A verifiable multi-factor authentication scheme uses an authentication service. An authentication request is received from an organization, the request having been generated in response to receipt of an access request from a user. The user has an associated public-private key pair. The organization provides the authentication request together with a first nonce. In response to receiving the authentication request and the first nonce, the service generates a second nonce, and then it sends the first and second nonces to the user. Thereafter, the service receives a data string, the data string having been generated by the client applying its private key over the nonces. Using the user's public key, the service attempts to verify that the data string includes the nonces. If it does, the authentication service provides the authentication decision in response to the authentication request, together with a proof that the user approved the authentication request.
H04L 9/32 - Arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system
2.
FAST, SECURE, AND SCALABLE DATA STORE AT THE EDGE FOR CONNECTING NETWORK ENABLED DEVICES
A distributed computing system provides a distributed data store for network enabled devices at the edge. The distributed database is partitioned such that each node in the system has its own partition and some number of followers that replicate the data in the partition. The data in the partition is typically used in providing services to network enabled devices from the edge. The set of data for a particular network enabled device is owned by the node to which the network enabled device connects. Ownership of the data (and the data itself) may move around the distributed computing system to different nodes, e.g., for load balancing, fault-resilience, and/or due to device movement. Security/health checks are enforced at the edge as part of a process of transferring data ownership, thereby providing a mechanism to mitigate compromised or malfunctioning network enabled devices.
H04L 67/1095 - Replication or mirroring of data, e.g. scheduling or transport for data synchronisation between network nodes
H04L 67/1097 - Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for the network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
An account protection service to prevent user login or other protected endpoint request abuse. In one embodiment, the service collects user recognition data, preferably for each login attempt (e.g. data about the connection, session, and other relevant context), and it constructs a true user profile for each such user over time, preferably using the recognition data from successful logins. The profile evolves as additional recognition data is collected from successful logins. The profile is a model of what the user “looks like” to the system. For a subsequent login attempt, the system then calculates a true user score. This score represents how well the current user recognition data matches the model represented by the true user profile. The user recognition service is used to drive policy decisions and enforcement capabilities.
An enhanced server-side Adaptive Bitrate Streaming (ABR) of source content. The ABR switching logic is located in association with a server, and this logic also receives telemetry data as measured by the client. The client receives a single manifest that comprises a set of encoded entries each associated with a segment of the source content and comprising a first portion encoding, as a set of options, each of the multiple bitrates, and a second portion that, for each of the multiple bitrate options, encodes a size of the segment associated therewith. In operation, the client media player makes a request for a portion of the source content, and that request includes one of the encoded entries. In response, the server-side ABR switching logic determines whether to switch delivery of the source content from an existing first bitrate to a second bitrate. If so, the requested portion is delivered to the client at the second bitrate.
H04N 21/2662 - Controlling the complexity of the video stream, e.g. by scaling the resolution or bitrate of the video stream based on the client capabilities
H04N 21/2343 - Processing of video elementary streams, e.g. splicing of video streams or manipulating MPEG-4 scene graphs, involving reformatting operations of video signals for distribution or compliance with end-user requests or end-user device requirements
H04N 21/262 - Content or additional data distribution scheduling, e.g. sending additional data at off-peak times, updating software modules, calculating the carousel transmission frequency, delaying
H04N 21/24 - Monitoring of processes or resources, e.g. monitoring server load, available bandwidth or upstream requests
H04N 21/6379 - Control signals issued by the client directed to the server or network components, directed to the server, directed to the encoder
H04N 21/647 - Control signalling between network components and server or clients; Network processes for video distribution between server and clients, e.g. controlling the quality of the video stream by dropping packets, protecting content from unauthorised alteration within the network or monitoring the network load
H04L 67/02 - Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
H04L 65/75 - Media network packet handling
5.
Server-side adaptive bitrate streaming (ABR) with manifest file encoding
An enhanced server-side Adaptive Bitrate Streaming (ABR) of source content. The ABR switching logic is located in association with a server, and this logic also receives telemetry data as measured by the client. The client receives a single manifest that comprises a set of encoded entries each associated with a segment of the source content and comprising a first portion encoding, as a set of options, each of the multiple bitrates, and a second portion that, for each of the multiple bitrate options, encodes a size of the segment associated therewith. In operation, the client media player makes a request for a portion of the source content, and that request includes one of the encoded entries. In response, the server-side ABR switching logic determines whether to switch delivery of the source content from an existing first bitrate to a second bitrate. If so, the requested portion is delivered to the client at the second bitrate.
H04L 65/75 - Media network packet handling
H04L 65/61 - Network streaming of media packets for supporting one-way streaming services, e.g. Internet radio
H04N 21/238 - Interfacing the downstream path of the transmission network, e.g. adapting the transmission rate of a video stream to network bandwidth; Processing of multiplex streams
6.
Establishing On Demand Connections To Intermediary Nodes With Advance Information For Performance Improvement
An agent deployed within a private network creates on-demand connections to an intermediary node outside the private network. When a client contacts the intermediary node for an application or more generally any service available from within the private network, the intermediary node signals the agent to create the on-demand connection outbound to the intermediary. The agent may include advance information in the signal that accelerates the establishment of the on-demand connection and/or transmission of responsive data to the client.
Systems and methods for querying large amounts of data are disclosed. Several different versions of a data feed are provided, ranging from a full set of data to various other versions that are smaller or faster to query (e.g., sampled versions, aggregations, sketches) . . . . A machine learning model is trained on features of input queries run against the various versions of the data feed and the corresponding results. The trained model is then applied to a new query to choose, automatically, which version of the data feed to apply the query against. That is, the system can select which version of the data feed to use when executing the given query, optimizing speed and/or compute costs while providing an appropriate level of accuracy for the given query.
Website phishing detection is enabled using a siamese neural network. One twin receives a query image associated with a website page. The other twin receives a subset of a set of reference website images together with positive (phishing) examples that were used to train the networks, the subset of reference website images having been determined by applying an identifier associated with a brand of interest. The operation of applying the identifier significantly reduces the relevant search space for the inferencing task. If the inferencing determines a sufficient likelihood that the website page is a phishing page, control signaling is generated to control a system to take a given mitigation action.
G06V 10/82 - Arrangements for image or video recognition or understanding using pattern recognition or machine learning using neural networks
A multi-factor authentication scheme uses an MFA authentication service and a browser extensionless phish-proof method to facilitate an MFA workflow. Phish-proof MFA verifies that the browser the user is in front of is actually visiting the authentic (real) site and not a phished site. This is achieved by only allowing MFA to be initiated from a user-trusted browser, verifying its authenticity through a signing operation using a key only it possesses, and then also verifying that the verified browser is visiting the authentic site. In a preferred embodiment, this latter check is carried out using an iframe postMessage owning-domain check. In a variant embodiment, the browser is verified to be visiting the authentic site through an Origin header check. By using the iframe-based or Origin header-based check, the solution does not require a physical security key (such as a USB authenticator) or any browser extension or plug-in.
Improved security inspections for API traffic are disclosed. A data obfuscation process is applied to structured data in a request or response body to obfuscate the content while retaining the structural aspects thereof. The resulting sanitized version of the structured data is sent for analysis. For example, a machine learning component is trained on such sanitized data to develop a signature or model that detects anomalous interactions with the API. The retained structure contains signals useful for pattern recognition and anomaly detection. The signature or model is preferably developed for a specific API endpoint. Then, a detection engine can be deployed to assess subsequent API traffic for the API endpoint, with such subsequent live traffic being similarly obfuscated by the system before being assessed. The teachings hereof can be used to block attacks or other malicious activities directed against API endpoints.
It is often important that a server's responses to a set of client requests are coherent with one another, but if the client's requests are spread over time, that may not occur. In accordance with the teaching of this patent document, a client is able to communicate with a server to achieve coherency. A client can send a request (e.g., an HTTP request for a given resource) with a data preservation directive. The data preservation directive causes the server to initiate a server-side process to preserve the state of underlying server-side data upon which the response relies (or will rely). Also, a client can send a request with an attribute requesting the response be coherent with respect to some date-time or other reference point. This attribute thus asks the server to ensure coherency in the response to the client.
H04L 67/1025 - Dynamic adaptation of the criteria on which the server selection is based
H04L 67/02 - Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
H04L 67/1001 - Protocols in which an application is distributed across nodes in the network for accessing one among a plurality of replicated servers
H04L 67/1012 - Server selection for load balancing based on compliance of requirements or conditions with available server resources
G06F 12/0815 - Cache consistency protocols
H04L 67/1029 - Protocols in which an application is distributed across nodes in the network for accessing one among a plurality of replicated servers using data related to the state of the servers by a load balancer
12.
REAL-TIME DETECTION OF SITE PHISHING USING MESSAGE PASSING NEURAL NETWORKS (MPNN) ON DIRECTED GRAPHS
Website phishing detection is enabled using a Message Passing Neural Network (MPNN) that scores requested HTML with a likelihood of being a phishing website. The technique leverages the assumption that the HTML in a phishing website often presents anomalous structure or features when compared with an analogous benign website. Once a phishing site is detected, a given mitigation action is then taken.
A technique to detect and mitigate anomalous Application Programming Interface (API) behavior associated with an application having a set of APIs is described. Across one or more sessions during a time period, and in response to receiving a set of one or more transactions directed to the application, a behavioral graph is generated. The graph comprises a set of vertices, an associated set of edges, and a set of weights representing frequency of observation of one or more behaviors, wherein a behavior is denoted by an edge between a pair of connected vertices, wherein the edge depicts at least one interdependent relationship between first and second APIs of the set of APIs. One or more low weight edges are filtered from the behavioral graph to generate a decision graph. The decision graph is then used to detect that one or more new transactions represent anomalous behavior. In response to detecting that the given new transaction represents the anomalous behavior, an action is taken to protect the application.
G06F 21/55 - Detecting local intrusion or implementing counter-measures
G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
A technique to detect and mitigate anomalous Application Programming Interface (API) behavior associated with an application having a set of APIs is described. Across one or more sessions during a time period, and in response to receiving a set of one or more transactions directed to the application, a behavioral graph is generated. The graph comprises a set of vertices, an associated set of edges, and a set of weights representing frequency of observation of one or more behaviors, wherein a behavior is denoted by an edge between a pair of connected vertices, wherein the edge depicts at least one interdependent relationship between first and second APIs of the set of APIs. One or more low weight edges are filtered from the behavioral graph to generate a decision graph. The decision graph is then used to detect that one or more new transactions represent anomalous behavior. In response to detecting that the given new transaction represents the anomalous behavior, an action is taken to protect the application.
G06F 21/55 - Detecting local intrusion or implementing counter-measures
G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
G06F 21/51 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems, at application loading time, e.g. accepting, rejecting, starting or inhibiting executable software based on integrity or reliability of the source
16.
NETWORK SECURITY ANALYSIS SYSTEM WITH REINFORCEMENT LEARNING FOR SELECTING DOMAINS TO SCAN
This document describes, among other things, network security systems that incorporate a feedback loop so as to automatically and dynamically adjust the scope of network traffic that is subject to inspection. Risky traffic can be sent for inspection; risky traffic that is demonstrated to have a high rate of threats can be outright blocked without further inspection; traffic that is causing errors due to protocol incompatibility, or that should not be inspected for regulatory or other reasons, can be flagged so it bypasses the security inspection system. The system can operate on a domain-by-domain basis, an IP address basis, or otherwise.
H04L 47/263 - Rate modification at the source after receiving feedback
H04L 61/4511 - Network directories; Name-to-address mapping using standardised directory access protocols using the domain name system [DNS]
17.
Automated learning and detection of web bot transactions using deep learning
This disclosure describes a bot detection system that leverages deep learning to facilitate bot detection and mitigation, and that works even when an attacker changes an attack script. The approach herein provides for a system that rapidly and automatically (without human intervention) retrains on new, updated or modified attack vectors.
A messaging channel is embedded directly into a media stream. Messages delivered via the embedded messaging channel are extracted at a client media player. In lieu of embedding the message data in the media stream, a coordination index is injected, and the message data is sent separately and merged into the media stream downstream (at the media player) based on the index. In one example embodiment, multiple data streams (each potentially with different content intended for a particular “type” or class of user) are transmitted alongside the video stream in which the coordination index has been injected into a video frame. Based on a user's service level, a particular one of the multiple data streams is released when the sequence number appears in the video frame, and the data in that stream is associated with the media.
H04L 65/75 - Media network packet handling
H04L 65/612 - Network streaming of media packets for supporting one-way streaming services, e.g. Internet radio, for unicast
H04L 65/80 - Arrangements, protocols or services in data packet communication networks for supporting real-time applications, responsive to quality of service [QoS]
19.
Systems and Methods For Content Delivery Acceleration of Virtual Reality and Augmented Reality Web Pages
Among other things, this document describes systems, devices, and methods for improving the delivery and performance of web pages authored to produce virtual reality (VR) or augmented reality (AR) experiences. In some embodiments, such web pages are analyzed. This analysis may be initiated at the request of a content server that receives a client request for the HTML. The analysis may involve, asynchronously to the client request, loading the page into a non-user-facing browser environment and allowing the VR or AR scene to execute, even including executing animation routines for a predetermined period of time. Certain characteristics of the scene and of its objects are thereby captured. Based on this information, an object list ordered by loading priority is prepared. Consulting this information in response to subsequent requests for the page, a content server can implement server push, early hints and/or other delivery enhancements.
F16H 61/00 - Control functions within control units of change-speed or reversing gearings for conveying rotary motion
F16H 61/02 - Control functions within control units of change-speed or reversing gearings for conveying rotary motion, characterised by the signals used
F16K 17/04 - Safety valves; Equalising valves closing on insufficient pressure on one side, spring-loaded
F16K 17/06 - Safety valves; Equalising valves closing on insufficient pressure on one side, spring-loaded, with special arrangements for adjusting the opening pressure
G06F 40/143 - Markup, e.g. Standard Generalized Markup Language [SGML] or Document Type Definition [DTD]
This document describes techniques for rotating keys used to tokenize data stored in a streaming data store where data is stored for a maximum time [W]. In some embodiments, a data layer of such a data store can encrypt arriving original data values twice. The original data value is first encrypted with a first key, producing a first token. The original data value is encrypted with a second key, producing a second token. Each encrypted token can be stored separately in the data store. A field may be associated with two database columns, one holding the value encrypted with the first key and the second holding the value encrypted with the second key. Keys are rotated after time [K], which is at least equal to and preferably longer than [W]. Rotation can involve discarding the older key and generating a new key so that two keys are still used.
G06F 21/62 - Protecting access to data via a platform, e.g. using keys or access control rules
H04L 9/32 - Arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system
21.
Client Entity Validation with Session Tokens Derived From Underlying Communication Service Values
The generation and use of session tokens in a computer networking environment is disclosed. Such session tokens can be used in a variety of ways, such as to validate client identity and entitlement to resources, for security assessment, or in other trust establishment mechanisms. Preferably, the session token generation algorithm incorporates one or more non-ephemeral value(s) that are established for a given communication session between two hosts. To validate a token presented by a client, for example, a server can check it against the session values actually in use to communicate with the client.
A method of “warm” migrating a virtual machine (VM) on a source host to a target virtual machine on a destination host. The method begins by mirroring contents of disk onto a target disk associated with the target VM. Transfer of the RAM contents is then initiated. Unlike live migration strategies where data transfer occurs at a high rate, the RAM contents are transferred at a low transfer rate. While the contents of the RAM are being transferred, a shutdown of the virtual machine is initiated. This operation flushes to disk all of the remaining RAM contents. Before the shutdown completes, those remaining contents, now on disk, are mirrored to the target disk. Once that mirroring is finished, the shutdown of the virtual machine is completed, and this shutdown is mirrored at the destination host. To complete the warm migration, the target virtual machine is then booted from the target disk.
G06F 9/455 - Arrangements for executing specific programs; Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
23.
WARM MIGRATIONS FOR VIRTUAL MACHINES IN A CLOUD COMPUTING ENVIRONMENT
A method of "warm" migrating a virtual machine (VM) on a source host to a target virtual machine on a destination host. The method begins by mirroring contents of disk onto a target disk associated with the target VM. Transfer of the RAM contents is then initiated. Unlike live migration strategies where data transfer occurs at a high rate, the RAM contents are transferred at a low transfer rate. While the contents of the RAM are being transferred, a shutdown of the virtual machine is initiated. This operation flushes to disk all of the remaining RAM contents. Before the shutdown completes, those remaining contents, now on disk, are mirrored to the target disk. Once that mirroring is finished, the shutdown of the virtual machine is completed, and this shutdown is mirrored at the destination host. To complete the warm migration, the target virtual machine is then booted from the target disk.
G06F 9/455 - Arrangements for executing specific programs; Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
G06F 9/50 - Allocation of resources, e.g. of the central processing unit [CPU]
G06F 11/20 - Error detection or correction of the data by redundancy in hardware using active fault-masking, e.g. by switching out faulty elements or by switching in spare elements
24.
Efficient congestion control in a tunneled network
A method of congestion control implemented by a sender over a network link that includes a router having a queue. During a first state, information is received from a receiver. The information comprises an estimated maximum bandwidth for the link, a one-way transit time for traffic over the link, and an indication of whether the network link is congested. In response to the link being congested, the sender transitions to a second state. While in the second state, the sending rate of packets is reduced, in part to attempt to drain the queue of data packets contributed by the sender. The sender transitions to a third state when it estimates that the queue has been drained of the data packets it contributed. During the third state, the sending rate is increased until either the sender transitions back to the first state or it receives a new indication that the link is congested.
This disclosure describes a technique to fingerprint TLS connection information to facilitate bot detection. The notion is referred to herein as “TLS fingerprinting.” Preferably, TLS fingerprinting herein comprises combining different parameters from the initial “Hello” packet sent by the client. In one embodiment, the parameters from the Hello packet that are used to create the fingerprint (the “TLS signature”) are: record layer version, client version, ordered TLS extensions, ordered cipher list, ordered elliptic curve list, and ordered signature algorithms list. Preferably, the edge server persists the TLS signature for the duration of a session.
A server in a content delivery network (CDN) can examine API traffic and extract therefrom content that can be optimized before it is served to a client. The server can apply content location instructions to a given API message to find such content therein. Upon finding an instance of such content, the server can verify the identity of the content by applying a set of content verification instructions. If verification succeeds, the server can retrieve an optimized version of the identified content and swap it into the API message for the original version. If an optimized version is not available, the server can initiate an optimization process so that next time the optimized version will be available. In some embodiments, an analysis service can assist by observing traffic from an API endpoint over time, detecting the format of API messages and producing the content location and verification instructions.
A method executes upon receiving data (email, IP address) associated with an account registration. In response, an encoding is applied to the data to generate a node vector. The node vector indexes a database of such node vectors that the system maintains (from prior registrations). The database potentially includes one or more node vector(s) that may have a given similarity to the encoded node vector. To determine whether such vectors are present, a set of k-nearest neighbors to the encoded node vector is obtained from the database. This set of k-nearest neighbors together with the encoded node vector comprise a virtual graph that is then fed as a graph input to a Graph Neural Network (GNN) previously trained on a set of training data. The GNN generates a probability that the virtual graph represents new-account fraud (NAF). If the probability exceeds a configurable threshold, the system outputs an indication that the registration is potentially fraudulent, and a mitigation action is taken.
H04L 41/16 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks, using machine learning or artificial intelligence
28.
REAL-TIME DETECTION OF ONLINE NEW-ACCOUNT CREATION FRAUD USING GRAPH-BASED NEURAL NETWORK MODELING
A method executes upon receiving data (email, IP address) associated with an account registration. In response, an encoding is applied to the data to generate a node vector. The node vector indexes a database of such node vectors that the system maintains (from prior registrations). The database potentially includes one or more node vector(s) that may have a given similarity to the encoded node vector. To determine whether such vectors are present, a set of k-nearest neighbors to the encoded node vector is obtained from the database. This set of k-nearest neighbors together with the encoded node vector comprise a virtual graph that is then fed as a graph input to a Graph Neural Network (GNN) previously trained on a set of training data. The GNN generates a probability that the virtual graph represents new-account fraud (NAF). If the probability exceeds a configurable threshold, the system outputs an indication that the registration is potentially fraudulent, and a mitigation action is taken.
Systems and methods for obfuscating data. The technology herein can be used to produce an obfuscated output that exhibits no easily discernible pattern, making it difficult to identify or to filter using regular expressions, signature matching or other pattern matching. The output nevertheless can be reversed and the original data recovered by an intended recipient at relatively low processing cost, making it suitable for low-powered devices. The obfuscation is stateless and does not require encryption.
An overlay network is augmented to provide more efficient data storage by processing a dataset of high dimension into an equivalent dataset of lower dimension, wherein the data reduction reduces the amount of actual physical data but not necessarily its informational value. Data to be processed (dimensionally reduced) is received by an ingestion layer and supplied to a learning-based storage reduction application that implements the data reduction technique. The application applies a data reduction algorithm and stores the resulting dimensionally-reduced data sets in the native data storage or a third-party cloud. To recover the original higher-dimensional data, an associated reverse algorithm is implemented. In general, the application converts an N-dimensional data set to a K-dimensional data set, where K<
A method, apparatus and computer program product for real-time new account fraud detection and prevention. The technique leverages machine learning. In this approach, first and second computational branches of a machine learning model are trained jointly on a corpus of emails. Following training, an arbitrary email is received. The arbitrary email is then applied through the computational branches of the machine learning model. The first branch has an attention layer, and the second branch has a convolutional layer. The outputs of the branches are aggregated into an output that is then applied through another self-attention layer to generate a score. Based on the score, the arbitrary email is characterized. If the email is characterized as fraudulent, a mitigation action is taken.
A method for dynamic and extensible creation of an extensible wireless network, using a set of drones that individually support server processes. The drones interact with one another, exchanging information, type of coverage, type and amount of throughput, location, etc. A control node connects to a wired network. The node operates a leader election protocol, captures state information from the drones, and positions/re-positions the drones as necessary. Drones are flown into position and then engaged as necessary to stretch/adapt the coverage as necessary. Each drone's power utilization is monitored and its coverage area modified as necessary to optimize power utilization. The control node performs drone-based coverage/power utilization computations, and attempts to apply the appropriate location assignments to provide maximum network coverage (extensibility) while also preserving drone-specific power (battery) utilization. The approach herein can be used to supplement existing networks during events, migrations of populations during work hours, etc.
H04W 84/18 - Self-organising networks, e.g. ad hoc networks or sensor networks
H04W 40/12 - Communication route or path selection, e.g. power-based or shortest path routing based on transmission quality or channel quality
A physical object having a programmable, electronically readable tag can be identified and tracked in a given third party system with the aid of an identity services platform. When the owner of the object is about to place it in the custody of a third party system, the owner can use a client device to instruct the identity services platform to generate a nonce, for programming into the object's tag. Devices in the third party system read and use the nonce to identify and track the object and to make decisions about how it is handled. When the object exits from the control of the third party system for return to the owner, the identity services platform is asked to provide a proof of ownership to the third party system, which enables accurate return of the object to its proper owner.
H04L 9/32 - Arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system
G06K 19/06 - Record carriers for use with machines and with at least a part designed to carry digital markings characterised by the kind of the digital marking, e.g. shape, nature, code
G06K 19/077 - Record carriers with conductive marks, printed circuits or semiconductor circuit elements, e.g. identity cards or credit cards with integrated circuit chips - Constructional details, e.g. mounting of circuits in the carrier
Among other things, this document describes systems, devices, and methods for improving the delivery and performance of web pages authored to produce virtual reality (VR) or augmented reality (AR) experiences. In some embodiments, such web pages are analyzed. This analysis may be initiated at the request of a content server that receives a client request for the HTML. The analysis may involve, asynchronous to the client request, loading the page into a non-user-facing browser environment and allowing the VR or AR scene to execute, even including executing animation routines for a predetermined period of time. Certain characteristics of the scene and of objects are thereby captured. Based on this information, an object list ordered by loading priority is prepared. Consulting this information in response to subsequent requests for the page, a content server can implement server push, early hints and/or other delivery enhancements.
A technique to cache content securely within edge network environments, even within portions of that network that might be considered less secure than what a customer desires, while still providing the acceleration and off-loading benefits of the edge network. The approach ensures that customer confidential data (whether content, keys, etc.) is not exposed either in transit or at rest. In this approach, only encrypted copies of the customer's content objects are maintained within the portion of the edge network, but without any need to manage the encryption keys. To take full advantage of the secure content caching technique, preferably the encrypted content (or portions thereof) is pre-positioned within the edge network portion to improve performance of secure content delivery from the environment.
H04L 67/1097 - Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
H04L 9/32 - Arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system
A plurality of WiFi-enabled devices that are physically proximate to one another form an ad hoc mesh network, which is associated with an overlay network, such as a content delivery network. A typical WiFi device is a WiFi router that comprises addressable data storage, together with control software operative to configure the device seamlessly into the WiFi mesh network formed by the device and one or more physically-proximate devices. The addressable data storage across multiple such devices comprises a distributed or "mesh-assisted" cache that is managed by the overlay network. The WiFi mesh network thus provides bandwidth that is leveraged by the overlay network to provide distribution of content, e.g., content that has been off-loaded for delivery (by content providers) to the CDN. Other devices that may be leveraged include set-top boxes and IPTV devices.
H04L 12/28 - Data switching networks characterised by path configuration, e.g. local area networks [LAN] or wide area networks [WAN]
H04L 67/1061 - Peer-to-peer [P2P] networks using node-based peer discovery mechanisms
H04L 67/1087 - Peer-to-peer [P2P] networks using cross-functional networking aspects
H04L 67/1097 - Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
H04L 67/568 - Storing data temporarily at an intermediate stage, e.g. caching
H04W 4/70 - Services for machine-to-machine communication or machine type communication
38.
High performance distributed system of record with cryptographic service support
A high-performance distributed ledger and transaction computing network fabric over which large numbers of transactions (involving the transformation, conversion or transfer of information or value) are processed concurrently in a scalable, reliable, secure and efficient manner. In one embodiment, the computing network fabric or “core” is configured to support a distributed blockchain network that organizes data in a manner that allows communication, processing and storage of blocks of the chain to be performed concurrently, with little synchronization, at very high performance and low latency, even when the transactions themselves originate from distant sources. This data organization relies on segmenting a transaction space within autonomous but cooperating computing nodes that are configured as a processing mesh. Each computing node typically is functionally-equivalent to all other nodes in the core. The nodes operate on blocks independently from one another while still maintaining a consistent and logically-complete view of the blockchain as a whole. According to another feature, secure transaction processing is facilitated by storing cryptographic key materials in secure and trusted computing environments associated with the computing nodes to facilitate construction of trust chains for transaction requests and their associated responses.
H04L 9/06 - Arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise coding, e.g. DES systems
H04L 9/12 - Transmitting and receiving encryption devices synchronised or initially set up in a particular manner
H04L 9/32 - Arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system
G06Q 20/36 - Payment architectures, schemes or protocols characterised by the use of specific devices using electronic wallets or electronic money safes
H04L 9/14 - Arrangements for secret or secure communications; Network security protocols using a plurality of keys or algorithms
H04L 9/00 - Arrangements for secret or secure communications; Network security protocols
39.
Uniquely identifying and securely communicating with an appliance in an uncontrolled network
A service consumer that utilizes a cloud-based access service provided by a service provider has associated therewith a network that is not capable of being controlled by the service provider. An enterprise connector is supported in this uncontrolled network, preferably as an appliance-based solution. According to this disclosure, the enterprise configures an appliance and then deploys it in the uncontrolled network. To this end, an appliance is required to proceed through a multi-stage approval protocol before it is accepted as a “connector” and is thus enabled for secure communication with the service provider. The multiple stages include a “first contact” (back to the service) stage, an undergoing approval stage, a re-generating identity material stage, and a final approved and configured stage. Unless the appliance passes through these stages, the appliance is not permitted to interact with the service as a connector. As an additional aspect, the service provides various protections for addressing scenarios wherein entities masquerade as approved appliances.
H04L 9/32 - Arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system
H04L 9/14 - Arrangements for secret or secure communications; Network security protocols using a plurality of keys or algorithms
H04L 9/00 - Arrangements for secret or secure communications; Network security protocols
H04L 9/30 - Public key, i.e. encryption algorithm being computationally infeasible to invert and users' encryption keys not requiring secrecy
40.
Systems and methods for preventing the caching of rarely requested objects
Improved technology for managing the caching of objects that are rarely requested by clients. A cache system can be configured to assess a class of objects (such as objects associated with a particular domain) for cacheability, based on traffic observations. If the maximum possible cache offloading for the class of objects falls below a threshold level, which indicates a high proportion of non-cacheable or "single-hitter" content, then cache admission logic is configured to admit objects only after multiple client requests during a time period (usually the object's time in cache, or eviction age). Otherwise, the cache admission logic may operate to admit objects to the cache after the first client request, assuming the object meets cacheability criteria. The technological improvements disclosed herein can be used to improve cache utilization, for example by preventing single-hitter objects from pushing out multi-hit objects (the objects that get hits after being added to cache).
This disclosure describes a technique to determine whether a client computing device accessing an API is masquerading its device type (i.e., pretending to be a device that it is not). To this end, and according to this disclosure, the client performs certain processing requested by the server to reveal its actual processing capabilities and thereby its true device type, whereupon, once the server learns the true nature of the client device, it can take appropriate actions to mitigate or prevent further damage. During the API transaction the server returns information to the client device that causes the client device to perform certain computations or actions. The resulting activity is captured on the client computing device and then transmitted back to the server, which then analyzes the data to inform its decision about the true client device type. Thus, when the server detects the true client device type (as opposed to the device type that the device is masquerading as), it can take appropriate action to defend the site.
A system for enterprise collaboration is associated with an overlay network, such as a content delivery network (CDN). The overlay network comprises machines capable of ingress, forwarding and broadcasting traffic, together with a mapping infrastructure. The system comprises a front-end application, a back-end application, and a set of one or more APIs through which the front-end application interacts with the back-end application. The front-end application is a web or mobile application component that provides one or more collaboration functions. The back-end application comprises a signaling component that maintains state information about each participant in a collaboration, a connectivity component that manages connections routed through the overlay network, and a multiplexing component that manages a multi-peer collaboration session to enable an end user peer to access other peers' media streams through the overlay network rather than directly from another peer. Peers preferably communicate with the platform using WebRTC. A collaboration manager component enables users to configure, manage and control their collaboration sessions.
G06F 15/16 - Combinations of two or more digital computers each having at least an arithmetic unit, a program unit and a register, e.g. for simultaneous processing of several programs
H04L 65/1093 - In-session procedures by removing participants
H04L 65/40 - Support for services or applications
H04L 65/401 - Support for services or applications wherein the services involve a main real-time session and one or more additional parallel real-time or time-sensitive sessions, e.g. white board sharing or spawning of a subconference
H04L 65/403 - Arrangements for multi-party communication, e.g. for conferences
A high-performance distributed ledger and transaction computing network fabric over which large numbers of transactions are processed concurrently in a scalable, reliable, secure and efficient manner. In one embodiment, the computing network core is configured to support a distributed blockchain network that organizes data in a manner that allows communication, processing and storage of blocks of the chain to be performed concurrently at very high performance and low latency, even when the transactions themselves originate from distant sources. This data organization relies on segmenting a transaction space within autonomous but cooperating computing nodes that are configured as a processing mesh. The system also provides for confidence-based consensus. A configuration system is provided to enable configuration updates to be securely implemented across various subsets of the computing nodes.
H04L 9/32 - Arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system
An account protection service to prevent user login or other protected endpoint request abuse. In one embodiment, the service collects user recognition data, preferably for each login attempt (e.g. data about the connection, session, and other relevant context), and it constructs a true user profile for each such user over time, preferably using the recognition data from successful logins. The profile evolves as additional recognition data is collected from successful logins. The profile is a model of what the user “looks like” to the system. For a subsequent login attempt, the system then calculates a true user score. This score represents how well the current user recognition data matches the model represented by the true user profile. The user recognition service is used to drive policy decisions and enforcement capabilities. Preferably, user recognition works in association with bot detection in a combined solution.
A multi-factor authentication scheme uses an MFA authentication service and a browser extensionless phish-proof method to facilitate an MFA workflow. Phish-proof MFA verifies that the browser the user is in front of is actually visiting the authentic (real) site and not a phished site. This is achieved by only allowing MFA to be initiated from a user trusted browser by verifying its authenticity through a signing operation using a key only it possesses, and then also verifying that the verified browser is visiting the authentic site. In a preferred embodiment, this latter check is carried out using an iframe postMessage owning domain check. In a variant embodiment, the browser is verified to be visiting the authentic site through an origin header check. By using the iframe-based or ORIGIN header-based check, the solution does not require a physical security key (such as a USB authenticator) or any browser extension or plug-in.
A client application sends DNS requests to a threat protection service when a mobile device operating the client application is operating off-network. The application is configured to detect network conditions and automatically configure an appropriate system-wide DNS resolution setting. Preferably, DNS requests from the client identify the customer and the device to threat protection (TP) service resolvers without introducing a publicly-visible customer or device identifier to the DNS requests or responses. The TP system then applies the correct policy to DNS requests coming from off-network clients. In particular, the resolver recognizes the customer for requests coming from off-net clients and applies the customer's policy to such requests. The resolver is configured to log the customer and the device associated with requests from the TP off-net client. Request logs from the TP resolver are provided to a cloud security intelligence platform for threat intelligence analytics and customer visible reporting.
H04L 9/32 - Arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system
H04W 12/37 - Managing security policies for mobile devices or for controlling mobile applications
H04L 61/4511 - Network directories; Name-to-address mapping using standardised directory access protocols using domain name system [DNS]
Improvements to internet cache protocols are disclosed. In certain embodiments, a client-facing proxy server can query peer servers to determine whether they have a copy of an object that the proxy server needs. The peer servers can respond based on object information that the peer servers stored about objects they have in cache, where the peers recorded such object information previously when ingesting the objects into their cache and stored it separately from the objects for fast access (e.g. in RAM vs. on disk). This information can be expressed in a compact way using just a few object flags, and enables the peer server to respond quickly and with detail about the status of objects it holds. The proxy server can make an intelligent decision about which peer to use, and indeed whether to use a peer at all.
G06F 12/00 - Accessing, addressing or allocating within memory systems or architectures
G06F 12/0802 - Addressing of a memory level in which the access to the desired data or data block requires associative addressing means, e.g. caches
A multi-factor authentication scheme uses an MFA authentication service and a browser extensionless phish-proof method to facilitate an MFA workflow. Phish-proof MFA verifies that the browser the user is in front of is actually visiting the authentic (real) site and not a phished site. This is achieved by only allowing MFA to be initiated from a user trusted browser by verifying its authenticity through a signing operation using a key only it possesses, and then also verifying that the verified browser is visiting the authentic site. In a preferred embodiment, this latter check is carried out using an iframe postMessage owning domain check. In a variant embodiment, the browser is verified to be visiting the authentic site through an origin header check. By using the iframe-based or ORIGIN header-based check, the solution does not require a physical security key (such as a USB authenticator) or any browser extension or plug-in.
A set of transaction handling computing elements comprise a network core that receives and processes transaction requests into an append-only immutable chain of data blocks, wherein a data block is a collection of transactions, and wherein an Unspent Transaction Output (UTXO) data structure supporting the immutable chain of data blocks is an output from a finalized transaction. Typically, the UTXO data structure consists essentially of an address and a value. In this approach, at least one UTXO data structure is configured to include information either in addition to or in lieu of the address and value, thereby defining a Transaction Output (TXO). A TXO may have a variety of types, and one type includes an attribute that encodes data. In response to receipt of a request to process a transaction, the set of transaction handling computing elements are executed to process the transaction into a block using at least the information in the TXO.
G06F 16/22 - Indexing; Data structures therefor; Storage structures
G06F 16/27 - Replication, distribution or synchronisation of data between databases or within a distributed database system; Distributed database system architectures therefor
G06F 21/64 - Protecting data integrity, e.g. using checksums, certificates or signatures
G06Q 20/36 - Payment architectures, schemes or protocols characterised by the use of specific devices using electronic wallets or electronic money safes
G06Q 20/40 - Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check of credit lines or negative lists
G06Q 30/0226 - Incentive systems for frequent usage, e.g. frequent flyer miles programs or point systems
H04L 9/30 - Public key, i.e. encryption algorithm being computationally infeasible to invert and users' encryption keys not requiring secrecy
H04L 9/32 - Arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system
H04L 67/10 - Protocols in which an application is distributed across nodes in the network
G06Q 20/20 - Point-of-sale [POS] network systems
H04L 9/00 - Arrangements for secret or secure communications; Network security protocols
50.
Traffic forwarding and disambiguation by using local proxies and addresses
A method of traffic forwarding and disambiguation through the use of local proxies and addresses. The technique leverages DNS to on-ramp traffic to a local proxy. The local proxy runs on the end user's device. According to a first embodiment, DNS is used to remap what would normally be a wide range of IP addresses to localhost based on 127.0.0.0/8 listening sockets, where the system can then listen for connections and data. In a second embodiment, a localhost proxy based on a TUN/TAP interface (or other packet interception method) with a user-defined CIDR range to which the local DNS server drives traffic is used. Requests on that local proxy are annotated (by adding data to the upstream connection).
H04L 67/56 - Provisioning of proxy services
H04L 61/4511 - Network directories; Name-to-address mapping using standardised directory access protocols using domain name system [DNS]
51.
Service platform with configurable electricity usage characteristics
A multi-tenant service platform provides network services, such as content delivery, edge compute, and/or media streaming, on behalf of, or directly for, a given tenant. The service platform offers a policy layer enabling each tenant to specify levels of acceptable performance degradation that the platform may incur so that the platform can use electricity with desirable characteristics to service client requests associated with that tenant. Service nodes in the platform (e.g., edge servers) enforce the policy layer at the time of a service request. Preferably, the 'quality' of the electricity is a measurement of the source of the energy, e.g., whether it is sourced from high-carbon fossil fuels (low-quality) or low-carbon renewables (high-quality). If the desired quality of electricity cannot be achieved, the node can resort to using less electricity to handle the request, which is achieved in a variety of ways.
G06F 9/48 - Program initiating; Program switching, e.g. by interrupt
G06F 1/18 - Packaging or power distribution
G06F 1/3206 - Monitoring of events, devices or parameters that trigger a change in power modality
G06F 1/3234 - Power management, i.e. event-based initiation of a power-saving mode; Power saving characterised by the action undertaken
G06F 9/50 - Allocation of resources, e.g. of the central processing unit [CPU]
G06F 11/34 - Recording or statistical evaluation of computer activity, e.g. of interruptions or input/output operations
This document describes techniques for rotating keys used to tokenize data stored in a streaming data store where data is stored for a maximum time [W]. In some embodiments, a data layer of such a data store can encrypt arriving original data values twice. The original data value is first encrypted with a first key, producing a first token. The original data value is encrypted with a second key, producing a second token. Each encrypted token can be stored separately in the data store. A field may be associated with two database columns, one holding the value encrypted with the first key and the second holding the value encrypted with the second key. Keys are rotated after time [K], which is at least equal to and preferably longer than [W]. Rotation can involve discarding the older key and generating a new key so that two keys are still used.
H04L 9/32 - Arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system
G06F 21/62 - Protecting access to data via a platform, e.g. using keys or access control rules
53.
High performance distributed system of record with key management
A high-performance distributed ledger and transaction computing network fabric over which large numbers of transactions are processed concurrently in a scalable, reliable, secure and efficient manner. In one embodiment, the computing network fabric or "core" is configured to support a distributed blockchain network that organizes data in a manner that allows communication, processing and storage of blocks of the chain to be performed concurrently, with little synchronization, at very high performance and low latency, even when the transactions themselves originate from distant sources. This data organization relies on segmenting a transaction space within autonomous but cooperating computing nodes that are configured as a processing mesh. Secure transaction processing is facilitated by storing cryptographic key materials in secure and trusted computing environments associated with the computing nodes to facilitate construction of mining proofs during the validation of a block.
H04L 9/06 - Arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise coding, e.g. DES systems
H04L 9/30 - Public key, i.e. encryption algorithm being computationally infeasible to invert and users' encryption keys not requiring secrecy
H04L 9/00 - Arrangements for secret or secure communications; Network security protocols
54.
High performance distributed system of record with extended transaction processing capability
A set of transaction handling computing elements comprise a network core that receives and processes transaction requests into an append-only immutable chain of data blocks, wherein a data block is a collection of transactions, and wherein an Unspent Transaction Output (UTXO) data structure supporting the immutable chain of data blocks is an output from a finalized transaction. Typically, the UTXO data structure consists essentially of an address and a value. In this approach, at least one UTXO data structure is configured to include information either in addition to or in lieu of the address and value, thereby defining a Transaction Output (TXO). A TXO may have a variety of types, and one type includes an attribute that encodes data. In response to receipt of a request to process a transaction, the set of transaction handling computing elements are executed to process the transaction into a block using at least the information in the TXO.
G06F 16/27 - Réplication, distribution ou synchronisation de données entre bases de données ou dans un système de bases de données distribuées; Architectures de systèmes de bases de données distribuées à cet effet
G06F 21/64 - Protection de l’intégrité des données, p.ex. par sommes de contrôle, certificats ou signatures
G06Q 20/36 - Architectures, schémas ou protocoles de paiement caractérisés par l'emploi de dispositifs spécifiques utilisant des portefeuilles électroniques ou coffres-forts électroniques
G06Q 20/40 - Autorisation, p.ex. identification du payeur ou du bénéficiaire, vérification des références du client ou du magasin; Examen et approbation des payeurs, p.ex. contrôle des lignes de crédit ou des listes négatives
G06Q 30/0226 - Systèmes d’incitation à un usage fréquent, p.ex. programmes de miles pour voyageurs fréquents ou systèmes de points
H04L 9/30 - Clé publique, c. à d. l'algorithme de chiffrement étant impossible à inverser par ordinateur et les clés de chiffrement des utilisateurs n'exigeant pas le secret
H04L 9/32 - Dispositions pour les communications secrètes ou protégées; Protocoles réseaux de sécurité comprenant des moyens pour vérifier l'identité ou l'autorisation d'un utilisateur du système
H04L 67/10 - Protocoles dans lesquels une application est distribuée parmi les nœuds du réseau
G06Q 20/20 - Systèmes de réseaux présents sur les points de vente
H04L 9/00 - Dispositions pour les communications secrètes ou protégées; Protocoles réseaux de sécurité
55.
Real-time message delivery and update service in a proxy server network
This patent document describes technology for providing real-time messaging and entity update services in a distributed proxy server network, such as a CDN. Uses include distributing real-time notifications about updates to data stored in and delivered by the network, with both high efficiency and locality of latency. The technology can be integrated into conventional caching proxy servers providing HTTP services, thereby leveraging their existing footprint in the Internet, their existing overlay network topologies and architectures, and their integration with existing traffic management components.
H04L 65/80 - Arrangements, protocols or services in data packet communication networks for supporting real-time applications, responding to quality of service [QoS]
H04L 67/60 - Scheduling or organising the servicing of application requests, e.g. requests for application data transmissions using the analysis and optimisation of the required network resources
H04L 67/568 - Storing data temporarily at an intermediate stage, e.g. caching
H04L 67/02 - Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
This disclosure provides embedding a messaging channel directly into a media stream, where messages delivered via the embedded messaging channel are then extracted at a client media player. An advantage of embedding a message is that it can be done at a single ingest point and then passes transparently through a CDN architecture, effectively achieving message replication using the native CDN media delivery infrastructure.
G06F 13/00 - Interconnection of, or transfer of information or other signals between, memories, input/output devices or central processing units
H04L 65/80 - Arrangements, protocols or services in data packet communication networks for supporting real-time applications, responding to quality of service [QoS]
H04W 28/02 - Traffic management, e.g. flow control or congestion control
H04L 67/141 - Setup of application sessions
H04L 65/65 - Network streaming protocols, e.g. real-time transport protocol [RTP] or real-time control protocol [RTCP]
H04L 65/612 - Network streaming of media packets for supporting one-way streaming services, e.g. Internet radio for unicast
57.
Detection and optimization of content in the payloads of API messages
A server in a content delivery network (CDN) can examine API traffic and extract therefrom content that can be optimized before it is served to a client. The server can apply content location instructions to a given API message to find such content therein. Upon finding an instance of such content, the server can verify the identity of the content by applying a set of content verification instructions. If verification succeeds, the server can retrieve an optimized version of the identified content and swap it into the API message for the original version. If an optimized version is not available, the server can initiate an optimization process so that next time the optimized version will be available. In some embodiments, an analysis service can assist by observing traffic from an API endpoint over time, detecting the format of API messages and producing the content location and verification instructions.
Edge server compute capacity demand in an overlay network is predicted and used to pre-position compute capacity in advance of application-specific demands. Preferably, machine learning is used to proactively predict anticipated compute capacity needs for an edge server region (e.g., a set of co-located edge servers). In advance, compute capacity (application instances) are made available in-region, and data associated with an application instance is migrated to be close to the instance. The approach facilitates compute-at-the-edge services, which require data (state) to be close to a pre-positioned latency-sensitive application instance. Overlay network mapping (globally) may be used for more long-term positioning, with short-duration scheduling then being done in-region as needed. Compute instances and associated state are migrated intelligently based on predicted (e.g., machine-learned) demand, and with full data consistency enforced.
H04W 36/12 - Reselecting a serving backbone network switching or routing node
H04L 67/10 - Protocols in which an application is distributed across nodes in the network
H04L 67/12 - Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
59.
SYNCHRONIZING INDEPENDENT MEDIA AND DATA STREAMS USING MEDIA STREAM SYNCHRONIZATION POINTS
A messaging channel is embedded directly into a media stream. Messages delivered via the embedded messaging channel are extracted at a client media player. According to a variant embodiment, and in lieu of embedding all of the message data in the media stream, only a coordination index is injected, and the message data is sent separately and merged into the media stream downstream (at the client media player) based on the coordination index. In one example embodiment, multiple data streams (each potentially with different content intended for a particular "type" or class of user) are transmitted alongside the video stream in which the coordination index (e.g., a sequence number) has been injected into a video frame. Based on a user's service level, a particular one of the multiple data streams is released when the sequence number appears in the video frame, and the data in that stream is associated with the media.
H04L 67/1095 - Replication or mirroring of data, e.g. scheduling or transport for data synchronisation between network nodes
H04L 67/562 - Brokering proxy services
H04L 67/61 - Scheduling or organising the servicing of application requests, e.g. requests for application data transmissions using the analysis and optimisation of the required network resources, taking into account quality of service [QoS] or priority requirements
H04N 21/242 - Synchronization processes, e.g. processing of program clock references [PCR]
H04N 21/43 - Processing of content or additional data, e.g. demultiplexing additional data from a digital video stream; Elementary client operations, e.g. monitoring of home network or synchronising decoder's clock; Client middleware
60.
Traffic delivery using anycast and end user-based mapping in an overlay network
An overlay network is enhanced to provide traffic delivery using anycast and end user mapping. An anycast IP address is associated with sets of forwarding machines positioned in the overlay network. These locations correspond with IP addresses for zero-rated billing traffic. In response to receipt of a packet at a forwarding machine, the machine issues an end user mapping request to the mapping mechanism. The mapping request has an IP address associated with the client from which the end user request originates. The mapping mechanism resolves the request and provides a response to the request. The response is an IP address associated with a set of server machines distinct from the forwarding machine. The forwarding machine encapsulates the packet and proxies the connection to the identified server. The server receives the connection, decapsulates the request, and processes the packet. The server machine responds to the requesting client directly.
G06F 15/16 - Combinations of two or more digital computers each having at least an arithmetic unit, a program unit and a register, e.g. for a simultaneous processing of several programs
A method of delivering a media stream in a network having first and second media servers each capable of delivering segmented media content to a requesting media client. The network provides for HTTP-based delivery of segmented media, and the media client is supported on a client-side device. The method begins by associating the media client with the first media server. As the first server receives requests for media content segments from the media client, the request times for a given number of the most recently requested segments are used by the first server to generate a prediction of when the media client has transitioned from a start-up or buffering state to a steady state. In response to a new segment request being received, and upon the first server predicting that the media client has completed a transition to steady state, the new segment request is redirected to the second media server.
G06F 15/16 - Combinations of two or more digital computers each having at least an arithmetic unit, a program unit and a register, e.g. for a simultaneous processing of several programs
H04L 65/70 - Media network packetisation
H04L 65/75 - Media network packet handling
H04L 65/80 - Arrangements, protocols or services in data packet communication networks for supporting real-time applications, responding to quality of service [QoS]
H04L 67/02 - Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
H04L 67/1023 - Server selection for load balancing based on a hash applied to IP addresses or costs
H04L 67/1008 - Server selection for load balancing based on parameters of servers, e.g. available memory or workload
H04L 67/63 - Scheduling or organising the servicing of application requests, e.g. requests for application data transmissions using the analysis and optimisation of the required network resources, by routing a service request depending on the request content or context
62.
Systems and methods for failure recovery in at-most-once and exactly-once streaming data processing
This patent document describes failure recovery technologies for the processing of streaming data, also referred to as pipelined data. The technologies described herein have particular applicability in distributed computing systems that are required to process streams of data and provide at-most-once and/or exactly-once service levels. In a preferred embodiment, a system comprises many nodes configured in a network topology, such as a hierarchical tree structure. Data is generated at leaf nodes. Intermediate nodes process the streaming data in a pipelined fashion, sending aggregated or otherwise combined data from the source data streams towards the root. To reduce overhead and provide locally handled failure recovery, system nodes transfer data using a protocol that controls which node owns the data, for purposes of failure recovery, as it moves through the network.
G06F 11/14 - Error detection or correction of the data by redundancy in operation, e.g. by using different operation sequences leading to the same result
G06F 11/07 - Responding to the occurrence of a fault, e.g. fault tolerance
H04L 1/18 - Automatic repetition systems, e.g. Van Duuren systems
H04L 1/1867 - Arrangements specially adapted for the transmitter end
H04L 69/10 - Streamlined, light-weight or high-speed protocols, e.g. express transfer protocol [XTP] or byte stream
H04L 41/0654 - Management of faults, events, alarms or notifications using network fault recovery
63.
Certificate authority (CA) security model in an overlay network supporting a branch appliance
A method to generate a trusted certificate on an endpoint appliance located in an untrusted network, wherein client devices are configured to trust a first Certificate Authority (CA) that is administered by the untrusted network. In this approach, an overlay network is configured between the endpoint appliance and an origin server associated with the endpoint appliance. The overlay comprises an edge machine located proximate the endpoint appliance, and an associated key management service. A second CA is configured in association with the key management service to receive a second certificate signed by the first CA. A third CA is configured in association with the edge machine to receive a third certificate signed by the second CA. In response to a request from the appliance, a server certificate signed by the third CA is dynamically generated and provided to the appliance. A client device receiving the server certificate from the endpoint appliance trusts the server certificate as if the server certificate originated from the first CA, thereby enabling the endpoint appliance to terminate a secure information flow received at the endpoint appliance.
H04L 9/32 - Arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system
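The three-tier chain the abstract describes, as an added example that is not the patent's own code: a root ("first") CA that client devices trust, a "second" CA at the key management service certified by the first, a "third" CA at the edge machine certified by the second, and a short-lived server certificate for the appliance issued on request by the third. Go's standard library builds and verifies the chain; the CA names, the hostname, the validity periods and the path-length constraints are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// ca pairs a certificate with the private key that signs under it.
type ca struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

var serial int64 // assumption: a process-local counter; a real CA uses random 20-byte serials

func nextSerial() *big.Int { serial++; return big.NewInt(serial) }

// issue signs tmpl with parent's key (self-signed when parent is nil) and parses the result.
func issue(tmpl *x509.Certificate, parent *ca) (*ca, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	parentCert, signer := tmpl, key
	if parent != nil {
		parentCert, signer = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, signer)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &ca{cert: cert, key: key}, nil
}

// caTemplate: pathLen is how many further CAs may sit below this one (0 = end entities only).
func caTemplate(name string, pathLen int) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          nextSerial(),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		MaxPathLen:            pathLen,
		MaxPathLenZero:        pathLen == 0,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// Deployment holds the three CAs of the abstract plus one dynamically issued server certificate.
type Deployment struct {
	First  *ca // administered by the untrusted network; the only CA client devices trust
	Second *ca // at the overlay's key management service, certified by First
	Third  *ca // at the edge machine near the appliance, certified by Second
	Server *ca // generated on request for the appliance, certified by Third
}

func Deploy(applianceHost string) (*Deployment, error) {
	first, err := issue(caTemplate("branch-network-root-ca", 2), nil)
	if err != nil { return nil, err }
	second, err := issue(caTemplate("overlay-kms-ca", 1), first)
	if err != nil { return nil, err }
	third, err := issue(caTemplate("overlay-edge-ca", 0), second)
	if err != nil { return nil, err }
	server, err := issue(&x509.Certificate{
		SerialNumber: nextSerial(),
		Subject:      pkix.Name{CommonName: applianceHost},
		DNSNames:     []string{applianceHost},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour), // short-lived: regenerated on request
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, third)
	if err != nil { return nil, err }
	return &Deployment{First: first, Second: second, Third: third, Server: server}, nil
}

// ClientVerify does what a client device does: trust only `trusted`, receive the server
// certificate plus the two intermediate CA certificates from the appliance, and build a chain.
func (d *Deployment) ClientVerify(trusted *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(trusted)
	inter := x509.NewCertPool()
	inter.AddCert(d.Second.cert)
	inter.AddCert(d.Third.cert)
	_, err := d.Server.cert.Verify(x509.VerifyOptions{
		Roots: roots, Intermediates: inter, DNSName: host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

func main() {
	d, err := Deploy("branch1.example")
	if err != nil {
		panic(err)
	}
	fmt.Println("client trusting only the first CA accepts the appliance certificate:",
		d.ClientVerify(d.First.cert, "branch1.example") == nil)
}
```

The path-length constraints are the check a practitioner wants in this model: the edge CA is issued with pathlen 0, so a key stolen from an edge machine can mint server certificates for that edge but not a further CA, and the second CA's pathlen 1 stops a compromised key management service from re-creating the edge tier more than one level deep. The first CA's private key never leaves the branch network; it signs exactly one certificate, that of the second CA.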
A mechanism to facilitate a virtual private network (VPN)-as-a-service, preferably within the context of an overlay IP routing mechanism implemented within an overlay network. A network-as-a-service customer operates endpoints that are desired to be connected to one another securely and privately using the overlay IP (OIP) routing mechanism. The overlay provides delivery of packets end-to-end between overlay network appliances positioned at the endpoints. During such delivery, the appliances are configured such that the data portion of each packet has a distinct encryption context from the encryption context of the TCP/IP portion of the packet. By establishing and maintaining these distinct encryption contexts, the overlay network can decrypt and access the TCP/IP flow. This enables the overlay network provider to apply one or more TCP optimizations. At the same time, the separate encryption contexts ensure the data portion of each packet is never available in the clear at any point during transport.
H04L 45/02 - Topology update or discovery
H04L 47/193 - Flow control; Congestion control at layers above the network layer, at the transport layer, e.g. TCP related
65.
Method and apparatus to detect non-human users on computer systems
Methods and systems for malicious non-human user detection on computing devices are described. The method includes collecting, by a processing device, raw data corresponding to a user action, converting, by the processing device, the raw data to features, wherein the features represent characteristics of a human user or a malicious code acting as if it were the human user, and comparing, by the processing device, at least one of the features against a corresponding portion of a characteristic model to differentiate the human user from the malicious code acting as if it were the human user.
Among other things, this document describes systems, methods and devices for performance testing and dynamic placement of computing tasks in a distributed computing environment. In embodiments, a given client request is forwarded up a hierarchy of nodes, or across tiers in the hierarchy. A particular computing node in the system self-determines to perform a computing task to generate (or help generate) particular content for a response to the client. The computing node injects its identifier into the response indicating that it performed those tasks; the identifier is transmitted to the client with particular content. The client runs code that assesses the performance of the system from the client's perspective, e.g., in servicing the request, and beacons this performance data, along with the aforementioned identifier, to a system intelligence component. The performance information may be used to dynamically place and improve the placement of the computing task(s).
H04L 67/1008 - Server selection for load balancing based on parameters of servers, e.g. available memory or workload
G06F 17/18 - Complex mathematical operations for evaluating statistical data
G06F 11/34 - Recording or statistical evaluation of computer activity, e.g. of interruptions or input/output operations
H04L 67/1023 - Server selection for load balancing based on a hash applied to IP addresses or costs
G06F 9/50 - Allocation of resources, e.g. of the central processing unit [CPU]
G06F 9/48 - Program initiating; Program switching, e.g. by interrupt
67.
Network security system with enhanced traffic analysis based on feedback loop
This document describes, among other things, network security systems that incorporate a feedback loop so as to automatically and dynamically adjust the scope of network traffic that is subject to inspection. Risky traffic can be sent for inspection; risky traffic that is demonstrated to have a high rate of threats can be outright blocked without further inspection; traffic that is causing errors due to protocol incompatibility, or that should not be inspected for regulatory or other reasons, can be flagged so that it bypasses the security inspection system. The system can operate on a domain-by-domain basis, an IP address basis, or otherwise.
H04L 61/4511 - Network directories; Name-to-address mapping using standardised directory access protocols using the domain name system [DNS]
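One way to realise the feedback loop on a per-domain basis, as an added example that is not the patent's code: per-domain verdict counters fed from inspector log lines, and a steering decision that blocks domains with a demonstrated threat rate, bypasses domains the inspector cannot parse or that policy excludes, and inspects everything else. The log line format, the threshold values and the domain names are constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// Action is the steering decision made for a flow before any deep inspection.
type Action int

const (
	Inspect Action = iota // send the flow to the inspection system
	Block                 // drop without inspection: history shows the domain is almost always a threat
	Bypass                // skip inspection: protocol errors, or excluded for regulatory or other reasons
)

func (a Action) String() string { return [...]string{"inspect", "block", "bypass"}[a] }

// Stats is the per-domain feedback accumulated from the inspection system's verdicts.
type Stats struct {
	Inspected int // flows that went through inspection
	Threats   int // of those, verdict "threat"
	Errors    int // of those, verdict "error" (the inspector could not handle the protocol)
}

// Policy thresholds; the values in DefaultPolicy are assumptions for the example.
type Policy struct {
	MinSamples      int             // verdicts needed before a rate is trusted
	BlockThreatRate float64         // threat rate at or above which the domain is blocked outright
	BypassErrorRate float64         // error rate at or above which inspection is skipped
	Excluded        map[string]bool // domains that must never be inspected
}

func DefaultPolicy() Policy {
	return Policy{MinSamples: 10, BlockThreatRate: 0.8, BypassErrorRate: 0.5,
		Excluded: map[string]bool{"bank.example": true}}
}

type Loop struct {
	policy Policy
	stats  map[string]*Stats
}

func NewLoop(p Policy) *Loop { return &Loop{policy: p, stats: map[string]*Stats{}} }

// Feedback records one verdict ("threat", "clean" or "error") from the inspection system.
func (l *Loop) Feedback(domain, verdict string) error {
	s := l.stats[domain]
	if s == nil {
		s = &Stats{}
		l.stats[domain] = s
	}
	switch verdict {
	case "threat":
		s.Threats++
	case "error":
		s.Errors++
	case "clean":
	default:
		return fmt.Errorf("unknown verdict %q for %s", verdict, domain)
	}
	s.Inspected++
	return nil
}

// ApplyLog feeds verdict lines of the constructed form "domain=<name> verdict=<threat|clean|error>".
func (l *Loop) ApplyLog(lines []string) error {
	for _, line := range lines {
		kv := map[string]string{}
		for _, f := range strings.Fields(line) {
			if parts := strings.SplitN(f, "=", 2); len(parts) == 2 {
				kv[parts[0]] = parts[1]
			}
		}
		if kv["domain"] == "" || kv["verdict"] == "" {
			return fmt.Errorf("malformed line: %q", line)
		}
		if err := l.Feedback(kv["domain"], kv["verdict"]); err != nil {
			return err
		}
	}
	return nil
}

// Decide returns the action for a new flow to domain. Exclusions win, then the error rate
// (inspection is pointless if the inspector cannot parse the traffic), then the threat rate.
func (l *Loop) Decide(domain string) Action {
	if l.policy.Excluded[domain] {
		return Bypass
	}
	s := l.stats[domain]
	if s == nil || s.Inspected < l.policy.MinSamples {
		return Inspect // not enough evidence yet: inspect by default
	}
	n := float64(s.Inspected)
	if float64(s.Errors)/n >= l.policy.BypassErrorRate {
		return Bypass
	}
	if float64(s.Threats)/n >= l.policy.BlockThreatRate {
		return Block
	}
	return Inspect
}

// ConstructedLog is sample inspector output, not real data.
func ConstructedLog() []string {
	var lines []string
	add := func(domain, verdict string, n int) {
		for i := 0; i < n; i++ {
			lines = append(lines, fmt.Sprintf("domain=%s verdict=%s", domain, verdict))
		}
	}
	add("bad.example", "threat", 9)
	add("bad.example", "clean", 1)
	add("legacy.example", "error", 6)
	add("legacy.example", "clean", 4)
	add("news.example", "threat", 1)
	add("news.example", "clean", 9)
	add("fresh.example", "clean", 3)
	return lines
}

func main() {
	l := NewLoop(DefaultPolicy())
	if err := l.ApplyLog(ConstructedLog()); err != nil {
		panic(err)
	}
	for _, d := range []string{"bad.example", "legacy.example", "news.example", "fresh.example", "bank.example"} {
		fmt.Printf("%-16s %s\n", d, l.Decide(d))
	}
}
```

Two caveats for anyone deploying this shape. A blocked domain stops producing verdicts, so its counters freeze; a real system ages the counters over a sliding window or keeps sampling a small fraction of flows from blocked domains so that a false positive can recover. And the exclusion list has to be evaluated before the rate-based rules, otherwise a burst of threat verdicts could move a regulator-protected domain into the inspection path.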
68.
Fast, secure, and scalable data store at the edge for connecting network enabled devices
A distributed computing system provides a distributed data store for network enabled devices at the edge. The distributed database is partitioned such that each node in the system has its own partition and some number of followers that replicate the data in the partition. The data in the partition is typically used in providing services to network enabled devices from the edge. The set of data for a particular network enabled device is owned by the node to which the network enabled device connects. Ownership of the data (and the data itself) may move around the distributed computing system to different nodes, e.g., for load balancing, fault-resilience, and/or due to device movement. Security/health checks are enforced at the edge as part of a process of transferring data ownership, thereby providing a mechanism to mitigate compromised or malfunctioning network enabled devices.
H04L 67/1095 - Replication or mirroring of data, e.g. scheduling or transport for data synchronisation between network nodes
H04L 67/1097 - Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
69.
FAST, SECURE, AND SCALABLE DATA STORE AT THE EDGE FOR CONNECTING NETWORK ENABLED DEVICES
A distributed computing system provides a distributed data store for network enabled devices at the edge. The distributed database is partitioned such that each node in the system has its own partition and some number of followers that replicate the data in the partition. The data in the partition is typically used in providing services to network enabled devices from the edge. The set of data for a particular network enabled device is owned by the node to which the network enabled device connects. Ownership of the data (and the data itself) may move around the distributed computing system to different nodes, e.g., for load balancing, fault-resilience, and/or due to device movement. Security/health checks are enforced at the edge as part of a process of transferring data ownership, thereby providing a mechanism to mitigate compromised or malfunctioning network enabled devices.
An analysis system automates IP address structure discovery by deep analysis of sample IPv6 addresses using a set of computational methods, namely, information-theoretic analysis, machine learning, and statistical modeling. The system receives a sample set of IP addresses, computes entropies, discovers and mines address segments, builds a network model of address segment inter-dependencies, and provides a graphical display with various plots and tools to enable a network analyst to navigate and explore the exposed IPv6 address structure. The structural information is then applied as input to applications that include: (a) identifying homogeneous groups of client addresses, e.g., to assist in mapping clients to content in a CDN; (b) supporting network situational awareness efforts, e.g., in cyber defense; (c) selecting candidate targets for active measurements, e.g., traceroute campaigns, vulnerability assessments, or reachability surveys; and (d) remotely assessing a network's addressing plan and address assignment policy.
H04L 41/142 - Network analysis or design using statistical or mathematical methods
H04L 41/16 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks, using machine learning or artificial intelligence
H04L 61/4511 - Network directories; Name-to-address mapping using standardised directory access protocols using the domain name system [DNS]
H04L 61/5007 - Internet protocol [IP] addresses
H04L 61/5092 - Address allocation by self-assignment, e.g. picking addresses at random and testing if they are already in use
H04L 101/659 - Internet protocol version 6 [IPv6] addresses
H04L 101/686 - Types of network addresses using dual-stack hosts, e.g. in Internet protocol version 4 [IPv4]/Internet protocol version 6 [IPv6] networks
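The first stage of the analysis described above, the per-nibble entropy computation and the segmentation of the address into fixed, structured and random fields, as an added example that is not the patent's own implementation. It runs over a constructed /64 sample rather than measured data, and the two classification cut-offs are assumptions.

```go
package main

import (
	"fmt"
	"math"
	"net"
)

// ConstructedSample builds 32 addresses in one /64 whose low-order nibbles follow a simple plan:
// nibble 27 takes two values (a "pool" bit) and nibble 31 takes all sixteen. Not measured data.
func ConstructedSample() []string {
	addrs := make([]string, 0, 32)
	for i := 0; i < 32; i++ {
		addrs = append(addrs, fmt.Sprintf("2001:db8:1:10::%x:%x", i/16, i%16))
	}
	return addrs
}

// nibbles splits a 16-byte address into its 32 hex digits, most significant first.
func nibbles(b []byte) [32]byte {
	var n [32]byte
	for i, v := range b {
		n[2*i] = v >> 4
		n[2*i+1] = v & 0x0f
	}
	return n
}

// NibbleEntropy returns the Shannon entropy, in bits, of each nibble position across the sample.
// 0 means the nibble is constant; 4 means all sixteen values appear equally often.
func NibbleEntropy(addrs []string) ([32]float64, error) {
	var h [32]float64
	if len(addrs) == 0 {
		return h, fmt.Errorf("empty sample")
	}
	var counts [32][16]int
	for _, s := range addrs {
		ip := net.ParseIP(s)
		if ip == nil {
			return h, fmt.Errorf("invalid address: %s", s)
		}
		if ip.To4() != nil { // IPv4 or IPv4-mapped: not part of a native IPv6 plan
			return h, fmt.Errorf("not a native IPv6 address: %s", s)
		}
		for i, v := range nibbles(ip.To16()) {
			counts[i][v]++
		}
	}
	total := float64(len(addrs))
	for i := range counts {
		for _, c := range counts[i] {
			if c > 0 {
				p := float64(c) / total
				h[i] -= p * math.Log2(p)
			}
		}
	}
	return h, nil
}

// Segment is a run of adjacent nibbles with the same role in the inferred addressing plan.
type Segment struct {
	Start, End int    // nibble indexes, inclusive (0 = most significant)
	Kind       string // "fixed", "structured" or "random"
}

// classify uses two assumed cut-offs: (almost) zero entropy is a fixed field, (almost) the
// 4-bit maximum is a random or densely used field, anything between carries structure.
func classify(h float64) string {
	switch {
	case h < 0.01:
		return "fixed"
	case h > 3.9:
		return "random"
	default:
		return "structured"
	}
}

// Segments merges adjacent nibbles of the same class into address segments.
func Segments(h [32]float64) []Segment {
	var segs []Segment
	for i, v := range h {
		k := classify(v)
		if n := len(segs); n > 0 && segs[n-1].Kind == k {
			segs[n-1].End = i
			continue
		}
		segs = append(segs, Segment{Start: i, End: i, Kind: k})
	}
	return segs
}

func main() {
	h, err := NibbleEntropy(ConstructedSample())
	if err != nil {
		panic(err)
	}
	for _, s := range Segments(h) {
		fmt.Printf("nibbles %2d-%2d: %s\n", s.Start, s.End, s.Kind)
	}
}
```

On real samples the interesting output is the middle class: a nibble with one to three bits of entropy is a field an operator assigns by hand (a site, pool or VLAN index), and those are the values to enumerate when selecting targets for a measurement campaign, rather than the 4-bit nibbles of a randomised interface identifier. Per-nibble entropy alone misses dependencies between segments; that is what the patent's segment inter-dependency model adds on top.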
71.
Mapping internet routing with anycast and utilizing such maps for deploying and operating anycast points of presence (PoPs)
Generally, aspects of the invention involve creating a data structure (a map) that reflects routing of Internet traffic to Anycast prefixes. Assume, for example, that each Anycast prefix is associated with two or more deployments (Points of Presence or PoPs) that can provide a service such as DNS, content delivery (e.g., via proxy servers, as in a CDN), distributed network storage, compute, or otherwise. The map is built in such a way as to identify portions of the Internet (e.g., in IP address space) that are consistently routed with one another, i.e., always to the same PoP as one another, regardless of how the Anycast prefixes are deployed. Aspects of the invention also involve the use of this map, once created. The map can be applied in a variety of ways to assist and/or improve the operation of Anycast deployments and thus represents an improvement to computer networking technology.
H04L 61/4511 - Network directories; Name-to-address mapping using standardised directory access protocols using the domain name system [DNS]
H04L 61/5007 - Internet protocol [IP] addresses
H04L 67/1008 - Server selection for load balancing based on parameters of servers, e.g. available memory or workload
72.
Overload protection for data sinks in a distributed computing system
Described in this document, among other things, is an overload protection system that can protect data sinks from overload by controlling the volume of data sent to those data sinks in a fine-grained manner. The protection system preferably sits in between edge servers, or other producers of data, and data sinks that will receive some or all of the data. Preferably, each data sink owner defines a policy to control how and when overload protection will be applied. Each policy can include definitions of how to monitor the stream of data for overload and specify one or more conditions upon which throttling actions are necessary. In embodiments, a policy can contain a multi-part specification to identify the class(es) of traffic to monitor to see if the conditions have been triggered.
H04L 49/50 - Overload detection or protection within a single switching element
H04L 47/25 - Flow control; Congestion control with rate being modified by the source upon detecting a change of network conditions
H04L 43/045 - Processing captured monitoring data, e.g. for logfile generation, for graphical visualisation of monitoring data
H04L 41/142 - Network analysis or design using statistical or mathematical methods
H04L 41/147 - Network analysis or design for predicting network behaviour
H04L 41/16 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks, using machine learning or artificial intelligence
H04L 43/067 - Generation of reports using time frame reports
73.
Intermediary handling of identity services to guard against client side attack vectors
This document describes, among other things, security hardening techniques that guard against certain client-side attack vectors. These techniques generally involve the use of an intermediary that detects and handles identity service transactions on behalf of a client. In one embodiment, the intermediary establishes a resource domain session with the client in order to provide the client with desired resource domain content or services from a resource domain host. The intermediary detects when the resource domain host invokes a federated identity service as a condition of client access. The intermediary handles the identity transaction in the identity domain on behalf of the client within the client's resource domain session. Upon successful authentication and/or authorization with an IdP, the intermediary connects the results of the identity services domain transaction to the resource domain.
H04L 9/32 - Arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system
A proxy server is augmented with the capability of taking transient possession of a received entity for purposes of serving consuming devices. This capability supplements destination forwarding and/or origin server transactions performed by the proxy server. This capability enables several entity transfer modes, including a rendezvous service, in which the proxy server can (if invoked by a client) fulfill a client's request with an entity that the proxy server receives from a producing device contemporaneous with (or shortly after) the request for that entity. It also enables server-to-server transfers with synchronous or asynchronous destination forwarding behavior. It also enables a mode in which clients can request different representations of entities, e.g., from either the near-channel (e.g., the version stored at the proxy server) or a far-channel (e.g., at the origin server). The teachings hereof are compatible with, although not limited to, conventional HTTP messaging protocols, including the GET, POST and PUT methods.
A server interacts with a bot detection service to provide bot detection as a requesting client interacts with the server. In an asynchronous mode, the server injects into a page a data collection script configured to record interactions at the requesting client, to collect sensor data about the interactions, and to send the collected sensor data to the server. After the client receives the page, the sensor data is collected and forwarded to the server through a series of posts. The server forwards the posts to the detection service. During this data collection, the server also may receive a request from the client for a protected endpoint. When this occurs, and in a synchronous mode, the server issues a query to the detection service to obtain a threat score based in part on the collected sensor data that has been received and forwarded by the server. Based on the threat score returned, the server then determines whether the request for the endpoint should be forwarded onward for handling.
An end-to-end verifiable multi-factor authentication scheme uses an authentication service. An authentication request is received from an organization, the request having been generated at the organization in response to its receipt of an access request from a user. The user has an associated public-private key pair. The organization provides the authentication request together with a first nonce. In response to receiving the authentication request and the first nonce, the authentication service generates a second nonce, and then it sends the first and second nonces to the user. Thereafter, the service receives a data string, the data string having been generated by the client applying its private key over the first and second nonces. Using the user's public key, the service attempts to verify that the data string includes the first and second nonces. If it does, the authentication service provides the authentication decision in response to the authentication request, together with a proof that the user approved the authentication request.
H04L 9/06 - Arrangements for secret or secure communications; Network security protocols; the encryption apparatus using shift registers or memories for block-wise coding, e.g. DES systems
H04L 9/32 - Arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system
An end-to-end verifiable multi-factor authentication scheme uses an authentication service. An authentication request is received from an organization, the request having been generated at the organization in response to receipt there of an access request from a user. The user has an associated public-private key pair. The organization provides the authentication request together with a first nonce. In response to receiving the authentication request and the first nonce, the authentication service generates a second nonce, and then it send the first and second nonces to the user. Thereafter, the service receives a data string, the data string having been generated by the client applying its private key over the first and second nonces. Using the user' s public key, the service attempts to verify that the data string includes the first and second nonces. If it does, the authentication service provides the authentication decision in response to the authentication request, together with a proof that the user approved the authentication request.
H04L 9/32 - Dispositions pour les communications secrètes ou protégées; Protocoles réseaux de sécurité comprenant des moyens pour vérifier l'identité ou l'autorisation d'un utilisateur du système
H04L 9/30 - Clé publique, c. à d. l'algorithme de chiffrement étant impossible à inverser par ordinateur et les clés de chiffrement des utilisateurs n'exigeant pas le secret
Improved technology for managing the caching of objects that are rarely requested by clients. A cache system can be configured to assess a class of objects (such as objects associated with a particular domain) for cacheability, based on traffic observations. If the maximum possible cache offloading for the class of objects falls below a threshold level, which indicates a high proportion of non-cacheable or “single-hitter” content, then cache admission logic is configured to admit objects only after multiple client requests during a time period (usually the object's time in cache, or eviction age). Otherwise, the cache admission logic may operate to admit objects to the cache after the first client request, assuming the object meets cacheability criteria. The technological improvements disclosed herein can be used to improve cache utilization, for example by preventing single-hitter objects from pushing out multi-hit objects (the objects that get hits after being added to cache).
This document relates to a CDN balancing mitigation system. An implementing CDN can deploy systems and techniques to monitor the domains of content provider customers with an active DNS scanner and detect which are using other CDNs on the same domain. This information can be used as an input signal for identifying and implementing adjustments to CDN configuration. Both automated and semi-automated adjustments are possible. The system can issue configuration adjustments or recommendations to the implementing CDN's servers or to its personnel. These might include “above-SLA” treatments intended to divert traffic to the implementing CDN. The effectiveness can be measured with the multi-CDN balance subsequently observed. The scanning and adjustment workflow can be permanent, temporary, or cycled. Treatments may include a variety of things, such as more cache storage, routing to less loaded servers, and so forth.
H04L 61/30 - Managing network names, e.g. use of aliases or nicknames
H04L 67/10 - Protocols in which an application is distributed across nodes in the network
H04L 67/1029 - Protocols in which an application is distributed across nodes in the network for accessing one among a plurality of replicated servers using data related to the state of the servers by a load balancer
H04L 67/1008 - Server selection for load balancing based on parameters of servers, e.g. available memory or workload
82.
Secure transfer of data between programs executing on the same end-user device
It is often necessary to securely transfer data, such as authenticators or authorization tokens, between programs running on the same end-user device. The teachings hereof enable the pairing of two programs executing on a given end-user device and then the transfer of data from one program to the other. In an embodiment, a first program connects to a server and sends encrypted data elements. A second program intercepts the connection and/or the encrypted data elements. The second program tunnels the encrypted data elements (which remain opaque to the second program at this point) to a server, using an encapsulating protocol. This enables the server to receive the data elements sent by the first program, decrypt them, and provide them to the second program via return message using control fields of the encapsulating protocol. Once set up, the tunneling arrangement enables bidirectional data transfer.
The methods and system described herein automatically generate network router access control entities (ACEs) that are used to filter internet traffic and more specifically to block malicious traffic. The rules are generated by an ACE engine that processes incoming internet packets and examines existing ACEs and a statistical profile of the captured packets to produce one or more recommended ACEs with a quantified measure of confidence. Preferably, a recommended ACE is identified in real time, while the attack is in progress, and preferably selected from a library of pre-authored ACEs. It is then deployed automatically or alternatively sent to system personnel for review and confirmation.
A payment network comprises ledger services, and associated wallet services. To provide wallet services resiliency, multiple active wallet replicas are used to enable the system (i) to rely on collision detection and blockchain idempotency to produce a single correct outcome, and (ii) to implement various collision avoidance techniques. Using a ledger services idempotency feature, multiple actors form independent valid intents and know that no more than one intent will get finalized on the ledger. In a variant embodiment, replicas implement processing delays and utilize so-called "intent" messages. By adding the delays, decision logic is biased towards one intent. The intent messages are used to intercede before a wallet handles a same original upstream message and forms a different intent. Seeing the replica's intent, the wallet can adopt the same intent and proceed with downstream processing. After adopting intent, preferably a wallet also informs its replicas of its intent.
G06Q 20/36 - Payment architectures, schemes or protocols characterised by the use of specific devices using electronic wallets or electronic money safes
G06Q 20/38 - Payment architectures, schemes or protocols - details thereof
This document describes systems, devices, and methods for testing the integration of a content provider's origin infrastructure with a content delivery network (CDN). In embodiments, the teachings hereof enable a content provider's developer to rapidly and flexibly create test environments that send test traffic through the same CDN hardware and software that handle (or at least have the ability to handle) production traffic, but in isolation from that production traffic and from each other. Furthermore, in embodiments, the teachings hereof enable the content provider to specify an arbitrary test origin behind its corporate firewall with which the CDN should communicate.
H04L 67/60 - Scheduling or organising the servicing of application requests, e.g. requests for application data transmissions using the analysis and optimisation of the required network resources
86.
High performance distributed system of record with wallet services resiliency
A payment network comprises ledger services, and associated wallet services. To provide wallet services resiliency, multiple active wallet replicas are used to enable the system (i) to rely on collision detection and blockchain idempotency to produce a single correct outcome, and (ii) to implement various collision avoidance techniques. Using a ledger services idempotency feature, multiple actors form independent valid intents and know that no more than one intent will get finalized on the ledger. In a variant embodiment, replicas implement processing delays and utilize so-called “intent” messages. By adding the delays, decision logic is biased towards one intent. The intent messages are used to intercede before a wallet handles a same original upstream message and forms a different intent. Seeing the replica's intent, the wallet can adopt the same intent and proceed with downstream processing. After adopting intent, preferably a wallet also informs its replicas of its intent.
G06Q 20/36 - Payment architectures, schemes or protocols characterised by the use of specific devices using electronic wallets or electronic money safes
G06Q 20/38 - Payment architectures, schemes or protocols - details thereof
The techniques herein provide for enhanced overlay network-based transport of traffic, such as IPsec traffic, e.g., to and from customer branch office locations, facilitated through the use of the Internet-based overlay routing infrastructure. This disclosure describes a method of providing integrity protection for traffic on the overlay network.
H04N 21/266 - Channel or content management, e.g. generation and management of keys and entitlement messages in a conditional access system, merging a VOD unicast channel into a multicast channel
H04L 9/00 - Arrangements for secret or secure communications; Network security protocols
H04L 9/32 - Arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system
H04L 45/64 - Routing or path finding of packets in data switching networks using an overlay routing layer
H04N 21/6334 - Control signals issued by the server directed to network components or to the client, directed to the client for authorisation, e.g. by transmitting a key
88.
Synchronizing independent media and data streams using media stream synchronization points
A messaging channel is embedded directly into a media stream. Messages delivered via the embedded messaging channel are extracted at a client media player. According to a variant embodiment, and in lieu of embedding all of the message data in the media stream, only a coordination index is injected, and the message data is sent separately and merged into the media stream downstream (at the client media player) based on the coordination index. In one example embodiment, multiple data streams (each potentially with different content intended for a particular “type” or class of user) are transmitted alongside the video stream in which the coordination index (e.g., a sequence number) has been injected into a video frame. Based on a user's service level, a particular one of the multiple data streams is released when the sequence number appears in the video frame, and the data in that stream is associated with the media.
G06F 13/00 - Interconnection of, or transfer of information or other signals between, memories, input/output devices or central processing units
H04L 65/75 - Media network packet handling
H04L 65/80 - Arrangements, protocols or services in data packet communication networks for supporting real-time applications responsive to quality of service [QoS]
H04L 65/612 - Streaming of multimedia packets for supporting one-way streaming services, e.g. Internet radio, for unicast
89.
Content delivery network (CDN) bot detection using primitive and compound feature sets
A method of detecting bots, preferably in an operating environment supported by a content delivery network (CDN) that comprises a shared infrastructure of distributed edge servers from which CDN customer content is delivered to requesting end users (clients). The method begins as clients interact with the edge servers. As such interactions occur, transaction data is collected. The transaction data is mined against a set of “primitive” or “compound” feature sets to generate a database of information. In particular, preferably the database comprises one or more data structures, wherein a given data structure associates a feature value with its relative percentage occurrence across the collected transaction data. Thereafter, and upon receipt of a new transaction request, primitive or compound feature set data derived from the new transaction request are compared against the database. Based on the comparison, an end user client associated with the new transaction request is then characterized, e.g., as being associated with a human user, or a bot.
H04L 61/3015 - Name registration, generation or assignment
H04N 21/239 - Interfacing the upstream path of the transmission network, e.g. prioritizing client requests
H04N 21/24 - Monitoring of processes or resources, e.g. monitoring of server load, available bandwidth or upstream requests
90.
Content delivery network (CDN) edge server-based bot detection with session cookie support handling
A server interacts with a bot detection service to provide bot detection as a requesting client interacts with the server. In an asynchronous mode, the server injects into a page a data collection script configured to record interactions at the requesting client, to collect sensor data about the interactions, and to send the collected sensor data to the server. After the client receives the page, the sensor data is collected and forwarded to the server through a series of posts. The server forwards the posts to the detection service. During this data collection, the server also may receive a request from the client for a protected endpoint. When this occurs, and in a synchronous mode, the server issues a query to the detection service to obtain a threat score based in part on the collected sensor data that has been received and forwarded by the server. Based on the threat score returned, the server then determines whether the request for the endpoint should be forwarded onward for handling.
A server interacts with a bot detection service to provide bot detection as a requesting client interacts with the server. In an asynchronous mode, the server injects into a page a data collection script configured to record interactions at the requesting client, to collect sensor data about the interactions, and to send the collected sensor data to the server. After the client receives the page, the sensor data is collected and forwarded to the server through a series of posts. The server forwards the posts to the detection service. During this data collection, the server also may receive a request from the client for a protected endpoint. When this occurs, and in a synchronous mode, the server issues a query to the detection service to obtain a threat score based in part on the collected sensor data that has been received and forwarded by the server. Based on the threat score returned, the server then determines whether the request for the endpoint should be forwarded onward for handling.
A method and apparatus for data collection to facilitate bot detection. According to this approach, and in lieu of conventional user agent-based fingerprinting, a client script is executed to attempt to identify one or more Javascript “landmark” features. In one embodiment, a landmark Javascript feature is a Javascript implementation that exists in a first browser type but not a second browser type distinct from the first browser type, and that also exists in one or more releases of the first browser type, but not in one or more other releases of the first browser type. By testing against landmark Javascript features as opposed to an unconstrained set of API calls and the like, the technique herein provides for much more computationally-efficient client-side operation.
G06F 9/455 - Arrangements for executing specific programs; Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
93.
Content delivery network (CDN)-based bot detection service with stop and reset protocols
A server interacts with a bot detection service to provide bot detection as a requesting client interacts with the server. In an asynchronous mode, the server injects into a page a data collection script configured to record interactions at the requesting client, to collect sensor data about the interactions, and to send the collected sensor data to the server. After the client receives the page, the sensor data is collected and forwarded to the server through a series of posts. The server forwards the posts to the detection service. During this data collection, the server also may receive a request from the client for a protected endpoint. When this occurs, and in a synchronous mode, the server issues a query to the detection service to obtain a threat score based in part on the collected sensor data that has been received and forwarded by the server. Based on the threat score returned, the server then determines whether the request for the endpoint should be forwarded onward for handling.
This patent document describes technology for providing real-time messaging and entity update services in a distributed proxy server network, such as a CDN. Uses include distributing real-time notifications about updates to data stored in and delivered by the network, with both high efficiency and locality of latency. The technology can be integrated into conventional caching proxy servers providing HTTP services, thereby leveraging their existing footprint in the Internet, their existing overlay network topologies and architectures, and their integration with existing traffic management components.
H04L 65/80 - Arrangements, protocols or services in data packet communication networks for supporting real-time applications responsive to quality of service [QoS]
H04L 67/568 - Storing data temporarily at an intermediate stage, e.g. caching
H04L 67/02 - Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
H04L 67/566 - Grouping or aggregating service requests, e.g. for unified processing
G06F 12/0813 - Multiuser, multiprocessor or multiprocessing cache systems with a network or matrix configuration
G06F 21/53 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems, during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure, by executing in a restricted environment, e.g. a "sandbox" or secure virtual machine
A proxy server is augmented with the capability of taking transient possession of a received entity for purposes of serving consuming devices. This capability supplements destination forwarding and/or origin server transactions performed by the proxy server. This capability enables several entity transfer modes, including a rendezvous service, in which the proxy server can (if invoked by a client) fulfill a client's request with an entity that the proxy server receives from a producing device contemporaneous with (or shortly after) the request for that entity. It also enables server-to-server transfers with synchronous or asynchronous destination forwarding behavior. It also enables a mode in which clients can request different representations of entities, e.g., from either the near-channel (e.g., the version stored at the proxy server) or a far-channel (e.g., at origin server). The teachings hereof are compatible with, although not limited to, conventional HTTP messaging protocols, including GET, POST and PUT methods.
G06F 15/167 - Interprocessor communication using a common memory, e.g. mailbox
H04L 67/563 - Data redirection of data network streams
H04L 67/60 - Scheduling or organising the servicing of application requests, e.g. requests for application data transmissions using the analysis and optimisation of the required network resources
H04L 67/02 - Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
96.
Detection and optimization of content in the payloads of API messages
A server in a content delivery network (CDN) can examine API traffic and extract therefrom content that can be optimized before it is served to a client. The server can apply content location instructions to a given API message to find such content therein. Upon finding an instance of such content, the server can verify the identity of the content by applying a set of content verification instructions. If verification succeeds, the server can retrieve an optimized version of the identified content and swap it into the API message for the original version. If an optimized version is not available, the server can initiate an optimization process so that next time the optimized version will be available. In some embodiments, an analysis service can assist by observing traffic from an API endpoint over time, detecting the format of API messages and producing the content location and verification instructions.
Origin offload is a key performance indicator of a content delivery network (CDN). This patent document presents unique methods and systems for measuring origin offload and applying those measurements to improve the offload. The techniques presented herein enable resource-efficient measurement of origin offload by individual servers and aggregation and analysis of such measurements to produce significant insights. The teachings hereof can be used to better identify root causes of suboptimal offload performance, to tune CDN settings and configurations, and to modify network operations, deployment and/or capacity planning. In addition, discussed herein are improved metrics showing offload in relation to the maximum achievable offload for the particular traffic being served.
H04N 21/231 - Content storage operation, e.g. caching movies for short term storage, replicating data over plural servers, or prioritizing data for deletion
H04L 9/06 - Arrangements for secret or secure communications; Network security protocols; the encryption apparatus using shift registers or memories for block-wise coding, e.g. DES systems
98.
Measuring and improving origin offload and resource utilization in caching systems
Origin offload is a key performance indicator of a content delivery network (CDN). This patent document presents unique methods and systems for measuring origin offload and applying those measurements to improve the offload. The techniques presented herein enable resource-efficient measurement of origin offload by individual servers and aggregation and analysis of such measurements to produce significant insights. The teachings hereof can be used to better identify root causes of suboptimal offload performance, to tune CDN settings and configurations, and to modify network operations, deployment and/or capacity planning. In addition, discussed herein are improved metrics showing offload in relation to the maximum achievable offload for the particular traffic being served.
H04N 21/231 - Content storage operation, e.g. caching movies for short term storage, replicating data over plural servers, or prioritizing data for deletion
H04L 9/06 - Arrangements for secret or secure communications; Network security protocols; the encryption apparatus using shift registers or memories for block-wise coding, e.g. DES systems
H04N 21/2665 - Gathering content from different sources, e.g. Internet and satellite
Disclosed herein are systems and methods for coordinating the wireless sharing of content between vehicles in a secure and efficient manner. In one embodiment, vehicles recognize when there is an opportunity for them to participate in content sharing, such as when a vehicle is temporarily stopped at a traffic signal, or stuck in traffic, or the like. In response to this opportunity, the vehicle can notify a coordination component, sending a manifest of content it has available for sharing and content that it desires. The coordination component can match two vehicles in location and time, and can facilitate a secure wireless content share transaction. Such a transaction can involve use of ephemeral wireless network parameters, including temporary network names, passwords and/or security keys. Feedback about the success of the content transfer may be reported to system component(s) to improve identification of sharing opportunities in the future.
H04L 29/08 - Transmission control procedure, e.g. data link level control procedure
H04W 4/46 - Services specially adapted for specific environments, situations or purposes, for vehicles, e.g. vehicle-to-pedestrian communication; for vehicle-to-vehicle communication
H04W 4/44 - Services specially adapted for specific environments, situations or purposes, for vehicles, e.g. vehicle-to-pedestrian communication; for communication between vehicles and infrastructures, e.g. vehicle-to-cloud or vehicle-to-home
100.
IDENTIFICATION AND COORDINATION OF OPPORTUNITIES FOR VEHICLE TO VEHICLE WIRELESS CONTENT SHARING
Disclosed herein are systems and methods for coordinating the wireless sharing of content between vehicles in a secure and efficient manner. In one embodiment, vehicles recognize when there is an opportunity for them to participate in content sharing, such as when a vehicle is temporarily stopped at a traffic signal, or stuck in traffic, or the like. In response to this opportunity, the vehicle can notify a coordination component, sending a manifest of content it has available for sharing and content that it desires. The coordination component can match two vehicles in location and time, and can facilitate a secure wireless content share transaction. Such a transaction can involve use of ephemeral wireless network parameters, including temporary network names, passwords and/or security keys. Feedback about the success of the content transfer may be reported to system component(s) to improve identification of sharing opportunities in the future.
H04W 4/44 - Services specially adapted for specific environments, situations or purposes, for vehicles, e.g. vehicle-to-pedestrian communication; for communication between vehicles and infrastructures, e.g. vehicle-to-cloud or vehicle-to-home
H04W 76/14 - Connection management; Connection setup; Direct-mode setup
H04W 4/02 - Services making use of location information