Abstract: Some embodiments increase throughput across a connection between a host and a client by initializing the congestion window for that connection dynamically using a previously settled value from a prior instance of the connection established between the same or similar endpoints. An initialization agent tracks congestion window values for previously established connections between a host and various clients. For the tracked congestion window values of each monitored connection, the initialization agent stores an address identifying the client endpoint. When establishing a new connection, the initialization agent determines if the new connection is a recurring connection. A new connection is recurring when the new connection client address is similar or related to an address identified for a previous monitored connection.

Abstract: Some embodiments provide a multi-tenant over-the-top multicast solution that integrates the per user stream customizability of unicast with the large scale streaming efficiencies of multicast. The solution involves an application, different multicast groups streaming an event with different customizations, and a manifest file or metadata identifying the different groups and customizations. The solution leverages the different multicast groups in order to provide different time shifts in the event stream, different quality level encodings of the event stream, and different secondary content to be included with a primary content stream. The application configured with the manifest file or metadata dynamically switches between the groups in order to customize the experience for a user or user device on which the application executes. Switching from multicast to unicast is also supported to supplement available customizations and for failover.

Abstract: Some embodiments provide loop detection and loop prevention mechanisms for messaging passing in between peers in a multi-tier hierarchy. In some embodiments, the messaging header is modified to track which peers have received a copy of the message. Each peer appends its identifier to the message header before passing the message to another peer. When selecting a receiving peer, the sending peer ensures that the receiving peer is not already identified in the message header. If the receiving peer has already received the message, then another peer from a next-peer list is selected to receive the message. If all peers in the next-peer have been traversed, the sending peer returns an error message via a reverse traversal of the peers in the message header.

Abstract: Some embodiments provide an optimized multi-hit caching technique that minimizes the performance impact associated with caching of long-tail content while retaining much of the efficiency and minimal overhead associated with first hit caching in determining when to cache content. The optimized multi-hit caching utilizes a modified bloom filter implementation that performs flushing and state rolling to delete indices representing stale content from a bit array used to track hit counts without affecting identification of other content that may be represented with indices overlapping with those representing the stale content. Specifically, a copy of the bit array is stored prior to flushing the bit array so as to avoid losing track of previously requested and cached content when flushing the bit array and the flushing is performed to remove the bit indices representing stale content from the bit array and to minimize the possibility of a false positive.

Abstract: Some embodiments implement end-to-end certificate pinning for content intake from various content providers and for content distribution to various end users. To ensure secure retrieval of content provider content, the content distributor pins the content provider to one or more certificate authorities. Accordingly, the content distributor only retrieves content from a sender identified as the content provider when the sender identity is verified with a certificate issued by a certificate authority pinned to the content provider. To ensure secure delivery of content from the content distributor to an end user, the content distributor modifies the pinset of the user browser to pin the content distributor to one or more certificate authorities. Thereafter, the user browser only accepts content from a sender identified as the content distributor when the sender identity is verified with a certificate issued by a certificate authority pinned to the content distributor in the browser pinset.

Abstract: Some embodiments modify caching server operation to evict cached content based on a deterministic and multifactor modeling of the cached content. The modeling produces eviction scores for the cached items. The eviction scores are derived from two or more factors of age, size, cost, and content type. The eviction scores determine what content is to be evicted based on the two or more factors included in the eviction score derivation. The eviction scores modify caching server eviction operation for specific traffic or content patterns. The eviction scores further modify caching server eviction operation for granular control over an item's lifetime on cache.

Abstract: Some embodiments increase throughput across a connection between a host and a client by initializing the congestion window for that connection dynamically using a previously settled value from a prior instance of the connection established between the same or similar endpoints. An initialization agent tracks congestion window values for previously established connections between a host and various clients. For the tracked congestion window values of each monitored connection, the initialization agent stores an address identifying the client endpoint. When establishing a new connection, the initialization agent determines if the new connection is a recurring connection. A new connection is recurring when the new connection client address is similar or related to an address identified for a previous monitored connection.

