CloudFlare, Inc.

United States of America

Showing 1-100 of 430 records for CloudFlare, Inc. and 1 subsidiary

Aggregations

IP Type
        Patent 385
        Trademark 45
Jurisdiction
        United States 413
        World 13
        Europe 2
        Canada 2
Owner / Subsidiary
        CloudFlare, Inc. (owner) 428
        Jaal, LLC 2
Date
        2025 July 1
        2025 June 1
        2025 May 3
        2025 April 2
        2025 (YTD) 12
IPC Class
        H04L 29/06 - Communication control; Communication processing characterised by a protocol 174
        H04L 29/08 - Transmission control procedure, e.g. data link level control procedure 121
        H04L 9/40 - Network security protocols 73
        H04L 29/12 - Arrangements, apparatus, circuits or systems, not covered by a single one of groups characterised by the data terminal 65
        G06F 15/16 - Combinations of two or more digital computers each having at least an arithmetic unit, a program unit and a register, e.g. for a simultaneous processing of several programs 55
NICE Class
        42 - Scientific, technological and industrial services, research and design 36
        09 - Scientific and electric apparatus and instruments 13
        38 - Telecommunications services 7
        37 - Construction and mining; installation and repair services 1
        41 - Education, entertainment, sporting and cultural services 1
Status
        Pending 30
        Registered / In Force 400

1.

Detecting Application Programming Interface (API) Sequences And Mitigating API Sequence Abuse At The Edge Of A Distributed Cloud Computing Network

Application Number 18401192
Status Pending
Filing Date 2023-12-29
First Publication Date 2025-07-03
Owner CLOUDFLARE, INC. (USA)
Inventor
  • Foster, Peter Alexander
  • Barthonet, Louis Vincent
  • Bilas, Maciej Jakub
  • Guerreiro, Maxime Valentin Junior
  • Rüth, Jan
  • Vissers, Thomas Adriaan M

Abstract

A first compute server of a distributed cloud computing network that includes multiple compute servers receives an API request that is directed to an API endpoint. The first compute server determines an identifier that uniquely identifies a session that is associated with the API request. Based on the determined identifier, the first compute server determines which of the compute servers of the distributed cloud computing network is responsible for storing information about previous API operations associated with the determined identifier. The first compute server transmits an API sequence request to the determined compute server. In response, the first compute server receives information that specifies a time-ordered sequence of API operations associated with the determined identifier most recently observed. The first compute server may enforce a rule based at least on a sequence of at least two of the latest API operations.

IPC Classes

  • G06F 9/50 - Allocation of resources, e.g. of the central processing unit [CPU]
  • G06F 9/54 - Interprogram communication

2.

Machine learning-based malicious attachment detector

Application Number 17409648
Grant Number 12321453
Status In Force
Filing Date 2021-08-23
First Publication Date 2025-06-03
Grant Date 2025-06-03
Owner CLOUDFLARE, INC. (USA)
Inventor
  • Zeppenfeld, Torsten
  • Castro, Javier
  • Chang, Yenhsiang

Abstract

A method includes receiving, from a pre-processor, an output file, the output file having been created by the pre-processor in response to input of an electronic file to the pre-processor, the electronic file being an attachment to an electronic mail message that is in-transit to a recipient computer on a network, the electronic file being a spreadsheet file, the output file containing features that are created by the pre-processor; receiving, from a machine learning-based classifier, malware classification data, the malware classification data being output by the machine learning-based classifier in response to the machine learning-based classifier determining whether the features are indicators of obfuscation, the data used to create the machine learning-based classifier including output files previously created by the pre-processor; in response to the malware classification data matching a criterion, causing the network to modify, delay, or block transmission of the electronic file to the recipient computer.

IPC Classes

  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
  • G06F 18/243 - Classification techniques relating to the number of classes
  • G06F 21/55 - Detecting local intrusion or implementing counter-measures
  • G06N 3/08 - Learning methods
  • G06F 12/14 - Protection against unauthorised use of memory
  • G06F 21/52 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure
  • H04L 29/06 - Communication control; Communication processing characterised by a protocol

3.

USING A ZERO-KNOWLEDGE PROOF TO PROVE KNOWLEDGE THAT A WEBSITE VISITOR IS A LEGITIMATE HUMAN USER

Application Number 19033124
Status Pending
Filing Date 2025-01-21
First Publication Date 2025-05-22
Owner CLOUDFLARE, INC. (USA)
Inventor
  • Ladd, Watson Bernard
  • Davidson, Alexander Andrew
  • Fayed, Marwan
  • Hernández, Armando Faz
  • Maram, Sai Krishna Deepak
  • Sullivan, Nicholas Thomas

Abstract

A client device receives a challenge request from a server to prove that internet traffic was initiated by a human user through verifying a physical interaction between a human user and a hardware component. The client device causes a prompt to be displayed to perform the physical interaction with the hardware component. A cryptographic attestation is received that includes an attestation signature that is generated after confirmation that the physical interaction was performed with the hardware component. A zero-knowledge proof of the attestation signature is generated and transmitted to the server for verification. The client device receives the requested content responsive to the server verifying the validity of the zero-knowledge proof.

IPC Classes

  • H04L 9/32 - Arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system
  • G06F 21/32 - User authentication using biometric data, e.g. fingerprints, iris scans or voiceprints
  • H04L 9/14 - Arrangements for secret or secure communications; Network security protocols using a plurality of keys or algorithms

4.

DURABLE OBJECTS

Serial Number 99179082
Status Pending
Filing Date 2025-05-10
Owner Cloudflare, Inc.
NICE Classes 42 - Scientific, technological and industrial services, research and design

Goods & Services

Cloud computing featuring software for use in developing stateful, serverless applications

5.

Information Technology Infrastructure Resource Grouping

Application Number 18930000
Status Pending
Filing Date 2024-10-29
First Publication Date 2025-05-01
Owner Cloudflare, Inc. (USA)
Inventor
  • Standt, Ryan
  • Welham, Stephen
  • Tsai, Meigy
  • Naylor, David
  • Carino, Eric

Abstract

A method involves receiving data identifying a set of information technology (IT) resources of an IT infrastructure and generating a first IT resource dependency graph using the set of IT resources. First INCLUDES and EXCLUDES configuration data indicating one or more IT resources that should either be included or excluded from an IT resource group is received. Initial selection statuses for IT resources in the first dependency graph are set based on the first INCLUDES and EXCLUDES configuration data. A breadth-first search of the first dependency graph is performed to generate the IT resource group based on the initial selection status for the IT resources in the first dependency graph, and the IT infrastructure is updated or managed using the IT resource group.

IPC Classes

  • G06F 9/50 - Allocation of resources, e.g. of the central processing unit [CPU]

6.

Cache purging in a distributed networked system

Application Number 18636032
Grant Number 12360911
Status In Force
Filing Date 2024-04-15
First Publication Date 2025-04-10
Grant Date 2025-07-15
Owner CLOUDFLARE, INC. (USA)
Inventor
  • Abd Al Hadi, Zaidoon
  • Harwood, Connor
  • Krivit, Alex
  • Shugaeva, Samantha Aki
  • Siloti, Steven Alexander

Abstract

Purging resources from a cache in a distributed networked system is described. A compute server of a first data center of the distributed networked system receives a purge request to purge a resource from cache. If the purge request does not include a cache key, the compute server determines whether the purge request is valid, and if valid, purges the resource from cache of the first data center, generates a cache key for the resource, and causes the purge request that includes the generated cache key to be sent to other data centers of the distributed networked system for purging the resource from cache. If the purge request includes a cache key, the compute server skips determining whether the purge request is valid and purges the resource from cache based on the cache key.

IPC Classes

  • G06F 12/08 - Addressing or allocation; Relocation in hierarchically structured memory systems, e.g. virtual memory systems
  • G06F 12/0891 - Addressing of a memory level in which the access to the desired data or data block requires associative addressing means, e.g. caches using clearing, invalidating or resetting means
  • G06F 12/14 - Protection against unauthorised use of memory

7.

MANAGING ARTIFICIAL INTELLIGENCE INFERENCE REQUESTS THAT ARE DIRECTED TO AN AI MODEL EXTERNAL TO A DISTRIBUTED CLOUD COMPUTING NETWORK

Application Number US2024048719
Publication Number 2025/072561
Status In Force
Filing Date 2024-09-26
Publication Date 2025-04-03
Owner CLOUDFLARE, INC. (USA)
Inventor
  • Chen, Michelle
  • Knecht, Dane Orion
  • Martinho, Celso
  • Moshe, Yoav
  • Badoiu, Simona Andreea

Abstract

A compute server of a distributed cloud computing network receives an inference request that is directed to an AI model hosted at a destination external to the distributed cloud computing network. The compute server determines that the inference request satisfies security rules associated with the AI model. Upon determining that the inference request is not answerable from a cache, the compute server transmits the inference request to the AI model hosted at the external destination. The compute server receives an inference response from the AI model in response to the inference request, transmits the inference response, and stores the inference request and the inference response in cache.

IPC Classes

  • G06F 9/50 - Allocation of resources, e.g. of the central processing unit [CPU]
  • G06N 20/00 - Machine learning

8.

Managing Artificial Intelligence Inference Requests That Are Directed to An AI Model External To A Distributed Cloud Computing Network

Application Number 18898508
Status Pending
Filing Date 2024-09-26
First Publication Date 2025-03-27
Owner CLOUDFLARE, INC. (USA)
Inventor
  • Chen, Michelle
  • Knecht, Dane Orion
  • Martinho, Celso
  • Moshe, Yoav
  • Badoiu, Simona Andreea

Abstract

A compute server of a distributed cloud computing network receives an inference request that is directed to an AI model hosted at a destination external to the distributed cloud computing network. The compute server determines that the inference request satisfies security rules associated with the AI model. Upon determining that the inference request is not answerable from a cache, the compute server transmits the inference request to the AI model hosted at the external destination. The compute server receives an inference response from the AI model in response to the inference request, transmits the inference response, and stores the inference request and the inference response in cache.

IPC Classes

  • G06F 21/62 - Protecting access to data via a platform, e.g. using keys or access control rules

9.

ARTIFICIAL INTELLIGENCE SERVICE(S) IN A DISTRIBUTED CLOUD COMPUTING NETWORK

Application Number 18898515
Status Pending
Filing Date 2024-09-26
First Publication Date 2025-03-27
Owner CLOUDFLARE, INC. (USA)
Inventor
  • Hart, Michael
  • Adler, Keith
  • Chamorro, Derek Arturo
  • Irvine-Broque, Brendan Martin
  • Knecht, Dane Orion
  • Kozlov, Rita
  • Kipp, Jesse Thomas
  • Martinho, Celso
  • Muttreja, Manish
  • Rehg, Isaac
  • Robinett, Richard Lawrence
  • Sarma, Syona
  • Sauleau, Sven
  • Wittig, Phillip David

Abstract

A first compute server of a plurality of compute servers of a distributed cloud computing network receives an inference request. The first compute server determines that the received inference request triggers execution of code at the distributed cloud computing network, where the code is related to an artificial intelligence (AI) application that interacts with the inference request and causes input of the inference request to be run through an AI model. If the AI model is not loaded at the first compute server but is loaded at a second compute server, the inference request is routed to the second compute server for performing the inference operation.

IPC Classes

  • H04L 67/63 - Routing a service request depending on the request content or context
  • H04L 41/16 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks using machine learning or artificial intelligence
  • H04L 67/1014 - Server selection for load balancing based on the content of a request

10.

System for cross-domain identity management (SCIM) proxy service

Application Number 18809098
Grant Number 12238098
Status In Force
Filing Date 2024-08-19
First Publication Date 2025-02-25
Grant Date 2025-02-25
Owner CLOUDFLARE, INC. (USA)
Inventor
  • Johnson, Kenny
  • Bauman, Gabriel Andrew
  • Hiller, Kyle
  • Holland, Alexander Jay
  • Kerns, Russell Louis
  • Li, Jesse
  • Royal, James Howard
  • Davisson, Akemi Leigh

Abstract

A system for cross-domain identity management (SCIM) proxy service is described. A first SCIM endpoint receives, from a first SCIM client, a first message that includes a SCIM resource. The first SCIM endpoint is associated with a customer of the SCIM proxy service. The SCIM proxy service is configured as a first SCIM service provider for the first SCIM client. The first message is validated. The first SCIM proxy service determines that a third-party application is in scope for the SCIM resource, where the SCIM proxy service is configured as a second SCIM client for the third-party application. The SCIM proxy service transforms the SCIM resource to create a transformed SCIM resource that is applicable for the third-party application. The SCIM proxy service transmits a second message to a second SCIM endpoint of the third-party application, the second message including the transformed SCIM resource.

IPC Classes

  • H04L 9/40 - Network security protocols
  • G06F 21/62 - Protecting access to data via a platform, e.g. using keys or access control rules

11.

Inter-process serving of machine learning features from mapped memory for machine learning models

Application Number 18413776
Grant Number 12373211
Status In Force
Filing Date 2024-01-16
First Publication Date 2025-01-30
Grant Date 2025-07-29
Owner CLOUDFLARE, INC. (USA)
Inventor Bocharov, Oleksandr

Abstract

Inter-process serving of machine learning features from mapped memory for machine learning models is described. ML features are populated in a data structure that is serialized. State data is stored that indicates that reader process(es) are to read from a first memory mapped data file and not a second memory mapped data file. The serialized bytes are stored in the second memory mapped data file and the state data is updated to indicate that the reader process(es) are to read from the second memory mapped data file. A request is received and parsed to prepare keys from attributes of the request. Based on the state data, the serialized bytes are read from the second memory mapped data file that correspond to the keys. The serialized bytes are deserialized and copied to a data structure available to an inference algorithm.

IPC Classes

  • G06F 9/30 - Arrangements for executing machine instructions, e.g. instruction decode
  • G06F 9/50 - Allocation of resources, e.g. of the central processing unit [CPU]

12.

