Patents Assigned to Radware Ltd.
-
Patent number: 9542501
Abstract: Viewing of web pages is improved by prioritizing image rendering based on positioning of images within a web page. For example, for images that are likely to be initially viewable upon presentation of the web page (i.e., prior to scrolling), compressed proxy versions are made available so that the images can be transferred and rendered more quickly. These compressed proxy images are later replaced with better quality renderings of the same images. Fetching of images that are not initially visible can be deferred until after other, more important page resources are loaded. Prioritization of page loading in this manner helps to ensure that the page becomes operational earlier, resulting in improved perceived speed and responsiveness, and greater ease of navigation.
Type: Grant
Filed: January 25, 2012
Date of Patent: January 10, 2017
Assignee: Radware Ltd.
Inventors: Shawn Bissell, Kent Alstad, Michael R. Benna
-
Patent number: 9507643
Abstract: A virtualized application delivery controller (ADC) device operable in a communication network comprises a hardware infrastructure including at least a memory, a plurality of core processors, and a network interface; a plurality of instances of virtual ADCs (vADCs), the plurality of vADCs are executed over the hardware infrastructure, each of the plurality of vADCs utilizes a portion of hardware resources of the hardware infrastructure, the portion of hardware resources are determined by at least one ADC capacity unit allocated for each of the plurality of the vADCs; a management module for at least creating the plurality of instances of the vADCs; and a traffic distributor for distributing incoming traffic to one of the plurality of vADCs and scheduling execution of the plurality of vADCs on the plurality of core processors, wherein each of the plurality of vADCs is independently executed on at least one of the plurality of core processors.
Type: Grant
Filed: February 27, 2012
Date of Patent: November 29, 2016
Assignee: Radware, Ltd.
Inventors: Ilia Ferdman, Amir Peles, Uri Bechar, Gil Shulman, Giora Tenne
-
Patent number: 9489222
Abstract: A method for workload balancing among a plurality of physical machines hosting a plurality of virtual machines (VMs) is disclosed. The method comprises periodically measuring a utilization of each hardware resource in each of the plurality of physical machines; computing a resource utilization score for each hardware resource based on its respective measured utilization; computing a total physical machine utilization score for each physical machine based on the computed resource utilization scores of its respective resources; and upon reception of a client request corresponding to a software application, selecting one physical machine of the plurality of physical machines to serve the client request, wherein the selection is based on the computed total physical machine utilization.
Type: Grant
Filed: August 21, 2012
Date of Patent: November 8, 2016
Assignee: Radware, Ltd.
Inventor: Gilad Zlotkin
-
Patent number: 9455864
Abstract: A method and system for creating, distributing, and managing of shared compression dictionaries. The system comprises a compressor configured to generate at least one shared compression dictionary based on a context of data streams flow between a client web browser and an origin server; an origin accelerator communicatively connected to the origin server and configured to encode an encountered data stream to a compressed form based on the at least one shared compression dictionary; and an edge accelerator communicatively connected to the client web browser and configured to decode the compressed form of the data stream to an uncompressed form using the at least one shared compression dictionary.
Type: Grant
Filed: June 25, 2013
Date of Patent: September 27, 2016
Assignee: Radware, Ltd.
Inventors: Kent Alstad, Shawn Bissell, Stephen Meehan, Michael R. Benna
-
Patent number: 9450981
Abstract: A method for efficient mitigation of denial of service (DoS) attacks in a virtual network. The method maintains a security service level agreement (SLA) guaranteed to protected objects. The method includes ascertaining that a denial of service (DoS) attack is performed in the virtual network; checking if the DoS attack affects at least one physical machine hosting at least one protected object, wherein the protected object is provisioned with at least a guaranteed security service level agreement (SLA); determining, by a central controller of the virtual network, an optimal mitigation action to ensure the at least one security SLA guaranteed to the at least one protected object; and executing the determined optimal mitigation action to mitigate the DoS attack, wherein the optimal mitigation action is facilitated by resources of the virtual network.