Abstract: Some embodiments override network or router level path selection with application or server controlled path selection by repurposing the type-of-service (ToS) or differentiated services header field. A mapping table maps different ToS values to different available transit provider paths to a particular destination. A server generating a packet to the destination selects one of the available paths according to any of load balanced, failover, or performance optimization criteria. The server sets the packet header ToS field with the value assigned to the selected path. A router operating in the same network as the server is configured with policy based routing rules that similarly map the ToS values to different transit provider paths to the particular destination network. Upon receiving the server generated packet, the router routes the packet to the destination network through the transit provider path identified in the packet header by the server set ToS value.

Abstract: Disclosed are systems and methods for performing entry access over two or more networks. The two or more networks are leveraged to accelerate the entry access and provide redundancy. Performance over each of the two or more networks is tracked in order to allow a mobile device to exchange entry access messaging over the particular network providing fastest start-to-unlock time. The mobile device can alternatively exchange the entry access messaging simultaneously over the two or more networks to create a race condition whereby the fastest start-to-unlock time is obtained without monitoring network performance. Performing the entry access messaging exchange over the two or more networks also ensures reliability in the event a particular network is down or congested, an authorization device on a particular network is down or overloaded, a radio of a mobile device communicating over a particular network is disabled or slow performing.

Abstract: The embodiments provide systems and methods for efficiently and accurately differentiating requests directed to uncacheable content from requests directed to cacheable content based on identifiers from the requests. The differentiation occurs without analysis or retrieval of the content being requested. Some embodiments hash identifiers of prior requests that resulted in uncacheable content being served in order to set indices within a bloom filter. The bloom filter then tracks prior uncacheable requests without storing each of the identifiers so that subsequent requests for uncacheable requests can be easily identified based on a hash of the request identifier and set indices of the bloom filter. Some embodiments produce a predictive model identifying uncacheable content requests by tracking various characteristics found in identifiers of prior requests that resulted in uncacheable content being served.

Abstract: Some embodiments provide a multi-tenant over-the-top multicast solution that integrates the per user stream customizability of unicast with the large scale streaming efficiencies of multicast. The solution involves an application, different multicast groups streaming an event with different customizations, and a manifest file or metadata identifying the different groups and customizations. The solution leverages the different multicast groups in order to provide different time shifts in the event stream, different quality level encodings of the event stream, and different secondary content to be included with a primary content stream. The application configured with the manifest file or metadata dynamically switches between the groups in order to customize the experience for a user or user device on which the application executes. Switching from multicast to unicast is also supported to supplement available customizations and for failover.

Abstract: Some embodiments provide loop detection and loop prevention mechanisms for messaging passing in between peers in a multi-tier hierarchy. In some embodiments, the messaging header is modified to track which peers have received a copy of the message. Each peer appends its identifier to the message header before passing the message to another peer. When selecting a receiving peer, the sending peer ensures that the receiving peer is not already identified in the message header. If the receiving peer has already received the message, then another peer from a next-peer list is selected to receive the message. If all peers in the next-peer have been traversed, the sending peer returns an error message via a reverse traversal of the peers in the message header.

Abstract: Some embodiments provide distributed rate limiting to combat network based attacks launched against a distributed platform or customers thereof. The distributed rate limiting involves graduated monitoring to identify when an attack expands beyond a single server to other servers operating from within the same distributed platform distribution point, and when the attack further expands from one distributed platform distribution point to other distribution points. Once request rates across the distributed platform distribution points exceed a global threshold, a first set of attack protections are invoked across the distributed platform. Should request rates increase or continue to exceed the threshold, additional attack protections can be invoked. Distributed rate limiting allows any server within the distributed platform to assume command and control over the graduated monitoring as well as escalating the response to any identified attack.

Abstract: Some embodiments provide an optimized multi-hit caching technique that minimizes the performance impact associated with caching of long-tail content while retaining much of the efficiency and minimal overhead associated with first hit caching in determining when to cache content. The optimized multi-hit caching utilizes a modified bloom filter implementation that performs flushing and state rolling to delete indices representing stale content from a bit array used to track hit counts without affecting identification of other content that may be represented with indices overlapping with those representing the stale content. Specifically, a copy of the bit array is stored prior to flushing the bit array so as to avoid losing track of previously requested and cached content when flushing the bit array and the flushing is performed to remove the bit indices representing stale content from the bit array and to minimize the possibility of a false positive.

