Patents by Inventor Charles E. Gero
Charles E. Gero has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Publication number: 20260106876
Abstract: Methods for implementing Proof of Work (PoW) as an authorization signal are provided in a multi-node distributed operating environment wherein a set of authorization proxies are used to control access to protected resources. Each authorization proxy is enabled to provide PoW challenges to requesting clients. The methods enforce the constraint that PoW can only be exchanged for access once. The approach thus prevents replays of PoW, e.g., wherein a client could do the work and then use that PoW for access multiple times, or a nefarious user could steal the PoW from another client to gain access to the protected resource.
Type: Application
Filed: December 16, 2025
Publication date: April 16, 2026
Inventors: Charles E. Gero, Vishal A. Patel, David Tang
-
Publication number: 20260039699
Abstract: A method, apparatus and computer program product provides for zero configuration service registration in association with a network-accessible infrastructure that hosts services on behalf of an enterprise. A service is required to be registered with an authority before being online. The technique is implemented in a network-based automated bootstrap mechanism. In operation, and responsive to a determination that a new service instance is required to be brought online, a determination is made whether a peer service instance has an existing registration with the authority and is active. If so, and without requiring manual intervention, that existing registration is then leveraged on behalf of the new service instance to automatically register that instance with the authority. After automatically registering the new service instance, that instance is then executed in the network-accessible infrastructure. Several automated bootstrap mechanisms are described.
Type: Application
Filed: August 5, 2024
Publication date: February 5, 2026
Inventors: Charles E. Gero, Rishi Dhupar, David Tang, Vishal Patel
-
Publication number: 20260025359
Abstract: An agent deployed within a private network creates on-demand connections to an intermediary node outside the private network. When a client contacts the intermediary node for an application or more generally any service available from within the private network, the intermediary node signals the agent to create the on-demand connection outbound to the intermediary. The agent may include advance information in the signal that accelerates the establishment of the on-demand connection and/or transmission of responsive data to the client.
Type: Application
Filed: August 22, 2025
Publication date: January 22, 2026
Applicant: Akamai Technologies, Inc.
Inventors: David Tang, Charles E. Gero
-
Patent number: 12500898
Abstract: Methods for implementing Proof of Work (PoW) as an authorization signal are provided in a multi-node distributed operating environment wherein a set of authorization proxies are used to control access to protected resources. Each authorization proxy is enabled to provide PoW challenges to requesting clients. The methods enforce the constraint that PoW can only be exchanged for access once. The approach thus prevents replays of PoW, e.g., wherein a client could do the work and then use that PoW for access multiple times, or a nefarious user could steal the PoW from another client to gain access to the protected resource.
Type: Grant
Filed: December 18, 2023
Date of Patent: December 16, 2025
Assignee: Akamai Technologies, Inc.
Inventors: Charles E. Gero, Vishal A. Patel, David Tang
-
Publication number: 20250279995
Abstract: A multi-factor authentication scheme uses an MFA authentication service and a browser extensionless phish-proof method to facilitate an MFA workflow. Phish-proof MFA verifies that the browser the user is in front of is actually visiting the authentic (real) site and not a phished site. This is achieved by only allowing MFA to be initiated from a user trusted browser by verifying its authenticity through a signing operation using a key only it possesses, and then also verifying that the verified browser is visiting the authentic site. In a preferred embodiment, this latter check is carried out using an iframe postMessage owning domain check. In a variant embodiment, the browser is verified to be visiting the authentic site through an origin header check. By using the iframe-based or ORIGIN header-based check, the solution does not require a physical security key (such as a USB authenticator) or any browser extension or plug-in.
Type: Application
Filed: May 20, 2025
Publication date: September 4, 2025
Inventor: Charles E. Gero
-
Publication number: 20250254539
Abstract: This disclosure provides for Artificial Intelligence (AI) support in a distributed computing environment. First machine learning models are configured in a first network located between requesting clients, and a second network, which hosts a second machine learning model, such as a Large Language Model (LLM). Significant processing efficiencies are obtained by provisioning these ML models on the respective networking components. Preferably, and as between a first machine learning model and the second machine learning model, the first machine learning model provides inferencing at a lower cost but with less accuracy. In response to receipt of a request by a first machine learning model, a response is generated. The response is forwarded onward to the second machine learning model for additional handling. The first machine learning model executes primarily on Central Processing Units (CPUs), and the second machine learning model executes primarily on Graphics Processing Units (GPUs).