UNIFIED NETWORK SERVICE THAT CONNECTS MULTIPLE DISPARATE PRIVATE NETWORKS AND END USER CLIENT DEVICES OPERATING ON SEPARATE NETWORKS

Application Number 18902611
Status Pending
Filing Date 2024-09-30
First Publication Date 2025-01-16
Owner CLOUDFLARE, INC. (USA)
Inventor
  • Wondra, Nicholas Alexander
  • Postelnik, Igor
  • Vanderwater, Michael John
  • Chalmers, Adam Simon
  • Diegues, Nuno Miguel Lourenço
  • Harutyunyan, Arég
  • Heine, Erich Alfred

Abstract

A unified network service that connects multiple disparate private networks and end user client devices operating on separate networks is described. The multiple disparate private networks and end user client devices connect to a distributed cloud computing network that provides routing services, security services, and performance services, and that can be controlled consistently regardless of the connection type. The unified network service provides uniform access control at the L3 layer (e.g., at the IP layer) or at a higher layer using user identity information (e.g., a zero-trust model). The disparate private networks are run on top of the distributed cloud computing network. The virtual routing layer of the distributed cloud computing network allows customers of the service to have private resources visible only to client devices (e.g., user devices of the customer and/or server devices of the customer) of the organization while using address space that potentially overlaps with other customers of the distributed cloud computing network.

IPC Classes

  • H04L 9/40 - Network security protocols
  • H04L 12/46 - Interconnection of networks
  • H04L 67/10 - Protocols in which an application is distributed across nodes in the network

13.

Sequential consistency across a distributed cloud computing network

Application Number 18740932
Grant Number 12182167
Status In Force
Filing Date 2024-06-12
First Publication Date 2024-12-31
Grant Date 2024-12-31
Owner CLOUDFLARE, INC. (USA)
Inventor
  • Mazzola Paluska, Justin
  • Howard, Joshua Tyler
  • Silverlock, Matthew
  • Varda, Kenton Taylor
  • Ton, Vy Nuthuy

Abstract

Sequential consistency across a distributed cloud computing network is described. A database includes a primary database and multiple read replica databases. Write queries are transmitted to the primary database, and commit tokens are provided to the read replica databases and the clients. Commit tokens are included in requests from clients. If a request for a read operation received at a read replica database does not include a token that is later than a commit token of the most recent update to the read replica database, the read replica database performs the read operation. If a request for a read operation received at a read replica database includes a token that is later than a commit token of the most recent update to the read replica database, the read replica database delays servicing the read update until it receives an update from the primary database with an updated commit token.

IPC Classes

  • G06F 16/27 - Replication, distribution or synchronisation of data between databases or within a distributed database system; Distributed database system architectures therefor
  • G06F 16/23 - Updating

14.

EVERYWHERE SECURITY

Application Number 019114923
Status Pending
Filing Date 2024-12-04
Owner CloudFlare, Inc. (USA)
NICE Classes 42 - Scientific, technological and industrial services, research and design

Goods & Services

Provision of security services for computer networks, computer access, and computerized transactions.

15.

Distributed key management system with a key lookup service

Application Number 18433124
Grant Number 12348614
Status In Force
Filing Date 2024-02-05
First Publication Date 2024-11-28
Grant Date 2025-07-01
Owner CLOUDFLARE, INC. (USA)
Inventor
  • Chamorro, Derek
  • Pak, Michael

Abstract

A first intermediate key management system (KMS) server of a distributed KMS receives a key lookup service (KLS) query from a KMS client for determining an identity of KMS server(s) that are capable of performing a first operation with a first managed key. The first intermediate KMS server is one of the intermediate KMS servers of the distributed KMS. The first KMS server determines the identity of one or more of the KMS servers that are capable of performing the first operation with the first managed key. The first KMS server transmits a KLS response to the KMS client that includes the identity of the KMS server(s) that are capable of performing the first operation with the first managed key.

IPC Classes

16.

State management and storage with policy enforcement in a distributed cloud computing network

Application Number 18766015
Grant Number 12395556
Status In Force
Filing Date 2024-07-08
First Publication Date 2024-10-31
Grant Date 2025-08-19
Owner CLOUDFLARE, INC. (USA)
Inventor
  • Varda, Kenton Taylor
  • Robinson, Alex Dwane
  • Hoerner, Brett Joseph
  • Koeninger, Loren Cody
  • Mckeon, Gregory Richard

Abstract

An object worker is instantiated at a compute server of a distributed cloud computing network, where the object worker includes a single instantiation of a piece of code that solely controls reading/writing to an object. An external communication policy is associated with the first object worker. If the external communication policy does not allow the object worker to send communications with the object to an asset that is external to the distributed cloud computing network, the communication is prevented from being sent. If the external communication policy allows the object worker to send communications with the object to the asset that is external to the distributed cloud computing network, the communication is sent from the first object worker to the asset.

IPC Classes

  • H04L 67/1097 - Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
  • H04L 9/40 - Network security protocols
  • H04L 67/01 - Protocols
  • H04L 67/1021 - Server selection for load balancing based on client or server locations

17.

POLICY-BASED BLOCKING OF VULNERABLE SOFTWARE INSTALLATIONS USING A PROXY

Application Number 18190582
Status Pending
Filing Date 2023-03-27
First Publication Date 2024-10-03
Owner CLOUDFLARE, INC. (USA)
Inventor
  • Plunk, Andrew Taylor
  • Aggarwal, Ankur
  • Maceiras, Adrian Mateo
  • Kipp, Jesse

Abstract

A proxy server receives a request from a client network application executing on a client device. The proxy server detects that the request is for a software dependency installation package. The proxy server determines a risk score associated with the software dependency installation package. Based on the risk score associated with the software dependency installation package, the proxy server determines that the software dependency installation package violates a policy. When the software dependency installation package violates the policy, the proxy server blocks the request and stores a log entry in an auditing system including data indicating the blocking of the request.

IPC Classes

  • G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
  • G06F 21/54 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure by adding security routines or objects to programs
  • G06F 21/55 - Detecting local intrusion or implementing counter-measures

18.

SECURING AN APPLICATION OR SERVICE OVER A NETWORK INTERCONNECT USING A DEDICATED EGRESS IP ADDRESS

Application Number 18603722
Status Pending
Filing Date 2024-03-13
First Publication Date 2024-09-19
Owner CLOUDFLARE, INC. (USA)
Inventor
  • Tuber, David Zachary
  • Arnfeld, Thomas Graham
  • Johnson, Kenneth
  • Strickx, Tom
  • Valentine, Lee

Abstract

A first compute server of a distributed cloud computing network receives traffic that is destined for a private application or service running on a server of a customer external of the distributed cloud computing network. That server is connected with the distributed cloud computing network through a network interconnect. One or more policies that are configured for the customer are used to determine whether the traffic is allowed to access the private application or service. The first compute server transmits the traffic to a second compute server of the distributed cloud computing network that has the network interconnect. The second compute server transmits the traffic to the server over the network interconnect using as its source IP address an IP address that is dedicated to the customer.

IPC Classes

19.

IT Infrastructure Resource Discovery and Management For Distributed Networking

Application Number 18597234
Status Pending
Filing Date 2024-03-06
First Publication Date 2024-09-12
Owner Cloudflare, Inc. (USA)
Inventor
  • Naylor, David
  • Carino, Eric
  • Mukerjee, Matthew
  • Standt, Ryan
  • Tovino, Michael
  • Tsai, Meigy
  • Welham, Stephen

Abstract

A method involves receiving, at a Global Resource Catalog (GRC) controller, credentials for one or more target networks within a distributed cloud network. For each target network, the GRC controller uses a respective network access methodology associated with that target network to identify and store a first set of target network resources associated with that network at a GRC database. The GRC controller links or groups a second set of target network resources of the first set of target network resources in the GRC database based on target network resource dependencies determined by the GRC controller. The GRC controller updates the second set of target network resources in the GRC database based on a received event or at a scheduled interval. A distributed cloud network is then updated based on the second set of target network resources stored at the GRC database.

IPC Classes

  • H04L 47/78 - Architectures of resource allocation
  • H04L 9/40 - Network security protocols
  • H04L 41/082 - Configuration setting characterised by the conditions triggering a change of settings the condition being updates or upgrades of network functionality
  • H04L 47/70 - Admission control; Resource allocation

20.

Enforcing security policies in a zero trust security framework using a behavioral score

Application Number 18407009
Grant Number 12278843
Status In Force
Filing Date 2024-01-08
First Publication Date 2024-08-29
Grant Date 2025-04-15
Owner CLOUDFLARE, INC. (USA)
Inventor
  • Sutherland, Edwin Donald
  • Nagoormeera, Sheril

Abstract

A management server retrieves access logs associated with a plurality of identities and generates a plurality of behavioral scores for the plurality of identities. The behavioral score for a particular identity increases responsive to access approvals and decreases responsive to access denials for that particular identity. A proxy server receives a first request to access a resource associated with a first identity of the plurality of identities and determines a zero trust access policy for the resource. When a first behavioral score for the first identity satisfies a behavioral score threshold for the zero trust access policy, the proxy server provides the resource. The proxy server receives a second request to access the resource associated with a second identity. When a second behavioral score for the second identity fails to satisfy the behavioral score threshold, the proxy server performs an action defined in the zero trust access policy.

IPC Classes

21.

DYNAMIC SELECTION OF WHERE TO EXECUTE APPLICATION CODE IN A DISTRIBUTED CLOUD COMPUTING NETWORK

Application Number US2023085572
Publication Number 2024/167587
Status In Force
Filing Date 2023-12-21
Publication Date 2024-08-15
Owner CLOUDFLARE, INC. (USA)
Inventor
  • Hart, Michael
  • Cabral, Alyson
  • Varda, Kenton Taylor

Abstract

A request is received from a client device at a first datacenter of a distributed cloud computing network. The first request triggers execution of code at the distributed cloud computing network. The execution of the code includes transmitting additional requests to destination(s) external to the distributed cloud computing network. A second datacenter of the distributed cloud computing network is selected to execute the code, where the selection is based on an optimization goal. The code is executed at the second datacenter. The first datacenter receives a result from the code being executed at the second datacenter. The first datacenter transmits a response to the client device that is based at least in part on the result.

IPC Classes

  • G06F 9/50 - Allocation of resources, e.g. of the central processing unit [CPU]

22.

Dynamic selection of where to execute application code in a distributed cloud computing network

Application Number 18362721
Grant Number 12314773
Status In Force
Filing Date 2023-07-31
First Publication Date 2024-08-08
Grant Date 2025-05-27
Owner CLOUDFLARE, INC. (USA)
Inventor
  • Hart, Michael
  • Cabral, Alyson
  • Varda, Kenton Taylor

Abstract

A request is received from a client device at a first datacenter of a distributed cloud computing network. The distributed cloud computing network includes multiple datacenters. The received request triggers execution of code at the distributed cloud computing network. The code includes a first function and a second function. A determination is made to execute the first function at the first datacenter and to execute the second function at a second datacenter of the distributed cloud computing network. The first function is executed at the first datacenter to get a first result. The first datacenter causes the second function to be executed at the second datacenter. The first datacenter receives, from the second datacenter, a second result from the execution of the second function. The first datacenter transmits a response to the client device that is based at least in part on the first result and the second result.

IPC Classes

  • G06F 9/50 - Allocation of resources, e.g. of the central processing unit [CPU]

23.

Machine learning based web application firewall

Application Number 18478191
Grant Number 12224987
Status In Force
Filing Date 2023-09-29
First Publication Date 2024-08-01
Grant Date 2025-02-11
Owner CLOUDFLARE, INC. (USA)
Inventor
  • Grover, Vikram
  • Gabor, Petre Gabriel
  • Robert, Nicholas Mikhail

Abstract

A machine learning (ML) based web application firewall (WAF) is described. Transformation(s) are applied to raw data including normalizing and generating a signature over the normalized data. The signature and the normalized data are vectorized to create a first and second vector of integers respectively. The first and second vector of integers are input into an ML model, which outputs a score that indicates a probability of the raw data being of a type that is malicious. A traffic processing rule is enforced that instructs a WAF to block traffic when the score is above a threshold that indicates the raw data is of the type that is malicious.

IPC Classes

  • H04L 9/40 - Network security protocols
  • G06F 30/27 - Design optimisation, verification or simulation using machine learning, e.g. artificial intelligence, neural networks, support vector machines [SVM] or training a model
  • H04L 41/16 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks using machine learning or artificial intelligence

24.

State management and persistent data storage in a distributed cloud computing network

      
Application Number 18401201
Grant Number 12050799
Status In Force
Filing Date 2023-12-29
First Publication Date 2024-07-30
Grant Date 2024-07-30
Owner CLOUDFLARE, INC. (USA)
Inventor
  • Varda, Kenton Taylor
  • Maddern, Glen Patrick
  • Robinson, Alex Dwane

Abstract

A first compute server of a distributed cloud computing network executes an application that controls reading and writing access to associated persistent data. The first compute server performs a write operation to the persistent data on local storage, notifies a piece of code that controls outgoing messages from the application that the write operation is pending, and transmits write information for the write operation to a set of other compute servers. If an acknowledgement of the write information is received from a quorum of the other compute servers, the application notifies the piece of code that the write operation is confirmed. Periodically the write information is transmitted to an external storage system. If a confirmation that the write information has been written is received from the storage system, the first compute server transmits a write confirmation notice to the other compute servers, which can then delete the write information.

IPC Classes

  • G06F 3/06 - Digital input from, or digital output to, record carriers

25.

VERIFICATION OF SELECTED INBOUND ELECTRONIC MAIL MESSAGES

      
Application Number 18623875
Status Pending
Filing Date 2024-04-01
First Publication Date 2024-07-25
Owner CLOUDFLARE, INC. (USA)
Inventor Flester, Michael J.

Abstract

An email verification system is described. The email verification system stores names and associated email addresses. An email is received that has a sender name and a sender email address. If the email verification system determines that the sender name matches a stored name but the sender email address does not match with an email address associated with the stored name, the email is prevented from being transmitted to its recipient unless the email is verified as being legitimate. The email verification system transmits a request to verify the email via a configured verification method. If a response is received that verifies the email as legitimate, the email is delivered; otherwise the email is blocked.