Type: Grant
Filed: March 14, 2013
Date of Patent: September 20, 2016
Assignee: Radware, Ltd.
Inventors: Ehud Doron, Avi Chesla
-
Patent number: 9386085
Abstract: A method for managing an application delivery controller (ADC) cluster operable in a software defined networking (SDN)-based network and including a plurality of ADC virtual appliances (VAs). The method comprises creating, by a central controller, a hash table including a plurality of buckets allocated to active VAs out of the plurality of VAs, each bucket is assigned to a range of a source internet protocol (IP) addresses of a client; and programming by the central controller at least one ingress network element connected to the ADC cluster and receive incoming traffic from clients to perform a balanced incoming traffic distribution among the plurality of VAs, wherein the traffic distribution is based in part on the allocation of the buckets to the plurality of VAs and the SIP addresses of the clients originating the incoming traffic. The plurality of VAs are virtual ADC instances operable in the plurality of physical devices.
Type: Grant
Filed: April 4, 2013
Date of Patent: July 5, 2016
Assignee: Radware, Ltd.
Inventors: Ehud Doron, Masato Sekiguchi
-
Patent number: 9384058
Abstract: A method for executing virtual application delivery controllers (vADCs) having different application versions over a computing device. The method comprises installing a virtualization infrastructure in the computing device; creating by the virtualization infrastructure a plurality of vADCs having different application versions, wherein each vADC is created from a software image maintained in a hardware infrastructure of the computing device; gathering version information associated with each of the plurality of vADCs; independently executing the plurality of vADCs over an operating system of the computing device; and controlling the execution of the plurality of the vADCs over an operating system of the computing device using the virtualization infrastructure using in part the version information. In one embodiment, each of the plurality of vADCs does not execute its own guest operating system.
Type: Grant
Filed: February 27, 2012
Date of Patent: July 5, 2016
Assignee: Radware, Ltd.
Inventors: Ilia Ferdman, Gil Shulman, Uri Bechar, Giora Tenne, Nissim Nisimov, Orit Rotem
-
Patent number: 9344448
Abstract: A method and system for detecting and mitigating attacks performed using a cryptographic protocol are provided. The method comprises establishing an encrypted connection with the client using the cryptographic protocol, upon receiving an indication about a potential attack; receiving an inbound traffic from a client, wherein the inbound traffic is originally directed to a protected entity; analyzing application layer attributes of only the inbound traffic received on the encrypted connection to detect at least one encrypted attack; and causing to establish a new encrypted connection between the client and the protected entity, if the at least one encrypted attack at the application layer has not been detected.
Type: Grant
Filed: September 4, 2014
Date of Patent: May 17, 2016
Assignee: Radware, Ltd.
Inventors: Avi Chesla, Yosefa Shulman, Ziv Ichilov, Iko Azoulay
-
Patent number: 9336396
Abstract: A system for generating a security policy for protecting an application-layer entity. The system comprises a security sitemap generator for generating a security sitemap of a protected application-layer entity, the security sitemap is stored in a first repository connected to the security sitemap generator; and a policy builder for generating a security policy for the application-layer entity based on the security sitemap, the security policy is stored in a second repository connected to the policy builder, wherein the security policy includes a plurality of enforcement rules for at least one of a resource, a group of resources, and a client-side input parameter of at least a portion of the protected application-layer entity.
Type: Grant
Filed: October 25, 2010
Date of Patent: May 10, 2016
Assignee: Radware, Ltd.
Inventors: Michael Groskop, Roy Zisapel
-
Patent number: 9307052
Abstract: According to various embodiments of the present invention, acceleration can be used in connection with edge caching. Edge Side Landing Pages (ESL pages) are cached upstream on a Content Delivery Network (CDN), so as to reduce or eliminate round trips to the origin, thereby improving efficiency and reducing latency. ESL pages optimize performance for first time and repeat visitors for pages flagged to be cached upstream on the CDN. This allows pages cached on the CDN to be accelerated in addition to being cached. At the same time the system still efficiently serves requests to the origin for pages that are not cached on the CDN.