Type: Application
Filed: February 3, 2025
Publication date: August 7, 2025
Inventors: Andrew F. Champagne, Michael Meridith, Charles E. Gero, Ramanath Iyer
-
Publication number: 20250202905
Abstract: Methods for implementing Proof of Work (PoW) as an authorization signal are provided in a multi-node distributed operating environment wherein a set of authorization proxies are used to control access to protected resources. Each authorization proxy is enabled to provide PoW challenges to requesting clients. The methods enforce the constraint that PoW can only be exchanged for access once. The approach thus prevents replays of PoW, e.g., wherein a client could do the work and then use that PoW for access multiple times, or a nefarious user could steal the PoW from another client to gain access to the protected resource.
Type: Application
Filed: December 18, 2023
Publication date: June 19, 2025
Inventors: Charles E. Gero, Vishal A. Patel, David Tang
-
Publication number: 20250071091
Abstract: A location service for automatic discovery of locations at which instances of an internal enterprise application are located. The location service is configured to facilitate routing of connection requests directed to the internal enterprise application, which typically is hosted in distinct enterprise locations. The service works in association with a set of connectors that each have an associated public Internet Protocol (IP) address (typically of a device to which the connector is coupled) at which it is reachable and through which a connection to an internal enterprise application instance can be proxied. Connections to the internal enterprise application are routable along a network path from a client to a given connector through a set of intermediary nodes. Using information collected from the connectors, the service performs a series of correlations (viz.
Type: Application
Filed: August 22, 2023
Publication date: February 27, 2025
Applicant: Akamai Technologies, Inc.
Inventors: Charles E. Gero, David Tang, Vishal Patel
-
Patent number: 12212635
Abstract: A method of traffic forwarding and disambiguation through the use of local proxies and addresses. The technique leverages DNS to on-ramp traffic to a local proxy. The local proxy runs on the end user's device. According to a first embodiment, DNS is used to remap what would normally be a wide range of IP addresses to localhost based on 127.0.0.0/8 listening sockets, where the system can then listen for connections and data. In a second embodiment, a localhost proxy based on a TUN/TAP interface (or other packet interception method) with a user-defined CIDR range to which the local DNS server drives traffic is used. Requests on that local proxy are annotated (by adding data to the upstream connection).
Type: Grant
Filed: January 3, 2023
Date of Patent: January 28, 2025
Assignee: Akamai Technologies, Inc.
Inventors: Seetharama Sarma Ayyadevara, Charles E. Gero, Stephan Benny, Pravin Tatti, Manoj Kumar, Seemant Choudhary, Robert Lauro Quiros, Priyatham Phani Srinath Adigopula, Poornima Venkatesha, Sumeet Gupta
-
Publication number: 20240275778
Abstract: A multi-factor authentication scheme uses an MFA authentication service and a browser extensionless phish-proof method to facilitate an MFA workflow. Phish-proof MFA verifies that the browser the user is in front of is actually visiting the authentic (real) site and not a phished site. This is achieved by only allowing MFA to be initiated from a user trusted browser by verifying its authenticity through a signing operation using a key only it possesses, and then also verifying that the verified browser is visiting the authentic site. In a preferred embodiment, this latter check is carried out using an iframe postMessage owning domain check. In a variant embodiment, the browser is verified to be visiting the authentic site through an origin header check. By using the iframe-based or ORIGIN header-based check, the solution does not require a physical security key (such as a USB authenticator) or any browser extension or plug-in.
Type: Application
Filed: April 16, 2024
Publication date: August 15, 2024
Inventor: Charles E. Gero
-
Publication number: 20240160727
Abstract: A technique to detect and mitigate anomalous Application Programming Interface (API) behavior associated with an application having a set of APIs is described. Across one or more sessions during a time period, and in response to receiving a set of one or more transactions directed to the application, a behavioral graph is generated. The graph comprises a set of vertices, an associated set of edges, and a set of weights representing frequency of observation of one or more behaviors, wherein a behavior is denoted by an edge between a pair of connected vertices, wherein the edge depicts at least one interdependent relationship between first and second APIs of the set of APIs. One or more low weight edges are filtered from the behavioral graph to generate a decision graph. The decision graph is then used to detect that one or more new transactions represent anomalous behavior. In response to detecting that the given new transaction represents the anomalous behavior, an action is taken to protect the application.
Type: Application
Filed: November 8, 2022
Publication date: May 16, 2024
Applicant: Akamai Technologies, Inc.