IPC Classes

  • H04L 51/212 - Monitoring or handling of messages using filtering or selective blocking
  • G06F 21/31 - User authentication

26.

SELECTIVE TRAFFIC PROCESSING IN A DISTRIBUTED CLOUD COMPUTING NETWORK

      
Application Number 18433010
Status Pending
Filing Date 2024-02-05
First Publication Date 2024-07-18
Owner CLOUDFLARE, INC. (USA)
Inventor
  • Van Der Mandele, Achiel Paul
  • Reeves, Eric

Abstract

A server receives internet traffic from a client device. The server is one of multiple servers of a distributed cloud computing network which are each associated with a set of server identity(ies) including a server/data center certification identity. The server processes, at layer 3, the internet traffic including participating in a layer 3 DDoS protection service. If the traffic is not dropped by the layer 3 DDoS protection service, further processing is performed. The server determines whether it is permitted to process the traffic at layers 5-7 including whether it is associated with a server/data center certification identity that meets a selected criteria for the destination of the internet traffic. If the server does not meet the criteria, it transmits the traffic to another one of the multiple servers for processing the traffic at layers 5-7.

IPC Classes

  • H04L 9/40 - Network security protocols
  • H04L 67/01 - Protocols
  • H04L 67/288 - Distributed intermediate devices, i.e. intermediate devices for interaction with other intermediate devices on the same level
  • H04L 67/63 - Routing a service request depending on the request content or context
  • H04L 69/325 - Intralayer communication protocols among peer entities or protocol data unit [PDU] definitions in the network layer [OSI layer 3], e.g. X.25

27.

Dynamically Modifying HTTP Connections

      
Application Number 18614278
Status Pending
Filing Date 2024-03-22
First Publication Date 2024-07-11
Owner CLOUDFLARE, INC. (USA)
Inventor Pardue, Lucas

Abstract

A condition exists that triggers an HTTP server to modify one or more HTTP connections for one or more HTTP clients that are connected to the HTTP server. The HTTP server dynamically modifies the one or more HTTP connections including dynamically modifying one or more runtime behaviors for the one or more HTTP connections. For each of the one or more HTTP clients, the HTTP server monitors that HTTP client to determine whether it is complying with the modified one or more runtime behaviors. If one of the one or more HTTP clients is not complying with the modified one or more runtime behaviors, the HTTP server performs a mitigation action on that HTTP client.

IPC Classes

  • H04L 67/142 - Managing session states for stateless protocols; Signalling session states; State transitions; Keeping-state mechanisms
  • H04L 67/02 - Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
  • H04L 67/143 - Termination or inactivation of sessions, e.g. event-controlled end of session

28.

Logging access types based on inserting tenant control headers into requests

      
Application Number 18326811
Grant Number 12034726
Status In Force
Filing Date 2023-05-31
First Publication Date 2024-07-09
Grant Date 2024-07-09
Owner CLOUDFLARE, INC. (USA)
Inventor
  • Maceiras, Adrian Mateo
  • Martin, Andrew Kenneth Godfrey

Abstract

A proxy server receives a first request from a first user to access a resource hosted by a cloud-based server. The proxy server inserts a first tenant control header into the first request specifying a tenant identifier. The tenant identifier indicates a tenant permitted to access the resource. The proxy server then transmits the first request with the inserted first tenant control header to the cloud-based server. In response to receiving a first response indicating a rejection of the first request with the inserted first tenant control header, the proxy server transmits the first request again to the cloud-based server but without the first tenant control header. The proxy server then logs the first request as an access request using a non-permitted tenant identifier.

IPC Classes

29.

PINGORA

      
Serial Number 98632083
Status Registered
Filing Date 2024-07-03
Registration Date 2025-04-08
Owner Cloudflare, Inc.
NICE Classes
  • 09 - Scientific and electric apparatus and instruments
  • 42 - Scientific, technological and industrial services, research and design

Goods & Services

Downloadable software libraries for creating HTTP proxy services, content delivery network (CDN) services, load balancing services, secure tunneling services, and cloud storage services; Downloadable network access server operating software; Computer services, namely, providing HTTP proxy services, content delivery network (CDN) services, network traffic load balancing services, secure tunneling network services, and cloud storage services for electronic data via virtual and non-virtual servers to others

30.

SYSTEM AND METHOD FOR SECURING CLOUD BASED SERVICES

      
Application Number 17909731
Status Pending
Filing Date 2021-03-03
First Publication Date 2024-06-27
Owner CLOUDFLARE, INC (USA)
Inventor
  • Brown, Neil
  • Jefferson, Vernon

Abstract

A cloud security proxy is described that is able to process requests for cloud services in order to validate the requests against specified rules and/or policies. The cloud security proxy provides greater security for cloud-based applications while providing developers with greater flexibility in the choice of development tools while maintaining a strong security posture for the organization.

IPC Classes

31.

ESTABLISHING AND USING A TUNNEL FROM AN ORIGIN SERVER IN A DISTRIBUTED EDGE COMPUTE AND ROUTING SERVICE

      
Application Number 18587091
Status Pending
Filing Date 2024-02-26
First Publication Date 2024-06-13
Owner CLOUDFLARE, INC. (USA)
Inventor
  • Knecht, Dane Orion
  • Graham-Cumming, John
  • Grant, Dani
  • Branch, Christopher Philip
  • Paseka, Tom

Abstract

An edge server of a distributed edge compute and routing service receives a tunnel connection request from a tunnel client residing on an origin server, that requests a tunnel be established between the edge server and the tunnel client. The request identifies the hostname that is to be tunneled. An IP address is assigned for the tunnel. DNS record(s) are added or changed that associate the hostname with the assigned IP address. Routing rules are installed in the edge servers of the distributed edge compute and routing service to reach the edge server for the tunneled hostname. The edge server receives a request for a resource of the tunneled hostname from another edge server that received the request from a client, where the other edge server is not connected to the origin server. The request is transmitted from the edge server to the origin server over the tunnel.

IPC Classes

  • H04L 61/2592 - Translation of Internet protocol [IP] addresses using tunnelling or encapsulation
  • H04L 12/46 - Interconnection of networks
  • H04L 61/4511 - Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]
  • H04L 61/5007 - Internet protocol [IP] addresses
  • H04L 67/01 - Protocols
  • H04L 67/02 - Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
  • H04L 67/10 - Protocols in which an application is distributed across nodes in the network
  • H04L 67/1017 - Server selection for load balancing based on a round robin mechanism
  • H04L 67/1031 - Controlling of the operation of servers by a load balancer, e.g. adding or removing servers that serve requests

32.

MULTI-PARTY SPLIT-KEY AUTHENTICATION

      
Application Number 18527565
Status Pending
Filing Date 2023-12-04
First Publication Date 2024-06-06
Owner CLOUDFLARE, INC. (USA)
Inventor
  • Heilman, Ethan
  • Mugnier, Lucie
  • Goldberg, Sharon
  • Merfeld, John
  • Marcus, Yuval
  • Samborski, Ann Ming
  • Dadireddy, Saicharan

Abstract

Systems and methods are disclosed for performing multi-party, split-key authentication in cryptography. In certain embodiments, a system may comprise a key broker configured to receive a request for a root certificate, generate a secret key based on the request, generate the root certificate based on the secret key, split the secret key into a plurality of shards, provide a first shard of the plurality of shards to an agent, and delete the first shard at the key broker. The key broker may further receive a partially signed client certificate signed with the first shard, generate a fully signed client certificate based on the partially signed client certificate and a second shard of the plurality of shards, and issue the fully signed client certificate.

IPC Classes

  • H04L 9/32 - Arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system
  • H04L 9/08 - Key distribution

33.

PHISHING EMAIL CAMPAIGN IDENTIFICATION

      
Application Number 18433090
Status Pending
Filing Date 2024-02-05
First Publication Date 2024-05-30
Owner CLOUDFLARE, INC (USA)
Inventor Castro, Javier

Abstract

A computer-implemented method, executed by one or more email detection computers, receives from a computer network, a first email message from a first sender account to a first recipient account and having a plurality of attributes. The method determines that the first email message is a phishing email, extracts a subset of attributes, normalizes transformable attributes, and generates a hash representation from fixed attributes and the normalized transformable attributes, stores the hash representation in a database, receives a second email message, and determines that the second email message is a phishing email based on the stored hash representation.

IPC Classes

  • H04L 9/40 - Network security protocols
  • H04L 51/212 - Monitoring or handling of messages using filtering or selective blocking
  • H04L 9/06 - Arrangements for secret or secure communications; Network security protocols; the encryption apparatus using shift registers or memories for blockwise coding, e.g. D.E.S. systems
  • H04L 9/08 - Key distribution
  • H04L 9/32 - Arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system

34.

Network layer performance and security provided by a distributed cloud computing network

      
Application Number 18434031
Grant Number 12294471
Status In Force
Filing Date 2024-02-06
First Publication Date 2024-05-30
Grant Date 2025-05-06
Owner CLOUDFLARE, INC. (USA)
Inventor
  • Wondra, Nicholas Alexander
  • Van Der Mandele, Achiel Paul
  • Forster, Alexander
  • Reeves, Eric
  • Madruga, Joaquin
  • Lalkaka, Rustam Xing
  • Majkowski, Marek Przemyslaw

Abstract

A first computing device of a distributed cloud computing network receives an IP packet that is destined to an origin server of an origin network. The first computing device processes the received IP packet and encapsulates the IP packet inside an outer packet to generate an encapsulated packet, where the outer packet has a source IP address that is advertised as an anycast IP address at the distributed cloud computing network, and a destination IP address of an origin router of the origin network. The encapsulated packet is transmitted to the origin router.

IPC Classes

35.

Identity proxy and access gateway

      
Application Number 18425713
Grant Number 12335263
Status In Force
Filing Date 2024-01-29
First Publication Date 2024-05-23
Grant Date 2025-06-17
Owner CLOUDFLARE, INC. (USA)
Inventor
  • Royal, James Howard
  • Rhea, Samuel Douglas

Abstract

A server transmits to a third-party application a request for a resource that is received from a client. The server receives an authentication request from the client device that has been generated by the third-party application. The server transmits an identity provider selection page to the client device that allows the client device to select an identity provider. The server causes the client device to transmit a second authentication request to a selected identity provider. The server receives an authentication response that was generated by the identity provider that includes the identity of the user. The server enforces access rule(s) including identity-based rule(s) and/or non-identity based rule(s). If the user is permitted to access the third-party application, the server causes an authentication response to be transmitted from the client device to the third-party application that indicates the user has successfully authenticated.

IPC Classes

  • H04L 29/06 - Communication control; Communication processing characterised by a protocol
  • H04L 9/40 - Network security protocols

36.

Isolating internet-of-things (IoT) devices using a secure overlay network

      
Application Number 18407060
Grant Number 12267346
Status In Force
Filing Date 2024-01-08
First Publication Date 2024-05-16
Grant Date 2025-04-01
Owner CLOUDFLARE, INC. (USA)
Inventor
  • Chamorro, Derek
  • Cinnamon, Molly Rose
  • Paseka, Tom
  • Wondra, Nicholas

Abstract

A server of a distributed cloud computing network receives, over a tunnel established between customer-premises equipment (CPE) and the server, traffic from an Internet-of-Things (IoT) device that is connected to the CPE. The server enforces an egress traffic policy to determine whether the traffic is permitted to be transmitted to the destination. If the traffic is not permitted to be transmitted to the destination, the server drops the traffic. If the traffic is permitted to be transmitted to the destination, the server transmits the traffic to the destination.

IPC Classes

37.

Virtual private network (VPN) whose traffic is intelligently routed

      
Application Number 18419265
Grant Number 12328357
Status In Force
Filing Date 2024-01-22
First Publication Date 2024-05-16
Grant Date 2025-06-10
Owner CLOUDFLARE, INC. (USA)
Inventor
  • Branch, Christopher Philip
  • Tripirineni, Naga Sunil
  • Lalkaka, Rustam Xing
  • Wondra, Nick
  • Irtefa, Mohd
  • Prince, Matthew Browning
  • Plunk, Andrew Taylor
  • Yu, Oliver
  • Krasnov, Vlad

Abstract

A request is received from a client device over a Virtual Private Network (VPN) tunnel. The request is received at a first one of a plurality of edge servers of a distributed cloud computing network. A destination of the request is determined and an optimized route for transmitting the request toward an origin server is determined. The optimized route is based at least in part on probe data between edge servers of the distributed cloud computing network. The request is transmitted to a next hop as defined by the optimized route.

IPC Classes

  • H04L 12/721 - Routing procedures, e.g. shortest path routing, source routing, link state routing or distance vector routing
  • H04L 9/40 - Network security protocols
  • H04L 12/46 - Interconnection of networks
  • H04L 29/12 - Arrangements, apparatus, circuits or systems, not covered by a single one of groups characterised by the data terminal
  • H04L 45/02 - Topology update or discovery
  • H04L 67/10 - Protocols in which an application is distributed across nodes in the network
  • H04L 67/63 - Routing a service request depending on the request content or context

38.

THEFT PREVENTION FOR SENSITIVE INFORMATION

      
Application Number 18419307
Status Pending
Filing Date 2024-01-22
First Publication Date 2024-05-16
Owner CLOUDFLARE, INC. (USA)
Inventor
  • Remington, Darren
  • Conrad, Michael
  • Koenig, Killian
  • Sundberg, Trevor
  • Harnett, David

Abstract

Methods, systems, and techniques for application isolation by remote-enabling applications are provided. Example embodiments provide an Adaptive Rendering Application Isolation System (“ARAIS”), which transparently enables applications to run in an isolated execution environment yet be rendered locally in a manner that facilitates preventing theft of sensitive information while allowing users to interact with any third-party application or website via the local environment without overburdening available bandwidth or computational resources by, in some cases, evaluating only select information responsive only to select events, as compared to whitelist/blacklist techniques, monitoring all information provided by the user, or other techniques. The ARAIS typically includes an orchestrator server that comprises one or more of a sensitive-information theft-prevention logic engine, information-theft prevention engines, or a rules engine. These components cooperate to deliver isolation-ready technology with sensitive-information theft prevention to client applications.