Type: Grant
Filed: March 6, 2013
Date of Patent: April 5, 2016
Assignee: Radware, Ltd.
Inventors: Kent Alstad, Michael R. Benna, Shawn Bissell
-
Patent number: 9292467
Abstract: In a client/server environment wherein resources are returned in response to client requests, a resource can be in-lined the first time it is requested, and then cached locally for use in connection with subsequent requests. When a user returns to the page for a subsequent visit, the resource requests are served from the local cache, thus avoiding the need for re-transmission with each response. According to various embodiments, the system and method of the present invention can be implemented in connection with delivery of any content in a client/server system, including for example HTML responses to requests for web pages. In at least one embodiment, the techniques described herein are tailored to mobile data network constraints; however, these techniques can be applied to any data network.
Type: Grant
Filed: September 7, 2012
Date of Patent: March 22, 2016
Assignee: Radware, Ltd.
Inventors: Jarrod Connolly, Kent Alstad
-
Patent number: 9294502
Abstract: A computerized method and system for detecting access of a protected server by malicious bots are provided. The method comprises receiving a request from a client machine; generating a polymorphic script code challenge that includes a scrambled secret; sending the polymorphic script code challenge to the client machine in response to the received request; receiving a token from the client machine in response to the polymorphic script code challenge; comparing contents of the token to the secret in its unscrambled form; and determining the client machine to be a malicious bot in an event including any one of the token does not match the secret and a token has not been received, wherein a new polymorphic script code challenge containing a new scrambled secret is generated for each new request received from a client machine.
Type: Grant
Filed: February 18, 2014
Date of Patent: March 22, 2016
Assignee: Radware, Ltd.
Inventor: Eyal Benishti
-
Patent number: 9231853
Abstract: A method and network device for managing a multi-homed network are provided. The method comprises receiving a request from a client within a client computer network directed to a remote server computer within a remote computer network, wherein the client and the remote server computer are connected through a plurality of data routes, each of the plurality of data routes is connected to a router; selecting a data route from the plurality of data routes to route the received request, wherein the selection of the data route is based on a decision function; translating a source IP address of the client to an IP address corresponding to the selected data route; and routing the received request from the client to the remote server computer over the selected data route.
Type: Grant
Filed: July 16, 2014
Date of Patent: January 5, 2016
Assignee: Radware, Ltd.
Inventors: Roy Zisapel, Amir Peles, Smadar Fuks
-
Patent number: 9210180
Abstract: A method and system for separation of traffic processing in a software defined network (SDN). The method comprises allocating a first group of computing resources of a computing farm to a trusted zone and a second group of computing resources to an un-trusted zone; assigning the computing resources in the first group to a first ADC and the computing resources in the second group with a second ADC; triggering a zoning mode in the computing frame to mitigate a potential cyber-attack; and causing at least one network element in the SDN to divert traffic from a trusted client to the first group of computing resources and traffic from an un-trusted client to the second group of computing resources based on a plurality of zoning rules implemented by the at least one network element.
Type: Grant
Filed: January 17, 2013
Date of Patent: December 8, 2015
Assignee: Radware Ltd.
Inventors: Yehuda Zisapel, Avi Chesla, Shay Naeh, David Aviv, Ehud Doron
-
Patent number: 9143558
Abstract: A mechanism for achieving resiliency and load balancing for SIP application services and, in particular, in geographic distributed sites. A method performs a distribution of SIP requests among SIP servers, where at least two sites with a load balancer in each site is configured. The method includes receiving a SIP request by a first load balancer in a first site; determining whether the SIP request should be redirected to a second site; and redirecting the SIP request to an address of a second load balancer in the second site. The invention also includes a SIP proxy including a receiving unit receiving SIP requests; a load balancing unit distributing SIP requests between SIP entities; and a health monitoring unit verifying availability of the SIP entities. The SIP proxy may further be configured with a proximity measuring unit determining a proximity to a SIP entity.
Type: Grant
Filed: May 9, 2007
Date of Patent: September 22, 2015
Assignee: Radware, Ltd.
