the client for one of the resources indicated in the speculation configuration, retrieves that resource, and transmits a response to the client with that resource.
    Type: Grant
    Filed: September 25, 2024
    Date of Patent: October 21, 2025
    Assignee: CLOUDFLARE, INC.
    Inventors: Alex Krivit, Syed Suleman Ahmad, Matthew Gumport, Connor Harwood, Thomas Hatzopoulos, Jee Hoon Kim, Young Keun Park, Anthony Raymond Rabia Seure, Avani Gadani, William Woodhead
  • Patent number: 12452345
    Abstract: A compute server of a distributed cloud computing network receives an inference request that is directed to an AI model hosted at a destination external to the distributed cloud computing network. The compute server determines that the inference request satisfies security rules associated with the AI model. Upon determining that the inference request is not answerable from a cache, the compute server transmits the inference request to the AI model hosted at the external destination. The compute server receives an inference response from the AI model in response to the inference request, transmits the inference response, and stores the inference request and the inference response in cache.
    Type: Grant
    Filed: September 26, 2024
    Date of Patent: October 21, 2025
    Assignee: CLOUDFLARE, INC.
    Inventors: Michelle Chen, Dane Orion Knecht, Celso Martinho, Yoav Moshe, Simona Andreea Badoiu
  • Patent number: 12445483
    Abstract: An authoritative domain name system (DNS) server receives DNS requests for domains. The authoritative DNS server transmits DNS responses to the DNS requests with address records that include IP addresses that are selected from a larger pool of IP addresses, where a first DNS response can include IP addresses different from IP addresses included in a second DNS response for the same domain. Also, the same IP addresses may be returned for a first domain and a different, second domain. The authoritative DNS server may select the IP addresses to include in DNS responses to the DNS requests using a round-robin process.
    Type: Grant
    Filed: November 13, 2023
    Date of Patent: October 14, 2025
    Assignee: CLOUDFLARE, INC.
    Inventors: Lee Hahn Holloway, Srikanth N. Rao, Matthew Browning Prince, Matthieu Philippe François Tourne, Ian Gerald Pye, Ray Raymond Bejjani, Terry Paul Rodery, Jr.
  • Patent number: 12430617
    Abstract: An email is received that is from an email sender. From the email, the display name of the email sender, an email address of the email sender, and an email domain of the email sender are extracted. A score is determined for the email based on at least: the extracted display name of the email sender, the extracted email address of the email sender, and the extracted email domain of the email sender, where the score indicates a probability that the email is from a legitimate sender. Message content of the email is input into multiple classifiers each corresponding to a particular message type. The message type of the email is determined based on output of the classifiers. Based on at least the determined score for the email and the determined message type of the email, a determination is made whether the email is associated with a BEC attack.
    Type: Grant
    Filed: December 22, 2023
    Date of Patent: September 30, 2025
    Assignee: CLOUDFLARE, INC.
    Inventors: Umalatha Batchu, Torsten Zeppenfeld, Blake Darche, Philip Syme
  • Patent number: 12425366
    Abstract: An edge server of a distributed edge compute and routing service receives a tunnel connection request from a tunnel client residing on an origin server, that requests a tunnel be established between the edge server and the tunnel client. The request identifies the hostname that is to be tunneled. An IP address is assigned for the tunnel. DNS record(s) are added or changed that associate the hostname with the assigned IP address. Routing rules are installed in the edge servers of the distributed edge compute and routing service to reach the edge server for the tunneled hostname. The edge server receives a request for a resource of the tunneled hostname from another edge server that received the request from a client, where the other edge server is not connected to the origin server. The request is transmitted from the edge server to the origin server over the tunnel.
    Type: Grant
    Filed: February 26, 2024
    Date of Patent: September 23, 2025
    Assignee: CLOUDFLARE, INC.
    Inventors: Dane Orion Knecht, John Graham-Cumming, Dani Grant, Christopher Philip Branch, Tom Paseka
  • Patent number: 12407625
    Abstract: A method involves receiving, at a Global Resource Catalog (GRC) controller, credentials for one or more target networks within a distributed cloud network. For each target network, the GRC controller uses a respective network access methodology associated with that target network to identify and store a first set of target network resources associated with that network at a GRC database. The GRC controller links or groups a second set of target network resources of the first set of target network resources in the GRC database based on target network resource dependencies determined by the GRC controller. The GRC controller updates the second set of target network resources in the GRC database based on a received event or at a scheduled interval. A distributed cloud network is then updated based on the second set of target network resources stored at the GRC database.
    Type: Grant
    Filed: March 6, 2024
    Date of Patent: September 2, 2025
    Assignee: Cloudflare, Inc.
    Inventors: David Naylor, Eric Carino, Matthew Mukerjee, Ryan Standt, Michael Tovino, Meigy Tsai, Stephen Welham