IPC Classes

  • G06F 16/957 - Browsing optimisation, e.g. caching or content distillation
  • G06F 9/451 - Execution arrangements for user interfaces
  • G06F 16/958 - Organisation or management of web site content, e.g. publishing, maintaining pages or automatic linking
  • G06F 21/62 - Protecting access to data via a platform, e.g. using keys or access control rules
  • G06F 21/71 - Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
  • G06F 40/14 - Tree-structured documents
  • H04L 67/131 - Protocols for games, networked simulations or virtual reality

39.

BUSINESS EMAIL COMPROMISE DETECTION SYSTEM

      
Application Number 18395400
Status Pending
Filing Date 2023-12-22
First Publication Date 2024-05-02
Owner CLOUDFLARE, INC. (USA)
Inventor
  • Batchu, Umalatha
  • Zeppenfeld, Torsten
  • Darche, Blake
  • Syme, Philip

Abstract

An email is received that is from an email sender. From the email, the display name of the email sender, an email address of the email sender, and an email domain of the email sender are extracted. A score is determined for the email based on at least: the extracted display name of the email sender, the extracted email address of the email sender, and the extracted email domain of the email sender, where the score indicates a probability that the email is from a legitimate sender. Message content of the email is input into multiple classifiers each corresponding to a particular message type. The message type of the email is determined based on output of the classifiers. Based on at least the determined score for the email and the determined message type of the email, a determination is made whether the email is associated with a BEC attack.

IPC Classes

  • G06Q 10/107 - Computer-aided management of electronic mailing [e-mailing]
  • G06F 40/205 - Parsing
  • G06N 7/01 - Probabilistic graphical models, e.g. probabilistic networks
  • G06Q 30/018 - Certifying business or products
  • G06Q 40/02 - Banking, e.g. interest calculation or account maintenance
  • H04L 9/40 - Network security protocols

40.

Persisting encrypted remote browser data at a local browser for use in a remote browser

      
Application Number 18318146
Grant Number 12105829
Status In Force
Filing Date 2023-05-16
First Publication Date 2024-04-18
Grant Date 2024-10-01
Owner CLOUDFLARE, INC. (USA)
Inventor
  • Claeys, Joshua Thomas
  • Buzbee, Benjamin
  • Cauchois, Pierre
  • Koenig, Killian
  • Sundberg, Trevor

Abstract

A remote browsing session is initiated between a remote browser client executing on a client device and a remote browser host executing on a remote browser server. The remote browser host receives from the client device, encrypted remote browser data of remote browser data that affects the remote browser session. The remote browser client does not have access to a decryption key for the encrypted remote browser data. The encrypted remote browser data is decrypted to reveal the remote browser data. The remote browser host is configured with the remote browser data. The remote browser host manages updates to the remote browser data during the remote browsing session. Periodically, updates to the remote browser data are encrypted and transmitted to the remote browser client for storage.

IPC Classes

  • G06F 21/62 - Protecting access to data via a platform, e.g. using keys or access control rules
  • H04L 9/40 - Network security protocols
  • H04L 67/146 - Markers for unambiguous identification of a particular session, e.g. session cookie or URL-encoding

41.

Selection of an egress IP address for egress traffic of a distributed cloud computing network

      
Application Number 18392521
Grant Number 12273316
Status In Force
Filing Date 2023-12-21
First Publication Date 2024-04-18
Grant Date 2025-04-08
Owner CLOUDFLARE, INC. (USA)
Inventor
  • Majkowski, Marek Przemyslaw
  • Ehrat, Braden Michael
  • Isasi, Sergi
  • Knecht, Dane Orion
  • Kozlov, Dina
  • Lalkaka, Rustam Xing
  • Reeves, Eric
  • Yu, Oliver Zi-Gang

Abstract

A map of IP addresses of a distributed cloud computing network to one or more groupings is stored. The IP addresses are anycast IP addresses for which compute servers of the distributed cloud computing network share. These IP addresses are to be used as source IP addresses when transmitting traffic to destinations external to the cloud computing network. The map is made available to external destinations. Traffic is received at the distributed cloud computing network that is destined to an external destination. An IP address is selected based on the characteristic(s) applicable for the traffic and the map. The distributed cloud computing network transmits the traffic to the external destination using the selected IP address.

IPC Classes

42.

Cloud computing platform that executes code in a distributed cloud computing network

      
Application Number 18393385
Grant Number 12248792
Status In Force
Filing Date 2023-12-21
First Publication Date 2024-04-18
Grant Date 2025-03-11
Owner CLOUDFLARE, INC. (USA)
Inventor
  • Varda, Kenton Taylor
  • Bloom, Zachary Aaron
  • Majkowski, Marek Przemyslaw
  • Stepanyan, Ingvar
  • Kloepper, Kyle
  • Knecht, Dane Orion
  • Graham-Cumming, John
  • Grant, Dani

Abstract

A compute server receives a request that triggers execution of a code piece out of multiple code pieces. A single process at the compute server executes the code piece, which is run in an isolated execution environment. Each other code piece runs in its own isolated execution environment and is executed by the same single process. The code piece, when executed, modifies a response to the request. The response is generated based at least in part on the executed code piece. The generated response is transmitted.

IPC Classes

  • G06F 9/448 - Execution paradigms, e.g. implementations of programming paradigms
  • G06F 9/455 - Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
  • G06F 21/53 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure by executing in a restricted environment, e.g. sandbox or secure virtual machine
  • H04L 9/40 - Network security protocols
  • H04L 41/50 - Network service management, e.g. ensuring proper service fulfilment according to agreements
  • H04L 67/00 - Network arrangements or protocols for supporting network services or applications
  • H04L 67/02 - Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
  • H04L 67/10 - Protocols in which an application is distributed across nodes in the network
  • H04L 67/53 - Network services using third party service providers
  • H04L 67/63 - Routing a service request depending on the request content or context

43.

Cache purging in a distributed networked system

      
Application Number 18482707
Grant Number 11960407
Status In Force
Filing Date 2023-10-06
First Publication Date 2024-04-16
Grant Date 2024-04-16
Owner CLOUDFLARE, INC. (USA)
Inventor
  • Abd Al Hadi, Zaidoon
  • Harwood, Connor
  • Krivit, Alex
  • Shugaeva, Samantha Aki
  • Siloti, Steven Alexander

Abstract

Purging resources from a cache in a distributed networked system is described. A first data center of the distributed networked system receives a purge request to purge a resource from cache. If the purge request does not include a cache key, the first data center determines whether the purge request is valid, and if valid, purges the resource from cache of the first data center, generates a cache key for the resource, and causes the purge request that includes the generated cache key to be sent to other data centers of the distributed networked system for purging the resource from cache. If the purge request includes a cache key, the first data center skips determining whether the purge request is valid and purges the resource from cache based on the cache key.

IPC Classes

  • G06F 12/08 - Addressing or allocation; Relocation in hierarchically structured memory systems, e.g. virtual memory systems
  • G06F 12/0891 - Addressing of a memory level in which the access to the desired data or data block requires associative addressing means, e.g. caches using clearing, invalidating or resetting means
  • G06F 12/14 - Protection against unauthorised use of memory

44.

Authoritative Domain Name System (DNS) Server Responding to DNS Requests With IP Addresses Selected from a Larger Pool Of IP Addresses

      
Application Number 18508122
Status Pending
Filing Date 2023-11-13
First Publication Date 2024-04-11
Owner CLOUDFLARE, INC. (USA)
Inventor
  • Holloway, Lee Hahn
  • Rao, Srikanth N.
  • Prince, Matthew Browning
  • Tourne, Matthieu Philippe François
  • Pye, Ian Gerald
  • Bejjani, Ray Raymond
  • Rodery, Jr., Terry Paul

Abstract

An authoritative domain name system (DNS) server receives DNS requests for domains. The authoritative DNS server transmits DNS responses to the DNS requests with address records that include IP addresses that are selected from a larger pool of IP addresses, where a first DNS response can include IP addresses different from IP addresses included in a second DNS response for the same domain. Also, the same IP addresses may be returned for a first domain and a different, second domain. The authoritative DNS server may select the IP addresses to include in DNS responses to the DNS requests using a round-robin process.

IPC Classes

  • H04L 9/40 - Network security protocols
  • G06F 21/55 - Detecting local intrusion or implementing counter-measures
  • G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities

45.

DISTRIBUTED KEY MANAGEMENT SYSTEM

      
Application Number 18321694
Status Pending
Filing Date 2023-05-22
First Publication Date 2024-04-04
Owner CLOUDFLARE, INC. (USA)
Inventor
  • Chamorro, Derek
  • Pak, Michael
  • Korchagin, Ignat
  • Robinson, Chase

Abstract

A distributed key management system (KMS) includes a central KMS server and multiple intermediate KMS servers. The central KMS server replicates managed keys to the intermediate KMS servers. An intermediate KMS server receives a KMS service request from a KMS client, where any of the intermediate KMS servers are capable of servicing the request. The intermediate KMS server performs the action requested if it has access to the necessary managed key and returns the response to the KMS client. If it does not have access to the necessary managed key, the intermediate KMS server transmits a request for the managed key to the central KMS server. The intermediate KMS server receives the managed key, performs the action requested, and returns the response to the KMS client.

IPC Classes

46.

Isolating suspicious links in email messages

      
Application Number 18361564
Grant Number 11949707
Status In Force
Filing Date 2023-07-28
First Publication Date 2024-04-02
Grant Date 2024-04-02
Owner CLOUDFLARE, INC. (USA)
Inventor
  • Syme, Philip
  • Chen, Michelle
  • Eckman, Jeremy Michael
  • Flester, Michael J.
  • Mohan, Shalabh
  • Obezuk, Timothy

Abstract

Isolating suspicious email links is described. An email security service receives an email that includes a link that refers to an external resource. A first suspicious link determination is performed to determine whether the link is suspicious. If the link is suspicious, the link is rewritten to refer to the email security service and the email is delivered to the recipient. A request from a client device is received responsive to the link being opened. A second suspicious link determination is performed to determine whether the link is suspicious. If the link is suspicious, an interstitial page is transmitted to the client device that includes an option that, when selected, causes the original link to be opened in a remote browser isolation session.

IPC Classes

47.

Cloud-based security service that includes external evaluation for accessing a third-party application

      
Application Number 18527887
Grant Number 12363174
Status In Force
Filing Date 2023-12-04
First Publication Date 2024-03-28
Grant Date 2025-07-15
Owner CLOUDFLARE, INC. (USA)
Inventor Royal, James Howard

Abstract

A cloud-based security service that includes external evaluation for accessing a third-party application. The security service receives a request to access a third-party application from a client device. The security service enforces a set of one or more access policies configured for the third-party application including an external evaluation rule. As part of enforcing the external evaluation rule, the security service transmits an external evaluation request to an external endpoint defined in the external evaluation rule. The external evaluation request includes an identity of a user associated with the request. The security service receives the result of the external evaluation. If the external evaluation passed, the security service grants access to the third-party application based at least in part on its passing.

48.

Identity-Based Policy Enforcement for SIM Devices

      
Application Number 18474819
Status Pending
Filing Date 2023-09-26
First Publication Date 2024-03-28
Owner CLOUDFLARE, INC. (USA)
Inventor
  • Silverlock, Matthew
  • Ehrig, Christian
  • Yu, Oliver Zi-Gang
  • Wondra, Nicholas Alexander
  • Mota, Catarina Pires

Abstract

Traffic is received at a distributed cloud computing network. The traffic originates from a computing device using a mobile data connection. The traffic is associated with an identifier that identifies a SIM of the computing device. Using the SIM identifier, an identity for identity-based policy enforcement at the distributed cloud computing network is determined. The identity is uniquely associated with the SIM identifier. An identity-based policy that is applicable for the received traffic for the determined identity is determined. The identity-based policy is enforced.

IPC Classes

  • H04W 8/26 - Network addressing or numbering for mobility support
  • H04W 8/18 - Processing of user or subscriber data, e.g. subscribed services, user preferences or user profiles; Transfer of user or subscriber data
  • H04W 12/08 - Access security
  • H04W 12/72 - Subscriber identity

49.

Dynamically modifying HTTP connections

      
Application Number 18148352
Grant Number 11943308
Status In Force
Filing Date 2022-12-29
First Publication Date 2024-03-26
Grant Date 2024-03-26
Owner CLOUDFLARE, INC. (USA)
Inventor Pardue, Lucas

Abstract

A condition exists that triggers an HTTP server to modify one or more HTTP connections for one or more HTTP clients that are connected to the HTTP server. The HTTP server dynamically modifies the one or more HTTP connections including dynamically modifying one or more HTTP connection resource parameters for the one or more HTTP connections. For each of the one or more HTTP clients, the HTTP server monitors that HTTP client to determine whether it is complying with the modified one or more HTTP connection resource parameters. If one of the one or more HTTP clients is not complying with the modified one or more HTTP connection resource parameters, the HTTP server closes an HTTP connection to that HTTP client.

IPC Classes

  • H04L 67/142 - Managing session states for stateless protocols; Signalling session states; State transitions; Keeping-state mechanisms
  • H04L 67/02 - Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
  • H04L 67/143 - Termination or inactivation of sessions, e.g. event-controlled end of session

50.

SECURE PRIVATE TRAFFIC EXCHANGE IN A UNIFIED NETWORK SERVICE

      
Application Number 18521351
Status Pending
Filing Date 2023-11-28
First Publication Date 2024-03-21
Owner CLOUDFLARE, INC. (USA)
Inventor Wondra, Nicholas Alexander

Abstract

Traffic is received at an interface of a compute server. Identity information associated with the traffic is determined, including an identifier of a first customer to which the traffic is attributable. An egress policy configured for the first customer is used to determine whether the traffic is allowed to be transmitted to a destination, where that destination is a resource of a second customer. If the traffic is allowed to be transmitted, the traffic and identity information are transmitted over a cross-customer GRE tunnel to a namespace of the second customer on the compute server. An ingress policy configured for the second customer is used to determine whether the traffic is allowed to be transmitted to the destination, and if it is, the traffic is transmitted.