Inventors: Emanuel Blander, Amir Peles
-
Patent number: 9130977
Abstract: A system and method for separation of traffic processing in a computing farm. The method comprises allocating a first group of computing resources of the computing farm to a trusted zone and a second group of computing resources to an un-trusted zone, wherein the computing resources in the first group are allocated to ensure at least service-level agreements (SLA) guaranteed to a group of trusted clients; determining, based on a plurality of security risk indication parameters, if a client associated with an incoming traffic is a trusted client or an un-trusted client; forwarding the incoming traffic to the second group of computing resources when the client is determined to be an un-trusted client; and diverting the incoming traffic to the first group of computing resources when the client is determined to be a trusted client, thereby ensuring at least the SLA guaranteed to the trusted client.
Type: Grant
Filed: January 17, 2013
Date of Patent: September 8, 2015
Assignee: Radware, Ltd.
Inventors: Yehuda Zisapel, Avi Chesla, Shay Naeh, David Aviv
-
Patent number: 9112901
Abstract: A system, method and device for providing connection resiliency. The method including maintaining, by a first proxy, a TCP connection with a TCP client and a TCP connection with a TCP server through one or more TCP networks; maintaining information of both TCP connections by a forwarding component between the TCP networks and the first proxy; establishing, by the forwarding component, a new TCP connection with a second proxy for each of the TCP connections maintained by the first proxy; and forwarding data, to and from both the client and the server, to and from the second proxy without disconnection of the TCP connections of the TCP client and TCP server.
Type: Grant
Filed: November 20, 2007
Date of Patent: August 18, 2015
Assignee: Radware, Ltd.
Inventors: Emanuel Blander, Amir Peles
-
Patent number: 9055006
Abstract: A method for mitigating of denial of service (DoS) attacks in a software defined network (SDN). The method comprises receiving a DoS attack indication performed against at least one destination server; programming each network element in the SDN to forward a packet based on a diversion value designated in a packet diversion field, upon reception of the DoS attack indication; instructing at least one peer network element in the SDN to mark a diversion field in each packet in the incoming traffic addressed to the destination server to allow diversion of the packet to a security server; and instructing edge network elements in the SDN to unmark the diversion field of each packet output by the security server, wherein each network element in the SDN is programmed to forward the unmarked packets processed by the security server to the at least one destination server.
Type: Grant
Filed: June 10, 2013
Date of Patent: June 9, 2015
Assignee: Radware, Ltd.
Inventors: Avi Chesla, Ehud Doron
-
Patent number: 8949431
Abstract: A method for an assisted live migration of virtual machines is disclosed. The method comprises receiving an assist request for assisting in a migration of a virtual machine, wherein the assist request includes at least a comfort load level; determining a current load of the virtual machine to be migrated; comparing the current load to the comfort load level; reducing a load on the virtual machine to be migrated until the current load is lower than the comfort load level; and initiating a live migration of the virtual machine to be migrated when the current load is lower than the comfort load level.
Type: Grant
Filed: August 21, 2012
Date of Patent: February 3, 2015
Assignee: Radware, Ltd.
Inventors: Samuel Bercovici, Gilad Zlotkin
-
Patent number: 8832831
Abstract: A method and security system for detecting and mitigating encrypted denial-of-service (DoS) attacks. The system includes a DoS defense (DoSD) module configured to detect an encrypted DoS attack in an inbound traffic by analyzing attributes only in the inbound traffic that relate to at least one of a network layer and an application layer, wherein the DoSD module is further configured to mitigate a detected encrypted attack, the inbound traffic originates at a client and is addressed to a protected server; and a cryptographic protocol engine (CPE) configured to establish a new encrypted session between the client and the security system, decrypt requests included in the inbound traffic, and send encrypted responses to the client over the new encrypted session between the client and the security system.
Type: Grant
Filed: March 21, 2012
Date of Patent: September 9, 2014
Assignee: Radware, Ltd.
Inventors: Avi Chesla, Yosefa Shulman, Ziv Ichilov, Iko Azoulay