Abstract: Some embodiments provide loop detection and loop prevention mechanisms for messaging passing in between peers in a multi-tier hierarchy. In some embodiments, the messaging header is modified to track which peers have received a copy of the message. Each peer appends its identifier to the message header before passing the message to another peer. When selecting a receiving peer, the sending peer ensures that the receiving peer is not already identified in the message header. If the receiving peer has already received the message, then another peer from a next-peer list is selected to receive the message. If all peers in the next-peer have been traversed, the sending peer returns an error message via a reverse traversal of the peers in the message header.

Abstract: Some embodiments provide intelligent predictive stream caching for live, linear, or video-on-demand streaming content using prefetching, segmented caching, and request clustering. Prefetching involves retrieving streaming content segments from an origin server prior to the segments being requested by users. Prefetching live or linear streaming content segments involves continually reissuing requests to the origin until the segments are obtained or a preset retry duration is completed. Prefetching is initiated in response to a first request for a segment falling within a particular interval. Request clustering commences thereafter. Subsequent requests are queued until the segments are retrieved. Segmented caching involves caching segments for one particular interval. Segments falling within a next interval are not prefetched until a first request for one such segment in the next interval is received.

Abstract: Some embodiments implement end-to-end certificate pinning for content intake from various content providers and for content distribution to various end users. To ensure secure retrieval of content provider content, the content distributor pins the content provider to one or more certificate authorities. Accordingly, the content distributor only retrieves content from a sender identified as the content provider when the sender identity is verified with a certificate issued by a certificate authority pinned to the content provider. To ensure secure delivery of content from the content distributor to an end user, the content distributor modifies the pinset of the user browser to pin the content distributor to one or more certificate authorities. Thereafter, the user browser only accepts content from a sender identified as the content distributor when the sender identity is verified with a certificate issued by a certificate authority pinned to the content distributor in the browser pinset.

Abstract: Some embodiments provide an optimized multi-hit caching technique that minimizes the performance impact associated with caching of long-tail content while retaining much of the efficiency and minimal overhead associated with first hit caching in determining when to cache content. The optimized multi-hit caching utilizes a modified bloom filter implementation that performs flushing and state rolling to delete indices representing stale content from a bit array used to track hit counts without affecting identification of other content that may be represented with indices overlapping with those representing the stale content. Specifically, a copy of the bit array is stored prior to flushing the bit array so as to avoid losing track of previously requested and cached content when flushing the bit arrays and the flushing is performed to remove the bit indices representing stale content from the bit array and to minimize the possibility of a false positive.

Abstract: Some embodiments provide a content delivery network (CDN) solution that affords the CDN control over those elements of customer content that are delivered by third parties. The CDN integrates a distributed set of monitoring agents. Each monitoring agent monitors the delivery performance of third parties to the region in which the agent operates. The CDN uses the performance monitoring information to dynamically manage the content tags to the third-party delivered elements of CDN-customer content. Specifically, a CDN server retrieves the parent page for requested CDN-customer content. The CDN server identifies the region from where the request originates and retrieves the logs from the monitoring agents monitoring from that region. The CDN server then modifies the base page by dynamically removing the tags to the third-party delivered elements that are reported in the monitoring agent logs as being unavailable, inaccessible, or underperforming in the identified region.

Abstract: Some embodiments provide techniques for mitigating against layer 7 distributed denial of service attacks. Some embodiments submit a computational intensive problem, also referred to as a bot detection problem, in response to a user request. Bots that lack sophistication needed to render websites or are configured to not respond to the server response will be unable to provide a solution to the problem and their requests will therefore be denied. If the requesting user is a bot and has the sophisticated to correctly solve the problem, the server will monitor the user request rate. For subsequent requests from that same user, the server can increase the difficulty of the problem when the request rate exceeds different thresholds. In so doing, the problem consumes greater resources of the user, slowing the rate at which the user can submit subsequent requests, and thereby preventing the user from overwhelming the server.