IPC Classes

  • H04L 9/40 - Network security protocols
  • H04L 12/46 - Interconnection of networks
  • H04L 67/10 - Protocols in which an application is distributed across nodes in the network

51.

State management and object storage in a distributed cloud computing network

      
Application Number 18508201
Grant Number 12284247
Status In Force
Filing Date 2023-11-13
First Publication Date 2024-03-14
Grant Date 2025-04-22
Owner CLOUDFLARE, INC. (USA)
Inventor
  • Varda, Kenton Taylor
  • Kloepper, Kyle

Abstract

A first compute server of a distributed cloud computing network receives a request from a first client device for an object to be handled by an object worker that includes a single instantiation of a piece of code that solely controls reading and writing access to the first object. A determination is made that the object worker is instantiated for the object and is currently running in the first compute server, and the piece of code processes the first request. The first compute server receives a message to be processed by the first object worker from a second compute server. The message includes a second request for the object from a second client device connected to the second compute server. The piece of code processes the message and transmits a reply to the second compute server.

IPC Classes

  • H04L 67/1095 - Replication or mirroring of data, e.g. scheduling or transport for data synchronisation between network nodes
  • H04L 67/00 - Network arrangements or protocols for supporting network services or applications
  • H04L 67/01 - Protocols

52.

Miscellaneous Design

      
Application Number 1780245
Status Registered
Filing Date 2024-01-08
Registration Date 2024-01-08
Owner Cloudflare, Inc. (USA)
NICE Classes
  • 09 - Scientific and electric apparatus and instruments
  • 42 - Scientific, technological and industrial services, research and design

Goods & Services

Computer software and firmware for monitoring and controlling online traffic to computer servers; computer software for wireless content delivery; computer anti-virus software. Computer security services in the nature of providing authentication, issuance, validation and revocation of digital certificates; computer security services, namely, restricting unauthorized access to computer networks; computer services, namely, monitoring, testing, analyzing, and reporting on the internet traffic control and content control of the web sites of others; computer virus protection services; data conversion of computer program data or information, other than physical conversion; data conversion of electronic information; parking domain names for others, namely, providing computer servers for electronic storage of domain name addresses.

53.

Traffic load balancing between a plurality of points of presence of a cloud computing infrastructure

      
Application Number 18516543
Grant Number 12395377
Status In Force
Filing Date 2023-11-21
First Publication Date 2024-03-14
Grant Date 2025-08-19
Owner CLOUDFLARE, INC. (USA)
Inventor
  • Wragg, David Paul
  • Guðmundsson, Ólafur
  • Bauer, Lorenz Mathias
  • Fabre, Arthur
  • Majkowski, Marek Przemyslaw

Abstract

Methods and systems of traffic load balancing between a plurality of Points of Presence (PoPs) of a cloud computing infrastructure are described. A first PoP of multiple PoPs of a cloud computing infrastructure that provides a cloud computing service receives a packet. The packet includes as a destination address an anycast address advertised by the first PoP for reaching the cloud computing service. The first PoP identifies a network address of a second PoP that is different from the first PoP. The first PoP forwards the packet as an encapsulated packet to the second PoP to be processed in the second PoP according to the cloud computing service.

IPC Classes

  • H04L 67/1008 - Server selection for load balancing based on parameters of servers, e.g. available memory or workload
  • H04L 45/00 - Routing or path finding of packets in data switching networks
  • H04L 47/122 - Avoiding congestion; Recovering from congestion by diverting traffic away from congested entities
  • H04L 67/1001 - Protocols in which an application is distributed across nodes in the network for accessing one among a plurality of replicated servers

54.

Phishing email campaign identification

      
Application Number 17574443
Grant Number 11895151
Status In Force
Filing Date 2022-01-12
First Publication Date 2024-02-06
Grant Date 2024-02-06
Owner CLOUDFLARE, INC. (USA)
Inventor Castro, Javier

Abstract

A computer-implemented method, executed by one or more email detection computers, receives from a computer network a first email message from a first sender account to a first recipient account, the first email message having a plurality of attributes. The method determines that the first email message is a phishing email, extracts a subset of the attributes, normalizes the transformable attributes, generates a hash representation from the fixed attributes and the normalized transformable attributes, stores the hash representation in a database, receives a second email message, and determines that the second email message is a phishing email based on the stored hash representation.

IPC Classes

  • H04L 9/40 - Network security protocols
  • H04L 51/212 - Monitoring or handling of messages using filtering or selective blocking
  • H04L 9/32 - Arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system
  • H04L 9/08 - Key distribution
  • H04L 9/06 - Arrangements for secret or secure communications; Network security protocols; the encryption apparatus using shift registers or memories for blockwise coding, e.g. D.E.S. systems

55.

Distributed key management system with a key lookup service

      
Application Number 18322265
Grant Number 11895227
Status In Force
Filing Date 2023-05-23
First Publication Date 2024-02-06
Grant Date 2024-02-06
Owner CLOUDFLARE, INC. (USA)
Inventor
  • Chamorro, Derek
  • Pak, Michael

Abstract

A first intermediate key management system (KMS) server of a distributed KMS receives a key lookup service (KLS) query from a KMS client for determining an identity of KMS server(s) that are capable of performing a first operation with a first managed key. The first intermediate KMS server is one of the intermediate KMS servers of the distributed KMS. The first KMS server determines the identity of one or more of the KMS servers that are capable of performing the first operation with the first managed key. The first KMS server transmits a KLS response to the KMS client that includes the identity of the KMS server(s) that are capable of performing the first operation with the first managed key.

56.

Inter-process serving of machine learning features from mapped memory for machine learning models

      
Application Number 18359818
Grant Number 11875151
Status In Force
Filing Date 2023-07-26
First Publication Date 2024-01-16
Grant Date 2024-01-16
Owner CLOUDFLARE, INC. (USA)
Inventor Bocharov, Oleksandr

Abstract

Inter-process serving of machine learning features from mapped memory for machine learning models is described. ML features are populated in a data structure that is serialized. State data is stored that indicates that reader process(es) are to read from a first memory mapped data file and not a second memory mapped data file. The serialized bytes are stored in the second memory mapped data file and the state data is updated to indicate that the reader process(es) are to read from the second memory mapped data file. A request is received and parsed to prepare keys from attributes of the request. Based on the state data, the serialized bytes are read from the second memory mapped data file that correspond to the keys. The serialized bytes are deserialized and copied to a data structure available to an inference algorithm.

IPC Classes

  • G06F 9/50 - Allocation of resources, e.g. of the central processing unit [CPU]
  • G06F 9/30 - Arrangements for executing machine instructions, e.g. instruction decode

57.

Enforcing security policies in a zero trust security framework using a behavioral score

      
Application Number 18175815
Grant Number 11870818
Status In Force
Filing Date 2023-02-28
First Publication Date 2024-01-09
Grant Date 2024-01-09
Owner CLOUDFLARE, INC. (USA)
Inventor
  • Sutherland, Edwin Donald
  • Nagoormeera, Sheril

Abstract

A management server retrieves access logs associated with a plurality of identities and generates a plurality of behavioral scores for the plurality of identities. The behavioral score for a particular identity increases responsive to access approvals and decreases responsive to access denials for that particular identity. A proxy server receives a first request to access a resource associated with a first identity of the plurality of identities and determines a zero trust access policy for the resource. When a first behavioral score for the first identity satisfies a behavioral score threshold for the zero trust access policy, the proxy server provides the resource. The proxy server receives a second request to access the resource associated with a second identity. When a second behavioral score for the second identity fails to satisfy the behavioral score threshold, the proxy server performs an action defined in the zero trust access policy.

58.

ORANGE CLOUD DESIGN

      
Application Number 231552000
Status Pending
Filing Date 2024-01-08
Owner Cloudflare, Inc. (USA)
NICE Classes
  • 09 - Scientific and electric apparatus and instruments
  • 42 - Scientific, technological and industrial services, research and design

Goods & Services

(1) Computer software and firmware for monitoring and controlling online traffic to computer servers; computer software for wireless content delivery; computer anti-virus software. (1) Computer security services in the nature of providing authentication, issuance, validation and revocation of digital certificates; computer security services, namely, restricting unauthorized access to computer networks; computer services, namely, monitoring, testing, analyzing, and reporting on the internet traffic control and content control of the web sites of others; computer virus protection services; data conversion of computer program data or information, other than physical conversion; data conversion of electronic information; parking domain names for others, namely, providing computer servers for electronic storage of domain name addresses.

59.

CLOUDFLARE

      
Serial Number 98335888
Status Registered
Filing Date 2023-12-29
Registration Date 2024-09-17
Owner Cloudflare, Inc.
NICE Classes 38 - Telecommunications services

Goods & Services

Providing virtual private network (VPN) services, namely, private and secure electronic communications over a private or public computer network; Providing secure and private access for users to the internet; Providing electronic telecommunication connections to enable users of computers and mobile computing devices to securely connect to a remote server in order to allow for secure and private transmission and receipt of data and communications over the internet; Electronic data transmission; Electronic transmission of data through a secure and private connection over the internet featuring encryption; Providing user access to global computer networks; Computer network services, namely, providing network communication services in the nature of transmission of voice, audio, visual images and data by data networks and providing access to global computer networks

60.

Miscellaneous Design

      
Serial Number 98335949
Status Registered
Filing Date 2023-12-29
Registration Date 2024-09-17
Owner Cloudflare, Inc.
NICE Classes 38 - Telecommunications services

Goods & Services

Providing virtual private network (VPN) services, namely, private and secure electronic communications over a private or public computer network; Providing secure and private access for users to the internet; Providing electronic telecommunication connections to enable users of computers and mobile computing devices to securely connect to a remote server in order to allow for secure and private transmission and receipt of data and communications over the internet; Electronic data transmission; Electronic transmission of data through a secure and private connection over the internet featuring encryption; Providing user access to global computer networks; Computer network services, namely, providing network communication services in the nature of transmission of voice, audio, visual images and data by data networks and providing access to global computer networks; Peer-to-peer network computer services, namely, electronic transmission of audio, video, data, and documents among computers

61.

Cloud-based security service that includes external evaluation for accessing a third-party application

      
Application Number 17936572
Grant Number 11838327
Status In Force
Filing Date 2022-09-29
First Publication Date 2023-12-05
Grant Date 2023-12-05
Owner CLOUDFLARE, INC. (USA)
Inventor Royal, James Howard

Abstract

A cloud-based security service that includes external evaluation for accessing a third-party application. The security service receives a request to access a third-party application from a client device. The security service enforces a set of one or more access policies configured for the third-party application including an external evaluation rule. As part of enforcing the external evaluation rule, the security service transmits an external evaluation request to an external endpoint defined in the external evaluation rule. The external evaluation request includes an identity of a user associated with the request. The security service receives the result of the external evaluation. If the external evaluation passed, the security service grants access to the third-party application based at least in part on its passing.

62.

WEB BROWSER REMOTING ACROSS A NETWORK USING DRAW COMMANDS

      
Application Number 18355587
Status Pending
Filing Date 2023-07-20
First Publication Date 2023-11-16
Owner CLOUDFLARE, INC. (USA)
Inventor
  • Sundberg, Trevor
  • Koenig, Killian
  • Remington, Darren
  • Buzbee, Benjamin
  • Conrad, Michael
  • Harnett, David

Abstract

A server receives from a client device that is executing a web browser application a request to initiate a remote application in the server. The server instantiates an instance of the remote application. The server intercepts draw commands associated with the remote application instance. The server provides the draw commands to the client to cause the web browser application to render portion(s) of output based on the draw commands. The server receives an input event from the web browser application. The server provides the client one or more draw commands based on the input event to cause the web browser application to render portion(s) of output based on those draw commands.

IPC Classes

  • G06F 16/957 - Browsing optimisation, e.g. caching or content distillation
  • G06F 16/958 - Organisation or management of web site content, e.g. publishing, maintaining pages or automatic linking
  • G06F 21/62 - Protecting access to data via a platform, e.g. using keys or access control rules
  • G06F 21/71 - Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
  • G06F 9/451 - Execution arrangements for user interfaces
  • G06F 40/14 - Tree-structured documents
  • H04L 67/131 - Protocols for games, networked simulations or virtual reality

63.

Remoting application across a network using draw commands with an isolator application

      
Application Number 18333285
Grant Number 12093429
Status In Force
Filing Date 2023-06-12
First Publication Date 2023-10-26
Grant Date 2024-09-17
Owner CLOUDFLARE, INC. (USA)
Inventor
  • Buzbee, Benjamin
  • Koenig, Killian
  • Sundberg, Trevor
  • Conrad, Michael
  • Remington, Darren
  • Harnett, David

Abstract

A client device instantiates an isolator application. A request to instantiate a remote application in a server device is sent by the isolator application instance. The isolator application instance receives, from the remote application instance, draw commands and position information that correspond to the draw commands. The isolator application instance renders one or more portions of output based on the draw commands and the position information.

IPC Classes

  • G06F 21/62 - Protecting access to data via a platform, e.g. using keys or access control rules
  • G06F 11/36 - Prevention of errors by analysis, debugging or testing of software
  • G06F 21/53 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure by executing in a restricted environment, e.g. sandbox or secure virtual machine
  • G06F 21/71 - Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
  • H04L 9/40 - Network security protocols

64.

APPLICATION REMOTING ACROSS A NETWORK USING DRAW COMMANDS

      
Application Number 18338045
Status Pending
Filing Date 2023-06-20
First Publication Date 2023-10-19
Owner CLOUDFLARE, INC. (USA)
Inventor
  • Remington, Darren
  • Sundberg, Trevor
  • Koenig, Killian
  • Buzbee, Benjamin
  • Conrad, Michael
  • Harnett, David

Abstract

A server receives from a client device that is executing a client application a request to initiate a remote application in the server. The server instantiates an instance of the remote application. The server intercepts draw commands associated with the remote application instance. The server provides the draw commands to the client to cause the client application to render portion(s) of output based on the draw commands. The server receives an input event from the client application. The server provides the client one or more draw commands based on the input event to cause the client application to render portion(s) of output based on those draw commands.