Inventors: Charles E. Gero, Vishal A. Patel
-
Patent number: 11985190
Abstract: Stream-based data deduplication is provided in a multi-tenant shared infrastructure but without requiring “paired” endpoints having synchronized data dictionaries. Data objects processed by the dedupe functionality are treated as objects that can be fetched as needed. As such, a decoding peer does not need to maintain a symmetric library for the origin. Rather, if the peer does not have the chunks in cache that it needs, it follows a conventional content delivery network procedure to retrieve them. In this way, if dictionaries between pairs of sending and receiving peers are out-of-sync, relevant sections are then re-synchronized on-demand. The approach does not require that libraries maintained at a particular pair of sender and receiving peers are the same. Rather, the technique enables a peer, in effect, to “backfill” its dictionary on-the-fly. On-the-wire compression techniques are provided to reduce the amount of data transmitted between the peers.
Type: Grant
Filed: September 15, 2020
Date of Patent: May 14, 2024
Assignee: Akamai Technologies, Inc.
Inventors: F. Thomson Leighton, Andrew F. Champagne, Charles E. Gero, Guy Podjarny
-
Patent number: 11962580
Abstract: A multi-factor authentication scheme uses an MFA authentication service and a browser extensionless phish-proof method to facilitate an MFA workflow. Phish-proof MFA verifies that the browser the user is in front of is actually visiting the authentic (real) site and not a phished site. This is achieved by only allowing MFA to be initiated from a user trusted browser by verifying its authenticity through a signing operation using a key only it possesses, and then also verifying that the verified browser is visiting the authentic site. In a preferred embodiment, this latter check is carried out using an iframe postMessage owning domain check. In a variant embodiment, the browser is verified to be visiting the authentic site through an origin header check. By using the iframe-based or ORIGIN header-based check, the solution does not require a physical security key (such as a USB authenticator) or any browser extension or plug-in.
Type: Grant
Filed: November 17, 2021
Date of Patent: April 16, 2024
Assignee: Akamai Technologies, Inc.
Inventor: Charles E. Gero
-
Patent number: 11956317
Abstract: A system for enterprise collaboration is associated with an overlay network, such as a content delivery network (CDN). The overlay network comprises machines capable of ingress, forwarding and broadcasting traffic, together with a mapping infrastructure. The system comprises a front-end application, a back-end application, and a set of one or more APIs through which the front-end application interacts with the back-end application. The front-end application is a web or mobile application component that provides one or more collaboration functions. The back-end application comprises a signaling component that maintains state information about each participant in a collaboration, a connectivity component that manages connections routed through the overlay network, and a multiplexing component that manages a multi-peer collaboration session to enable an end user peer to access other peers' media streams through the overlay network rather than directly from another peer.
Type: Grant
Filed: February 7, 2023
Date of Patent: April 9, 2024
Assignee: Akamai Technologies, Inc.
Inventors: Charles E. Gero, Thomas Houman, Abhijit C. Mehta, Greg Burd, Vladimir Shtokman
-
Patent number: 11716368
Abstract: A method of multicasting real-time video is described. The method begins by establishing a multicast network of machines capable of ingress, forwarding and broadcasting traffic, together with a mapping infrastructure. The multicast network preferably comprises a portion of an overlay network, such as a content delivery network (CDN). A video stream is published to the multicast network by (a) using the mapping infrastructure to find an ingress node in the multicast network, and then receiving the video stream from a publisher at the ingress node. One or more subscribers then subscribe to the video stream. In particular, and for a subscriber, this subscription is carried out by (a) using the mapping infrastructure to find an egress node for the requesting client, and then delivering the video stream to the subscriber from the egress node. Preferably, the publisher and each subscriber use WebRTC to publish or consume the video stream, and the video stream is consumed in a videoconference.
Type: Grant
Filed: March 15, 2021
Date of Patent: August 1, 2023
Assignee: Akamai Technologies, Inc.
Inventors: Charles E. Gero, Martin Lohner, Abhijit C. Mehta, Brandon O. Williams
-
Publication number: 20230188606
Abstract: A system for enterprise collaboration is associated with an overlay network, such as a content delivery network (CDN). The overlay network comprises machines capable of ingress, forwarding and broadcasting traffic, together with a mapping infrastructure. The system comprises a front-end application, a back-end application, and a set of one or more APIs through which the front-end application interacts with the back-end application. The front-end application is a web or mobile application component that provides one or more collaboration functions. The back-end application comprises a signaling component that maintains state information about each participant in a collaboration, a connectivity component that manages connections routed through the overlay network, and a multiplexing component that manages a multi-peer collaboration session to enable an end user peer to access other peers' media streams through the overlay network rather than directly from another peer.
