Sequential consistency across a distributed cloud computing network is described. A database includes a primary database and multiple read replica databases. Write queries are transmitted to the primary database, and commit tokens are provided to the read replica databases and to the clients. Commit tokens are included in requests from clients. If a request for a read operation received at a read replica database does not include a token that is later than the commit token of the most recent update to that read replica database, the read replica database performs the read operation. If the request includes a token that is later than the commit token of the most recent update to the read replica database, the read replica database delays servicing the read operation until it receives an update from the primary database with an updated commit token.
G06F 16/27 - Replication, distribution or synchronisation of data between databases or within a distributed database system; Distributed database system architectures therefor
42 - Scientific, technological and industrial services, research and design
Goods and services
Providing online non-downloadable computer software platforms for running, serving, and managing artificial intelligence and large language model (LLM) inference workloads; Providing online non-downloadable computer software platforms for accelerating and optimizing the performance of artificial intelligence and large language model (LLM) inference workloads; Providing temporary use of on-line non-downloadable software and applications for deploying and running artificial intelligence models on an edge computing network
3.
Detecting Application Programming Interface (API) Sequences And Mitigating API Sequence Abuse At The Edge Of A Distributed Cloud Computing Network
A first compute server of a distributed cloud computing network that includes multiple compute servers receives an API request that is directed to an API endpoint. The first compute server determines an identifier that uniquely identifies a session that is associated with the API request. Based on the determined identifier, the first compute server determines which of the compute servers of the distributed cloud computing network is responsible for storing information about previous API operations associated with that identifier. The first compute server transmits an API sequence request to the determined compute server. In response, the first compute server receives information that specifies the most recently observed, time-ordered sequence of API operations associated with the determined identifier. The first compute server may enforce a rule based at least on a sequence of at least two of the latest API operations.
A method includes receiving, from a pre-processor, an output file, the output file having been created by the pre-processor in response to input of an electronic file to the pre-processor, the electronic file being an attachment to an electronic mail message that is in-transit to a recipient computer on a network, the electronic file being a spreadsheet file, the output file containing features that are created by the pre-processor; receiving, from a machine learning-based classifier, malware classification data, the malware classification data being output by the machine learning-based classifier in response to the machine learning-based classifier determining whether the features are indicators of obfuscation, the data used to create the machine learning-based classifier including output files previously created by the pre-processor; in response to the malware classification data matching a criterion, causing the network to modify, delay, or block transmission of the electronic file to the recipient computer.
G06F 12/14 - Protection against unauthorised use of memory
G06F 21/52 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems, during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure
H04L 29/06 - Communication control; Communication processing characterised by a protocol
5.
USING A ZERO-KNOWLEDGE PROOF TO PROVE KNOWLEDGE THAT A WEBSITE VISITOR IS A LEGITIMATE HUMAN USER
A client device receives a challenge request from a server to prove that internet traffic was initiated by a human user through verifying a physical interaction between a human user and a hardware component. The client device causes a prompt to be displayed to perform the physical interaction with the hardware component. A cryptographic attestation is received that includes an attestation signature that is generated after confirmation that the physical interaction was performed with the hardware component. A zero-knowledge proof of the attestation signature is generated and transmitted to the server for verification. The client device receives the requested content responsive to the server verifying the validity of the zero-knowledge proof.
H04L 9/32 - Arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system
G06F 21/32 - User authentication using biometric data, e.g. fingerprints, iris scans or voiceprints
H04L 9/14 - Arrangements for secret or secure communications; Network security protocols using a plurality of keys or algorithms
A method involves receiving data identifying a set of information technology (IT) resources of an IT infrastructure and generating a first IT resource dependency graph using the set of IT resources. First INCLUDES and EXCLUDES configuration data indicating one or more IT resources that should either be included or excluded from an IT resource group is received. Initial selection statuses for IT resources in the first dependency graph are set based on the first INCLUDES and EXCLUDES configuration data. A breadth-first search of the first dependency graph is performed to generate the IT resource group based on the initial selection status for the IT resources in the first dependency graph, and the IT infrastructure is updated or managed using the IT resource group.
Purging resources from a cache in a distributed networked system is described. A compute server of a first data center of the distributed networked system receives a purge request to purge a resource from cache. If the purge request does not include a cache key, the compute server determines whether the purge request is valid, and if valid, purges the resource from cache of the first data center, generates a cache key for the resource, and causes the purge request that includes the generated cache key to be sent to other data centers of the distributed networked system for purging the resource from cache. If the purge request includes a cache key, the compute server skips determining whether the purge request is valid and purges the resource from cache based on the cache key.