IPC Classes

  • G06F 16/957 - Browsing optimisation, e.g. caching or content distillation
  • G06F 16/958 - Organisation or management of web site content, e.g. publishing, maintaining pages or automatic linking
  • G06F 21/62 - Protecting access to data via a platform, e.g. using keys or access control rules
  • G06F 21/71 - Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
  • G06F 9/451 - Execution arrangements for user interfaces
  • G06F 40/14 - Tree-structured documents
  • H04L 67/131 - Protocols for games, networked simulations or virtual reality

65.

Machine learning based web application firewall

      
Application Number 18161719
Grant Number 11792162
Status In Force
Filing Date 2023-01-30
First Publication Date 2023-10-17
Grant Date 2023-10-17
Owner CLOUDFLARE, INC. (USA)
Inventor
  • Grover, Vikram
  • Gabor, Petre Gabriel
  • Robert, Nicholas Mikhail

Abstract

A machine learning (ML) based web application firewall (WAF) is described. Transformation(s) are applied to raw data including normalizing and generating a signature over the normalized data. The signature and the normalized data are vectorized to create a first and second vector of integers that are input into an ML model that includes a first stage that operates on the first vector of integers to identify candidate signature tokens that are commonly associated with different classes of attack, and a second stage that operates on the candidate signature tokens and the second vector of integers and conditions attention on the second vector of integers on the candidate signature tokens. The ML model outputs a score that indicates a probability of the raw data being of a type that is malicious. A traffic processing rule is enforced that instructs a WAF to block traffic when the score is above a threshold.

IPC Classes

  • H04L 9/40 - Network security protocols
  • G06F 30/27 - Design optimisation, verification or simulation using machine learning, e.g. artificial intelligence, neural networks, support vector machines [SVM] or training a model
  • H04L 41/16 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks using machine learning or artificial intelligence

66.

Method and system for determining a path maximum transmission unit (MTU) between endpoints of a generic routing encapsulation (GRE) tunnel

      
Application Number 18333297
Grant Number 12107768
Status In Force
Filing Date 2023-06-12
First Publication Date 2023-10-12
Grant Date 2024-10-01
Owner CLOUDFLARE, INC. (USA)
Inventor
  • Wondra, Nicholas Alexander
  • Heine, Erich Alfred
  • Zhai, Yan

Abstract

A method of path MTU determination in a Generic Routing Encapsulation (GRE) tunnel is presented. A source network device (ND) transmits, to a destination ND that is a second endpoint of the GRE tunnel, a first outer packet including a first inner packet, where the first inner packet includes a first inner header that is used to deliver the first inner packet back to the source ND, a first inner GRE header, and a first payload. The source ND receives the first inner packet. The source ND transmits a second outer packet including a second inner packet that includes a second payload that has a size greater than the size of the first payload. The source ND determines that the second inner packet is not received and determines a path MTU between the source ND and the destination ND based on the sizes of the first and the second outer packets.

IPC Classes

  • H04L 47/36 - Flow control; Congestion control by determining packet size, e.g. maximum transfer unit [MTU]
  • H04L 12/46 - Interconnection of networks

67.

Methods and apparatuses for providing internet-based proxy services

      
Application Number 18333319
Grant Number 12323395
Status In Force
Filing Date 2023-06-12
First Publication Date 2023-10-12
Grant Date 2025-06-03
Owner CLOUDFLARE, INC. (USA)
Inventor
  • Holloway, Lee Hahn
  • Prince, Matthew Browning
  • Pye, Ian Gerald
  • Tourne, Matthieu Philippe François
  • Zatlyn, Michelle Marie

Abstract

A proxy server receives, from multiple visitors of multiple client devices, a plurality of requests for actions to be performed on identified network resources belonging to a plurality of origin servers. At least some of the origin servers belong to different domains and are owned by different entities. The proxy server and the origin servers are also owned by different entities. The proxy server analyzes each request it receives to determine whether that request poses a threat and whether the visitor belonging to the request poses a threat. The proxy server blocks those requests from visitors that pose a threat or in which the request itself poses a threat. The proxy server transmits the requests that are not a threat and are from a visitor that is not a threat to the appropriate origin server.

IPC Classes

  • G06F 21/00 - Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
  • G06F 15/16 - Combinations of two or more digital computers each having at least an arithmetic unit, a program unit and a register, e.g. for a simultaneous processing of several programs
  • G06F 16/95 - Retrieval from the web
  • G06F 16/958 - Organisation or management of web site content, e.g. publishing, maintaining pages or automatic linking
  • G06F 21/55 - Detecting local intrusion or implementing counter-measures
  • G06F 40/14 - Tree-structured documents
  • G06F 40/143 - Markup, e.g. Standard Generalized Markup Language [SGML] or Document Type Definition [DTD]
  • G06Q 10/107 - Computer-aided management of electronic mailing [e-mailing]
  • G06Q 30/0241 - Advertisements
  • G06Q 30/0251 - Targeted advertisements
  • H04L 9/40 - Network security protocols
  • H04L 47/74 - Admission control; Resource allocation measures in reaction to resource unavailability
  • H04L 51/42 - Mailbox-related aspects, e.g. synchronisation of mailboxes
  • H04L 61/4511 - Network directories; Name-to-address mapping using standardised directories; Network directories; Name-to-address mapping using standardised directory access protocols using domain name system [DNS]
  • H04L 61/5007 - Internet protocol [IP] addresses
  • H04L 67/02 - Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
  • H04L 67/146 - Markers for unambiguous identification of a particular session, e.g. session cookie or URL-encoding
  • H04L 67/56 - Provisioning of proxy services
  • H04L 67/561 - Adding application-functional data or data for application control, e.g. adding metadata
  • H04L 67/568 - Storing data temporarily at an intermediate stage, e.g. caching
  • H04L 69/40 - Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass for recovering from a failure of a protocol instance or entity, e.g. service redundancy protocols, protocol state redundancy or protocol service redirection
  • H04L 61/59 - Network arrangements, protocols or services for addressing or naming using proxies for addressing

68.

Establishing a cryptographic tunnel between a first tunnel endpoint and a second tunnel endpoint where a private key used during the tunnel establishment is remotely located from the second tunnel endpoint

      
Application Number 18333333
Grant Number 11949776
Status In Force
Filing Date 2023-06-12
First Publication Date 2023-10-12
Grant Date 2024-04-02
Owner CLOUDFLARE, INC. (USA)
Inventor
  • Ladd, Watson Bernard
  • Krasnov, Vladislav

Abstract

A responder device receives, from an initiator device, a request to initiate a cryptographic tunnel between the initiator device and the responder device. The responder device does not include a static private key to be used in an asymmetric cryptography algorithm when establishing the tunnel. The responder device transmits a request to a key server that has access to the static private key and receives a response that is based on at least a result of at least one cryptographic operation using the static private key. The responder device receives from the key server, or generates, a transport key(s) for the responder device to use for sending and receiving data on the cryptographic tunnel. The responder device transmits a response to the initiator device that includes information for the initiator device to generate a transport key(s) that it is to use for sending and receiving data on the cryptographic tunnel.

IPC Classes

  • H04L 29/06 - Communication control; Communication processing characterised by a protocol
  • H04L 9/08 - Key distribution
  • H04L 9/32 - Arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system
  • H04L 12/46 - Interconnection of networks

69.

HYPERDRIVE

Serial Number 98202663
Status Registered
Filing Date 2023-09-28
Registration Date 2024-11-26
Owner Cloudflare, Inc.
NICE Classes 42 - Scientific, technological and industrial services, research and design

Goods & Services

Providing online non-downloadable computer software platforms for database optimization and acceleration, namely, enabling third party cloud computing applications to cache database data queries; Providing temporary use of online non-downloadable software development tools for database optimization and acceleration, namely, providing database connection pooling for third-party cloud computing applications; Software as a service (SAAS) services featuring software for use in database optimization and acceleration, namely, caching database data queries in a cloud computing environment and for managing database connection pools

70.

Unified network service that connects multiple disparate private networks and end user client devices operating on separate networks

Application Number 18326745
Grant Number 12107827
Status In Force
Filing Date 2023-05-31
First Publication Date 2023-09-28
Grant Date 2024-10-01
Owner CLOUDFLARE, INC. (USA)
Inventor
  • Wondra, Nicholas Alexander
  • Postelnik, Igor
  • Vanderwater, Michael John
  • Chalmers, Adam Simon
  • Diegues, Nuno Miguel Lourenço
  • Harutyunyan, Arég
  • Heine, Erich Alfred

Abstract

A unified network service that connects multiple disparate private networks and end user client devices operating on separate networks is described. The multiple disparate private networks and end user client devices connect to a distributed cloud computing network that provides routing services, security services, and performance services, and that can be controlled consistently regardless of the connection type. The unified network service provides uniform access control at the L3 layer (e.g., at the IP layer) or at a higher layer using user identity information (e.g., a zero-trust model). The disparate private networks are run on top of the distributed cloud computing network. The virtual routing layer of the distributed cloud computing network allows customers of the service to have private resources visible only to client devices (e.g., user devices of the customer and/or server devices of the customer) of the organization while using address space that potentially overlaps with other customers of the distributed cloud computing network.

IPC Classes

  • H04L 9/40 - Network security protocols
  • H04L 12/46 - Interconnection of networks
  • H04L 67/10 - Protocols in which an application is distributed across nodes in the network

71.

WORKERS AI

Serial Number 98200043
Status Registered
Filing Date 2023-09-27
Registration Date 2024-11-19
Owner Cloudflare, Inc.
NICE Classes 42 - Scientific, technological and industrial services, research and design

Goods & Services

Platform as a service (PAAS) featuring computer software platforms for use in enabling third-party users to store, deploy and manage executable software applications; Providing temporary use of on-line non-downloadable software development tools for third-party development of custom software applications; Software as a service (SAAS) services featuring software for use in enabling third-party users to store, deploy and manage executable software applications

72.

Isolating internet-of-things (IoT) devices using a secure overlay network

Application Number 17962799
Grant Number 11870797
Status In Force
Filing Date 2022-10-10
First Publication Date 2023-09-21
Grant Date 2024-01-09
Owner CLOUDFLARE, INC. (USA)
Inventor
  • Chamorro, Derek
  • Cinnamon, Molly Rose
  • Paseka, Tom
  • Wondra, Nicholas

Abstract

A server of a distributed cloud computing network receives, over a tunnel established between customer-premises equipment (CPE) and the server, traffic from an Internet-of-Things (IoT) device that is connected to the CPE. The server enforces an egress traffic policy to determine whether the traffic is permitted to be transmitted to the destination. If the traffic is not permitted to be transmitted to the destination, the server drops the traffic. If the traffic is permitted to be transmitted to the destination, the server transmits the traffic to the destination.

73.

ISOLATING INTERNET-OF-THINGS (IOT) DEVICES USING A SECURE OVERLAY NETWORK

Application Number US2023015545
Publication Number 2023/177893
Status In Force
Filing Date 2023-03-17
Publication Date 2023-09-21
Owner CLOUDFLARE, INC. (USA)
Inventor
  • Chamorro, Derek
  • Cinnamon, Molly Rose
  • Paseka, Tom
  • Wondra, Nicholas

Abstract

A server of a distributed cloud computing network receives, over a tunnel established between customer-premises equipment (CPE) and the server, traffic from an Internet-of-Things (IoT) device that is connected to the CPE. The server enforces an egress traffic policy to determine whether the traffic is permitted to be transmitted to the destination. If the traffic is not permitted to be transmitted to the destination, the server drops the traffic. If the traffic is permitted to be transmitted to the destination, the server transmits the traffic to the destination.

74.

Dynamic selection of where to execute application code in a distributed cloud computing network

Application Number 18166400
Grant Number 11755381
Status In Force
Filing Date 2023-02-08
First Publication Date 2023-09-12
Grant Date 2023-09-12
Owner CLOUDFLARE, INC. (USA)
Inventor
  • Hart, Michael
  • Cabral, Alyson
  • Varda, Kenton Taylor

Abstract

A request is received from a client device at a first datacenter of a distributed cloud computing network. The first request triggers execution of code at the distributed cloud computing network. The execution of the code includes transmitting additional requests to destination(s) external to the distributed cloud computing network. A second datacenter of the distributed cloud computing network is selected to execute the code, where the selection is based on an optimization goal. The code is executed at the second datacenter. The first datacenter receives a result from the code being executed at the second datacenter. The first datacenter transmits a response to the client device that is based at least in part on the result.

IPC Classes

  • G06F 9/50 - Allocation of resources, e.g. of the central processing unit [CPU]

75.

Verification of selected inbound electronic mail messages

Application Number 18153059
Grant Number 11949641
Status In Force
Filing Date 2023-01-11
First Publication Date 2023-07-13
Grant Date 2024-04-02
Owner CLOUDFLARE, INC. (USA)
Inventor Flester, Michael J.

Abstract

An email verification system is described. The email verification system stores names and associated email addresses. An email is received that has a sender name and a sender email address. If the email verification system determines that the sender name matches a stored name but the sender email address does not match with an email address associated with the stored name, the email is prevented from being transmitted to its recipient unless the email is verified as being legitimate. The email verification system transmits a request to verify the email via a configured verification method. If a response is received that verifies the email as legitimate, the email is delivered; otherwise the email is blocked.

IPC Classes

  • H04L 51/212 - Monitoring or handling of messages using filtering or selective blocking
  • G06F 21/31 - User authentication

76.

Secure session capability using public-key cryptography without access to the private key

Application Number 18092750
Grant Number 11991157
Status In Force
Filing Date 2023-01-03
First Publication Date 2023-07-13
Grant Date 2024-05-21
Owner CLOUDFLARE, INC. (USA)
Inventor
  • Pahl, Sébastien Andreas Henry
  • Tourne, Matthieu Philippe François
  • Sikora, Piotr
  • Bejjani, Ray Raymond
  • Knecht, Dane Orion
  • Prince, Matthew Browning
  • Graham-Cumming, John
  • Holloway, Lee Hahn
  • Strasheim, Albertus

Abstract

A server establishes a secure session with a client device where a private key used in the handshake is stored in a different server. An encrypted connection is established between the first server and the second server. A message is received from the client device that initiates a procedure to establish the secure session between the client device and the first server. As part of this procedure, the first server transmits over the encrypted connection a request to the second server to use the private key. The first server receives, over the encrypted connection, a response to the request that includes a result of the use of the private key. The first server uses the result during the procedure to establish the secure session.