Type: Application
Filed: February 7, 2023
Publication date: June 15, 2023
Applicant: Akamai Technologies, Inc.
Inventors: Charles E. Gero, Thomas Houman, Abhijit C. Mehta, Greg Burd, Vladimir Shtokman
-
Patent number: 11677793
Abstract: Stream-based data deduplication is provided in a multi-tenant shared infrastructure but without requiring “paired” endpoints having synchronized data dictionaries. Data objects processed by the dedupe functionality are treated as objects that can be fetched as needed. As such, a decoding peer does not need to maintain a symmetric library for the origin. Rather, if the peer does not have the chunks in cache that it needs, it follows a conventional content delivery network procedure to retrieve them. In this way, if dictionaries between pairs of sending and receiving peers are out-of-sync, relevant sections are then re-synchronized on-demand. The approach does not require that libraries maintained at a particular pair of sender and receiving peers are the same. Rather, the technique enables a peer, in effect, to “backfill” its dictionary on-the-fly. On-the-wire compression techniques are provided to reduce the amount of data transmitted between the peers.
Type: Grant
Filed: July 6, 2021
Date of Patent: June 13, 2023
Assignee: Akamai Technologies, Inc.
Inventors: Charles E. Gero, Andrew F. Champagne, F. Thomson Leighton
-
Publication number: 20230155998
Abstract: A multi-factor authentication scheme uses an MFA authentication service and a browser extensionless phish-proof method to facilitate an MFA workflow. Phish-proof MFA verifies that the browser the user is in front of is actually visiting the authentic (real) site and not a phished site. This is achieved by only allowing MFA to be initiated from a user trusted browser by verifying its authenticity through a signing operation using a key only it possesses, and then also verifying that the verified browser is visiting the authentic site. In a preferred embodiment, this latter check is carried out using an iframe postMessage owning domain check. In a variant embodiment, the browser is verified to be visiting the authentic site through an origin header check. By using the iframe-based or ORIGIN header-based check, the solution does not require a physical security key (such as a USB authenticator) or any browser extension or plug-in.
Type: Application
Filed: November 17, 2021
Publication date: May 18, 2023
Applicant: Akamai Technologies, Inc.
Inventor: Charles E. Gero
-
Publication number: 20230133809
Abstract: A method of traffic forwarding and disambiguation through the use of local proxies and addresses. The technique leverages DNS to on-ramp traffic to a local proxy. The local proxy runs on the end user's device. According to a first embodiment, DNS is used to remap what would normally be a wide range of IP addresses to localhost based on 127.0.0.0/8 listening sockets, where the system can then listen for connections and data. In a second embodiment, a localhost proxy based on a TUN/TAP interface (or other packet interception method) with a user-defined CIDR range to which the local DNS server drives traffic is used. Requests on that local proxy are annotated (by adding data to the upstream connection).
Type: Application
Filed: January 3, 2023
Publication date: May 4, 2023
Applicant: Akamai Technologies, Inc.
Inventors: Seetharama Sarma Ayyadevara, Charles E. Gero, Stephan Benny, Pravin Tatti, Manoj Kumar, Seemant Choudhary, Robert Lauro Quiros, Priyatham Phani Srinath Adigopula, Poornima Venkatesha, Sr., Sumeet Gupta
-
Patent number: 11610011
Abstract: It is often necessary to securely transfer data, such as authenticators or authorization tokens, between programs running on the same end-user device. The teachings hereof enable the pairing of two programs executing on a given end-user device and then the transfer of data from one program to the other. In an embodiment, a first program connects to a server and sends encrypted data elements. A second program intercepts the connection and/or the encrypted data elements. The second program tunnels the encrypted data elements (which remain opaque to the second program at this point) to a server, using an encapsulating protocol. This enables the server to receive the data elements sent by the first program, decrypt them, and provide them to the second program via return message using control fields of the encapsulating protocol. Once set up, the tunneling arrangement enables bidirectional data transfer.
Type: Grant
Filed: January 29, 2021
Date of Patent: March 21, 2023
Assignee: Akamai Technologies, Inc.
Inventors: David Tang, Charles E. Gero, Cameron Ross