IPC Classes

  • H04L 9/40 - Network security protocols
  • G06F 21/33 - User authentication using certificates
  • H04L 9/08 - Key distribution
  • H04L 9/32 - Arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system

77.

Non-HTTP layer 7 protocol applications running in the browser

Application Number 17956695
Grant Number 11909808
Status In Force
Filing Date 2022-09-29
First Publication Date 2023-06-22
Grant Date 2024-02-20
Owner CLOUDFLARE, INC. (USA)
Inventor
  • Koenig, Killian
  • Knecht, Dane Orion
  • Royal, James

Abstract

A server receives from a browser executing on a client device an HTTP request. The server transmits a response to the HTTP request to the browser. The response includes code that when executed by the browser, executes a non-HTTP layer 7 protocol client that communicates with a non-HTTP layer 7 protocol service at an external network. The server receives, from the non-HTTP layer 7 protocol client executing in the browser, data related to the non-HTTP layer 7 protocol service. The server proxies the data related to the non-HTTP layer 7 protocol service over a layer 4 tunnel that is interfaced with the non-HTTP layer 7 protocol service. The server logs event data received from the non-HTTP layer 7 protocol client executing in the browser.

IPC Classes

  • H04L 67/02 - Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
  • H04L 9/40 - Network security protocols
  • H04L 67/51 - Discovery or management thereof, e.g. service location protocol [SLP] or web services
  • H04L 67/561 - Adding application-functional data or data for application control, e.g. adding metadata

78.

Loading and managing third-party tools on a website

Application Number 18146459
Grant Number 12026272
Status In Force
Filing Date 2022-12-27
First Publication Date 2023-06-08
Grant Date 2024-07-02
Owner CLOUDFLARE, INC. (USA)
Inventor
  • Dovrat, Yair
  • Moshe, Yoav

Abstract

Managing the loading of third-party tools on a website is described. Configuration is received for loading the third-party tools. An intermediary server receives a request for a page that is hosted at an origin server. The intermediary server retrieves the page and modifies it, including automatically adding a third-party tool manager to the retrieved page. The third-party tool manager includes a set of one or more client-side scripts that, when executed by the client network application, collect and transmit information to the intermediary server for loading the third-party tools. The intermediary server loads the third-party tools based on the received information and the configuration. The intermediary server causes event data to be transmitted to third-party tool servers that correspond with the third-party tools.

IPC Classes

  • G06F 21/62 - Protecting access to data via a platform, e.g. using keys or access control rules
  • H04L 9/40 - Network security protocols

79.

Method and apparatus for distributed emulation of behavior of a malicious domain

Application Number 17958201
Grant Number 12047414
Status In Force
Filing Date 2022-09-30
First Publication Date 2023-06-01
Grant Date 2024-07-23
Owner CLOUDFLARE, INC. (USA)
Inventor Paine, Justin Matthew

Abstract

Methods and apparatuses for enabling compatibility between multiple versions of an application programming interface (API) are described. When a first API request is received at a compute server, the compute server determines whether the first API request is of a first version of an API that is different from a second version of the API used in an origin server to which the first API request is destined. In response to determining that the first API request is of the first version of the API that is different from the second version of the API used in the origin server to which the first API request is destined, an API compatibility enabler is executed to convert the first API request into a second API request in the second version of the API. The second API request is fulfilled instead of the first API request.

IPC Classes

  • H04L 9/40 - Network security protocols
  • H04L 67/10 - Protocols in which an application is distributed across nodes in the network

80.

Method and apparatus for traffic optimization in virtual private networks (VPNs)

Application Number 18158694
Grant Number 11863448
Status In Force
Filing Date 2023-01-24
First Publication Date 2023-05-25
Grant Date 2024-01-02
Owner CLOUDFLARE, INC. (USA)
Inventor
  • Branch, Christopher Philip
  • Knecht, Dane Orion

Abstract

Traffic optimization in virtual private networks (VPNs) is described. A client device establishes a first VPN connection with a first server according to a first VPN route configuration that specifies a first VPN route to the first server. One or more flows of traffic are forwarded through the first VPN connection to the first server. The client device receives a second VPN route configuration that specifies a second VPN route to a second server of the plurality of servers for establishing a second VPN connection, where the second VPN connection satisfies a set of traffic optimization criteria. The client device establishes the second VPN connection with the second server according to the second VPN route configuration. Traffic is forwarded through the second VPN connection to the second server.

81.

Distributed key management system

Application Number 17956689
Grant Number 11658812
Status In Force
Filing Date 2022-09-29
First Publication Date 2023-05-23
Grant Date 2023-05-23
Owner CLOUDFLARE, INC. (USA)
Inventor
  • Chamorro, Derek
  • Pak, Michael
  • Korchagin, Ignat
  • Robinson, Chase

Abstract

A distributed key management system (KMS) includes a central KMS server and multiple intermediate KMS servers. The central KMS server replicates managed keys to the intermediate KMS servers. An intermediate KMS server receives a KMS service request from a KMS client, where any of the intermediate KMS servers are capable of servicing the request. The intermediate KMS server performs the action requested if it has access to the necessary managed key and returns the response to the KMS client. If it does not have access to the necessary managed key, the intermediate KMS server transmits a request for the managed key to the central KMS server. The intermediate KMS server receives the managed key, performs the action requested, and returns the response to the KMS client.

82.

Machine learning-based malicious attachment detector

Application Number 18155486
Grant Number 12306943
Status In Force
Filing Date 2023-01-17
First Publication Date 2023-05-18
Grant Date 2025-05-20
Owner CLOUDFLARE, INC. (USA)
Inventor
  • Zeppenfeld, Torsten
  • Castro, Javier

Abstract

In an embodiment, a computer-implemented method includes receiving, from a pre-processor, an output file; where the output file is created by the pre-processor in response to input of an electronic file to the pre-processor; where the electronic file is an attachment to a message that is in-transit to a recipient computer on a network; where the output file contains features that are created by the pre-processor analyzing one or more sub-features of the electronic file; receiving, from a machine learning-based classifier, malware classification data that indicates whether the electronic file does or does not contain malware; where the malware classification data is output by the machine learning-based classifier in response to the machine learning-based classifier determining that the features are or are not indicators of obfuscation; where data used to create the machine learning-based classifier includes output files previously created by the pre-processor; in response to the malware classification data matching a criterion, causing the network to modify, delay, or block transmission of the electronic file to the recipient computer.

IPC Classes

  • G06F 21/55 - Detecting local intrusion or implementing counter-measures
  • G06F 16/906 - Clustering; Classification
  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
  • G06N 20/00 - Machine learning
  • H04L 29/06 - Communication control; Communication processing characterised by a protocol
  • G06F 16/33 - Querying

83.

Intelligently routing internet traffic

Application Number 18147573
Grant Number 11895009
Status In Force
Filing Date 2022-12-28
First Publication Date 2023-05-04
Grant Date 2024-02-06
Owner CLOUDFLARE, INC. (USA)
Inventor
  • Ehrat, Braden
  • Kreibich, Jay A.
  • Fleury, Jérôme
  • Vanderwater, Michael
  • Wondra, Nicholas Alexander
  • Thompson, Richard

Abstract

A request from a client device is received at a first one of a plurality of compute nodes at a first one of a plurality of data centers of a distributed cloud computing network. A destination of the request is determined. An optimized route for transmitting the request toward an origin server that corresponds with the destination of the request is determined, where the optimized route is based at least in part on probe data between data centers of the distributed cloud computing network for a plurality of transit connections, and where the optimized route has an IP address that encodes an identification of which of the plurality of transit connections is to be used to deliver the request. The request is transmitted to a next hop as defined by the optimized route over the identified one of the plurality of transit connections.

84.

Cloud computing platform that executes third-party code in a distributed cloud computing network

Application Number 18148642
Grant Number 11853776
Status In Force
Filing Date 2022-12-30
First Publication Date 2023-05-04
Grant Date 2023-12-26
Owner CLOUDFLARE, INC. (USA)
Inventor
  • Varda, Kenton Taylor
  • Bloom, Zachary Aaron
  • Majkowski, Marek Przemyslaw
  • Stepanyan, Ingvar
  • Kloepper, Kyle
  • Knecht, Dane Orion
  • Graham-Cumming, John
  • Grant, Dani

Abstract

A compute server receives a first request from a client device that triggers execution of a first third-party code piece. The first request is directed to a first zone. A single process at the compute server executes the first third-party code piece. As a result of executing the first third-party code piece, a second request is generated that triggers execution of a second third-party code piece. The second request is directed to a second zone. The single process executes the second third-party code piece. A response is generated to the first request based at least in part on the executed first third-party code piece and the executed second third-party code piece. The generated response is transmitted to the client device.

IPC Classes

  • G06F 9/448 - Execution paradigms, e.g. implementations of programming paradigms
  • H04L 67/00 - Network arrangements or protocols for supporting network services or applications
  • H04L 67/02 - Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
  • H04L 67/10 - Protocols in which an application is distributed across nodes in the network
  • G06F 9/455 - Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
  • H04L 9/40 - Network security protocols
  • H04L 67/53 - Network services using third party service providers
  • H04L 67/63 - Routing a service request depending on the request content or context
  • G06F 21/53 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure by executing in a restricted environment, e.g. sandbox or secure virtual machine
  • H04L 41/50 - Network service management, e.g. ensuring proper service fulfilment according to agreements

85.

Implementing a tiered cache topology with anycast networks

Application Number 17818267
Grant Number 11729083
Status In Force
Filing Date 2022-08-08
First Publication Date 2023-04-20
Grant Date 2023-08-15
Owner CLOUDFLARE, INC. (USA)
Inventor
  • Abd Al Hadi, Zaidoon
  • Shugaeva, Samantha Aki
  • Wu, Yuchen
  • Bradley, Brian C.

Abstract

A control server receives probe data from a plurality of data centers indicating measured latencies with a first IP address associated with an origin server. The control server sums the measured latencies of a first data center having a lowest measured latency and a second data center. When the sum is below a threshold value, the control server determines the IP address to be an anycast IP address and selects a proper subset of the plurality of data centers as proxying data centers for other data centers in the plurality of data centers. When the sum is not below the threshold value, the control server determines the IP address to not be an anycast IP address and selects the first data center having the lowest measured latency as the proxying data center for other data centers in the plurality of data centers.

86.

Network layer performance and security provided by a distributed cloud computing network

Application Number 18067713
Grant Number 11894947
Status In Force
Filing Date 2022-12-18
First Publication Date 2023-04-20
Grant Date 2024-02-06
Owner CLOUDFLARE, INC. (USA)
Inventor
  • Wondra, Nicholas Alexander
  • Van Der Mandele, Achiel Paul
  • Forster, Alexander
  • Reeves, Eric
  • Madruga, Joaquin
  • Lalkaka, Rustam Xing
  • Majkowski, Marek Przemyslaw

Abstract

A GRE tunnel is configured between multiple computing devices of a distributed cloud computing network and a single origin router of the origin network. The GRE tunnel has a first GRE endpoint that has an IP address that is shared among the computing devices of the distributed cloud computing network and a second GRE endpoint that has a publicly routable IP address of the origin router. A first computing device receives an IP packet from a client that is destined to an origin server. The first computing device processes the received IP packet and encapsulates the IP packet inside an outer packet to generate a GRE encapsulated packet whose source address is the first GRE endpoint and whose destination address is the second GRE endpoint. The GRE encapsulated packet is transmitted over the GRE tunnel to the single origin router.

87.

Identity proxy and access gateway

Application Number 17867355
Grant Number 11888851
Status In Force
Filing Date 2022-07-18
First Publication Date 2023-04-13
Grant Date 2024-01-30
Owner CLOUDFLARE, INC. (USA)
Inventor
  • Royal, James Howard
  • Rhea, Samuel Douglas

Abstract

A server transmits to a third-party application a request for a resource that is received from a client. The server receives an authentication request from the client device that has been generated by the third-party application. The server transmits an identity provider selection page to the client device that allows the client device to select an identity provider. The server causes the client device to transmit a second authentication request to a selected identity provider. The server receives an authentication response that was generated by the identity provider that includes the identity of the user. The server enforces access rule(s) including identity-based rule(s) and/or non-identity based rule(s). If the user is permitted to access the third-party application, the server causes an authentication response to be transmitted from the client device to the third-party application that indicates the user has successfully authenticated.

IPC Classes

  • H04L 29/06 - Communication control; Communication processing characterised by a protocol
  • H04L 9/40 - Network security protocols

88.

Generating early hints informational responses at an intermediary server

Application Number 17734944
Grant Number 12028434
Status In Force
Filing Date 2022-05-02
First Publication Date 2023-03-23
Grant Date 2024-07-02
Owner CLOUDFLARE, INC. (USA)
Inventor
  • Krivit, Alex
  • Lalkaka, Rustam Xing
  • Shugaeva, Samantha Aki
  • Wang, Edward H.
  • Wu, Yuchen

Abstract

An intermediary server receives a request from a client that identifies an asset that is handled by an origin server. The intermediary server generates an informational response that includes one or more link header fields that reference one or more pieces of content respectively that are predicted by the intermediary server to be linked within a final response for the asset. The intermediary server transmits the generated informational response to the client prior to a final response for the request. The intermediary server transmits the request to the origin server and receives a final response to the request. The intermediary server transmits the final response to the request to the client.

IPC Classes

  • H04L 67/5681 - Pre-fetching or pre-delivering data based on network characteristics

89.

Selective traffic processing in a distributed cloud computing network

Application Number 18071484
Grant Number 11895149
Status In Force
Filing Date 2022-11-29
First Publication Date 2023-03-23
Grant Date 2024-02-06
Owner CLOUDFLARE, INC. (USA)
Inventor
  • Van Der Mandele, Achiel Paul
  • Reeves, Eric

Abstract

A server receives internet traffic from a client device. The server is one of multiple servers of a distributed cloud computing network which are each associated with a set of server identity(ies) including a server/data center certification identity. The server processes, at layer 3, the internet traffic including participating in a layer 3 DDoS protection service. If the traffic is not dropped by the layer 3 DDoS protection service, further processing is performed. The server determines whether it is permitted to process the traffic at layers 5-7, including whether it is associated with a server/data center certification identity that meets selected criteria for the destination of the internet traffic. If the server does not meet the criteria, it transmits the traffic to another one of the multiple servers for processing the traffic at layers 5-7.

IPC Classes

  • H04L 9/40 - Network security protocols
  • H04L 67/288 - Distributed intermediate devices, i.e. intermediate devices for interaction with other intermediate devices on the same level
  • H04L 69/325 - Intralayer communication protocols among peer entities or protocol data unit [PDU] definitions in the network layer [OSI layer 3], e.g. X.25
  • H04L 67/01 - Protocols
  • H04L 67/63 - Routing a service request depending on the request content or context

90.

Mobile accelerator

Application Number 17820142
Grant Number 11729093
Status In Force
Filing Date 2022-08-16
First Publication Date 2023-03-16
Grant Date 2023-08-15
Owner CLOUDFLARE, INC. (USA)
Inventor
  • Kim, Jeff Sesung
  • Choi, Jun Ho

Abstract

A mobile accelerator system includes points of presence (POPs), including an entry POP. The entry POP receives a query to a content server from a mobile device via a dedicated transport channel. The entry POP determines a direct connection score for a direct connection between the mobile device and the content server that does not traverse the mobile accelerator system. The entry POP determines a POP connection score for a connection between the mobile device and the content server through the entry POP and a candidate exit POP. The entry POP determines a dynamic path ranking based on the direct connection score, the POP connection score, and other POP connection score(s) associated with other candidate exit POP(s). The entry POP determines at least a portion of a dynamic path between the mobile device based on the dynamic path ranking and routes data transfers through that dynamic path.

IPC Classes

  • H04L 12/725 - Selecting a path with suitable quality of service [QoS]
  • H04W 40/00 - Communication routing or communication path finding
  • H04L 45/302 - Route determination based on requested QoS
  • H04W 88/18 - Service support devices; Network management devices
  • H04L 67/00 - Network arrangements or protocols for supporting network services or applications

91.

Protecting internet of things (IoT) devices at the network level

Application Number 17878839
Grant Number 11979373
Status In Force
Filing Date 2022-08-01
First Publication Date 2023-03-16
Grant Date 2024-05-07
Owner CLOUDFLARE, INC. (USA)
Inventor Grant, Dani

Abstract

An Internet of Things (IoT) protection service at the network level is described. A secure session is established between an edge server and an IoT client that is requesting to send data to an IoT device. The edge server receives the request from the IoT client over the secure session instead of the IoT device directly because a Domain Name System (DNS) request for a unique fully qualified domain name assigned to the IoT device returns an IP address of the edge server instead of an IP address of the IoT device. The edge server analyzes the request to determine whether to transmit the request to the IoT device, including applying web application firewall rule(s) against the request. If the request does not trigger any rule, then the edge server transmits the request to the IoT device. If the request triggers any rule, then the edge server blocks the request.

IPC Classes

  • H04L 9/40 - Network security protocols
  • G06F 8/65 - Updates
  • H04L 61/4511 - Network directories; Name-to-address mapping using standardised directories; Network directories; Name-to-address mapping using standardised directory access protocols using domain name system [DNS]
  • H04L 61/5007 - Internet protocol [IP] addresses
  • H04L 67/12 - Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
  • H04L 67/141 - Setup of application sessions
  • H04L 67/60 - Scheduling or organising the servicing of application requests, e.g. requests for application data transmissions using the analysis and optimisation of the required network resources

92.

Responding to search requests based on referrer

Application Number 17818263
Grant Number 11882149
Status In Force
Filing Date 2022-08-08
First Publication Date 2023-03-09
Grant Date 2024-01-23
Owner CLOUDFLARE, INC. (USA)
Inventor
  • Majkowski, Marek Przemyslaw
  • Biłas, Maciej
  • Wragg, David Paul

Abstract

For each network resource request received at a server of a cloud-based service, a determination of whether that request originated from a second network resource is made. For each such request where the network resource originated from the second network resource, a referrer indication is logged that indicates the second network resource is a referrer to that network resource. A network resource relevance dataset is generated based on the referrer indications of the second network resources. A relevance metric is associated with each second network resource based on a total number of referrer indications. A search request is received from a client device. Based at least in part on the network resource relevance dataset, search results are determined. The search results are transmitted to the client device.

IPC Classes

  • H04L 9/40 - Network security protocols
  • G06F 3/023 - Arrangements for converting discrete items of information into a coded form, e.g. arrangements for interpreting keyboard generated codes as alphanumeric codes, operand codes or instruction codes

93.

Internet protocol security (IPSec) tunnel using anycast at a distributed cloud computing network

Application Number 17977391
Grant Number 12101295
Status In Force
Filing Date 2022-10-31
First Publication Date 2023-03-09
Grant Date 2024-09-24
Owner CLOUDFLARE, INC. (USA)
Inventor
  • Vanderwater, Michael John
  • Chalmers, Adam Simon
  • Diegues, Nuno Miguel Lourenço
  • Harutyunyan, Arég
  • Heine, Erich Alfred
  • Wondra, Nicholas Alexander

Abstract

An IPSec tunnel request for establishing an IPSec tunnel from a customer router to an anycast IP address of a distributed cloud computing network is received. The same anycast IP address is shared among compute servers of the distributed cloud computing network. A handshake is performed with the customer router from a first compute server including generating security associations for encrypting and decrypting IPSec traffic. The security associations are propagated to each compute server and are used for encrypting and decrypting traffic.

IPC Classes

  • H04L 9/40 - Network security protocols
  • H04L 12/46 - Interconnection of networks
  • H04L 67/10 - Protocols in which an application is distributed across nodes in the network

94.

EVERYWHERE SECURITY

Serial Number 97825650
Status Pending
Filing Date 2023-03-06
Owner Cloudflare, Inc.
NICE Classes 42 - Scientific, technological and industrial services, research and design

Goods & Services

Providing online non-downloadable computer software platforms for controlling and managing access server applications

95.

Modifying the congestion control algorithm applied to a connection based on request characteristics

Application Number 17982358
Grant Number 12335158
Status In Force
Filing Date 2022-11-07
First Publication Date 2023-02-23
Grant Date 2025-06-17
Owner CLOUDFLARE, INC. (USA)
Inventor Choi, Jun Ho

Abstract

An edge server receives a first request message for transmission to the host device. The edge server determines a first congestion control algorithm based on the first request message, including characteristics of the first request message. The edge server applies the first congestion control algorithm to the transport connection for application to the transmission of the first request message. Subsequently, the edge server receives a second request message for transmission to the host device over the transport connection. Based on the second request message, including characteristics of the second request message, the edge server determines and applies a second congestion control algorithm to the transport connection for application to the transmission of the second request message, wherein the second congestion control algorithm is different from the first congestion control algorithm.

IPC Classes

  • H04L 47/27 - Evaluation or update of window size, e.g. using information derived from acknowledged [ACK] packets
  • H04L 47/10 - Flow control; Congestion control
  • H04L 47/193 - Flow control; Congestion control at layers above the network layer at the transport layer, e.g. TCP related
  • H04L 47/283 - Flow control; Congestion control in relation to timing considerations in response to processing delays, e.g. caused by jitter or round trip time [RTT]

96.

Secure private traffic exchange in a unified network service

Application Number 17977381
Grant Number 11831607
Status In Force
Filing Date 2022-10-31
First Publication Date 2023-02-16
Grant Date 2023-11-28
Owner CLOUDFLARE, INC. (USA)
Inventor Wondra, Nicholas Alexander

Abstract

Traffic is received at an interface of a compute server. Identity information associated with the traffic is determined, including an identifier of a first customer to which the traffic is attributable. An egress policy configured for the first customer is used to determine whether the traffic is allowed to be transmitted to a destination where that destination is a resource of a second customer. If the traffic is allowed to be transmitted, the traffic and identity information are transmitted over a cross-customer GRE tunnel to a namespace of the second customer on the compute server. An ingress policy configured for the second customer is used to determine whether the traffic is allowed to be transmitted to the destination, and if it is, then the traffic is transmitted.

IPC Classes

  • H04L 9/40 - Network security protocols
  • H04L 12/46 - Interconnection of networks
  • H04L 67/10 - Protocols in which an application is distributed across nodes in the network

97.

Method and system for reliable application layer data transmission through unreliable transport layer connections in a network

Application Number 17978782
Grant Number 11863655
Status In Force
Filing Date 2022-11-01
First Publication Date 2023-02-16
Grant Date 2024-01-02
Owner CLOUDFLARE, INC. (USA)
Inventor
  • Vanderwater, Michael John
  • Wondra, Nicholas Alexander

Abstract

A first transport protocol connection is established between a first proxy network element and a second proxy network element. The first proxy network element receives from a first Border Gateway Protocol (BGP) client, first BGP data destined to a second BGP client that is connected to the second proxy network element. The first BGP data is transmitted to the second proxy network element through the first transport protocol connection for delivery to the second BGP client. The first proxy network element receives second BGP data destined to the second BGP client. Responsive to determining that the first transport protocol connection is down, the first proxy network element stores the second BGP data and establishes a second transport protocol connection to the second proxy network element. The second BGP data is transmitted to the second proxy network element through the second transport protocol connection.

IPC Classes

  • H04L 69/08 - Protocols for interworking; Protocol conversion
  • H04L 69/329 - Intralayer communication protocols among peer entities or protocol data unit [PDU] definitions in the application layer [OSI layer 7]
  • H04L 69/163 - In-band adaptation of TCP data exchange; In-band control procedures
  • H04W 88/06 - Terminal devices adapted for operation in multiple networks, e.g. multi-mode terminals
  • H04L 67/56 - Provisioning of proxy services

98.

Mobile application accelerator

Application Number 17973216
Grant Number 12120590
Status In Force
Filing Date 2022-10-25
First Publication Date 2023-02-09
Grant Date 2024-10-15
Owner CLOUDFLARE, INC. (USA)
Inventor
  • Kim, Jeff Sesung
  • Choi, Junho
  • Lee, Sang Jo
  • Park, Young Keun
  • Shi, Tianyu

Abstract

Techniques for providing mobile device content delivery acceleration for mobile applications are discussed herein. Some embodiments may provide for a mobile accelerator system including a plurality of point-of-presences (POPs) and a control tower system. The control tower system may be configured to control mobile data transfer acceleration between a mobile device and the content server via the plurality of POPs of the mobile accelerator system. Each mobile application executing on the mobile device may be registered, validated, and then associated with a device POP that forms a dedicated connection with an entry POP of the plurality of POPs. Mobile data transfer acceleration for each mobile application may be selectively activated or deactivated, such as based on user configurations at the application level, domain name level, and/or country level.

IPC Classes

  • H04W 4/60 - Subscription-based services using application servers or record carriers, e.g. SIM application toolkits
  • H04W 8/18 - Processing of user or subscriber data, e.g. subscribed services, user preferences or user profiles; Transfer of user or subscriber data

99.

Establishing and using a tunnel from an origin server in a distributed edge compute and routing service

Application Number 17728407
Grant Number 11949647
Status In Force
Filing Date 2022-04-25
First Publication Date 2023-02-09
Grant Date 2024-04-02
Owner CLOUDFLARE, INC. (USA)
Inventor
  • Knecht, Dane Orion
  • Graham-Cumming, John
  • Grant, Dani
  • Branch, Christopher Philip
  • Paseka, Tom

Abstract

A tunnel is established between a first edge server of a distributed edge compute and routing service and a tunnel client residing on an origin server. Routing rules are installed in the edge servers of the distributed edge compute and routing service to reach the first edge server. The routing rules are based at least in part on traffic information gathered from processing other traffic that traverses the distributed edge compute and routing service. A request for content served by the origin server through the tunnel is received at a second edge server of the distributed edge compute and routing service. A path from the second edge server to the first edge server is determined based on the routing rules. The request is transmitted on the determined path. The first edge server receives the request and transmits the request to the origin server over the tunnel.

IPC Classes

  • H04L 61/2592 - Translation of Internet protocol [IP] addresses using tunnelling or encapsulation
  • H04L 12/46 - Interconnection of networks
  • H04L 61/4511 - Network directories; Name-to-address mapping using standardised directories; Name-to-address mapping using standardised directory access protocols using domain name system [DNS]
  • H04L 67/01 - Protocols
  • H04L 67/02 - Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
  • H04L 67/10 - Protocols in which an application is distributed across nodes in the network
  • H04L 67/1017 - Server selection for load balancing based on a round robin mechanism
  • H04L 67/1031 - Controlling of the operation of servers by a load balancer, e.g. adding or removing servers that serve requests
  • H04L 61/5007 - Internet protocol [IP] addresses

100.

Concurrency control in an asynchronous event-loop based program environment

Application Number 17734933
Grant Number 11861420
Status In Force
Filing Date 2022-05-02
First Publication Date 2023-02-09
Grant Date 2024-01-02
Owner CLOUDFLARE, INC. (USA)
Inventor
  • Varda, Kenton Taylor
  • Robinson, Alex Dwane

Abstract

Concurrency control in an asynchronous event-loop based program environment is described. A program is implemented with an asynchronous event-loop. A piece of code controls the delivery of events into the program by preventing events from being delivered to the program while a storage operation is executing, except for storage completion events. Those events are prevented from being delivered to the program until the storage operation completes and the program is not executing code.

IPC Classes

  • G06F 9/54 - Interprogram communication
  • G06F 3/06 - Digital input from, or digital output to, record carriers
  • G06Q 10/101 - Collaborative creation, e.g. joint development of products or services