G06F 12/08 - Addressing or allocation; Relocation in hierarchically structured memory systems, e.g. virtual memory systems
G06F 12/0891 - Addressing of a memory level in which the access to the desired data or data block requires associative addressing means, e.g. caches, using clearing, invalidating or resetting means
G06F 12/14 - Protection against unauthorised use of memory
9.
MANAGING ARTIFICIAL INTELLIGENCE INFERENCE REQUESTS THAT ARE DIRECTED TO AN AI MODEL EXTERNAL TO A DISTRIBUTED CLOUD COMPUTING NETWORK
A compute server of a distributed cloud computing network receives an inference request that is directed to an AI model hosted at a destination external to the distributed cloud computing network. The compute server determines that the inference request satisfies security rules associated with the AI model. Upon determining that the inference request is not answerable from a cache, the compute server transmits the inference request to the AI model hosted at the external destination. The compute server receives an inference response from the AI model in response to the inference request, transmits the inference response, and stores the inference request and the inference response in cache.
A first compute server of a plurality of compute servers of a distributed cloud computing network receives an inference request. The first compute server determines that the received inference request triggers execution of code at the distributed cloud computing network, where the code is related to an artificial intelligence (AI) application that interacts with the inference request and causes input of the inference request to be run through an AI model. If the AI model is not loaded at the first compute server but is loaded at a second compute server, the inference request is routed to the second compute server for performing the inference operation.
H04L 67/63 - Scheduling or organising the servicing of application requests, e.g. requests for application data transmissions, using the analysis and optimisation of the required network resources, by routing a service request depending on the request content or context
H04L 41/16 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks, using machine learning or artificial intelligence
H04L 67/1014 - Server selection for load balancing based on the content of a request
12.
System for cross-domain identity management (SCIM) proxy service
A system for cross-domain identity management (SCIM) proxy service is described. A first SCIM endpoint receives, from a first SCIM client, a first message that includes a SCIM resource. The first SCIM endpoint is associated with a customer of the SCIM proxy service. The SCIM proxy service is configured as a first SCIM service provider for the first SCIM client. The first message is validated. The SCIM proxy service determines that a third-party application is in scope for the SCIM resource, where the SCIM proxy service is configured as a second SCIM client for the third-party application. The SCIM proxy service transforms the SCIM resource to create a transformed SCIM resource that is applicable to the third-party application. The SCIM proxy service transmits a second message to a second SCIM endpoint of the third-party application, the second message including the transformed SCIM resource.
Inter-process serving of machine learning features from mapped memory for machine learning models is described. ML features are populated in a data structure that is serialized. State data is stored that indicates that reader process(es) are to read from a first memory mapped data file and not a second memory mapped data file. The serialized bytes are stored in the second memory mapped data file and the state data is updated to indicate that the reader process(es) are to read from the second memory mapped data file. A request is received and parsed to prepare keys from attributes of the request. Based on the state data, the serialized bytes are read from the second memory mapped data file that correspond to the keys. The serialized bytes are deserialized and copied to a data structure available to an inference algorithm.
A unified network service that connects multiple disparate private networks and end user client devices operating on separate networks is described. The multiple disparate private networks and end user client devices connect to a distributed cloud computing network that provides routing services, security services, and performance services, and that can be controlled consistently regardless of the connection type. The unified network service provides uniform access control at the L3 layer (e.g., at the IP layer) or at a higher layer using user identity information (e.g., a zero-trust model). The disparate private networks are run on top of the distributed cloud computing network. The virtual routing layer of the distributed cloud computing network allows customers of the service to have private resources visible only to client devices (e.g., user devices of the customer and/or server devices of the customer) of the organization while using address space that potentially overlaps with other customers of the distributed cloud computing network.
Sequential consistency across a distributed cloud computing network is described. A database includes a primary database and multiple read replica databases. Write queries are transmitted to the primary database, and commit tokens are provided to the read replica databases and to the clients. Commit tokens are included in requests from clients. If a request for a read operation received at a read replica database does not include a token that is later than the commit token of the most recent update to that read replica database, the read replica database performs the read operation. If the request includes a token that is later than the commit token of the most recent update to the read replica database, the read replica database delays servicing the read operation until it receives an update from the primary database with an updated commit token.
G06F 16/27 - Replication, distribution or synchronisation of data between databases or within a distributed database system; Distributed database system architectures therefor
A first intermediate key management system (KMS) server of a distributed KMS receives a key lookup service (KLS) query from a KMS client for determining an identity of KMS server(s) that are capable of performing a first operation with a first managed key. The first intermediate KMS server is one of the intermediate KMS servers of the distributed KMS. The first KMS server determines the identity of one or more of the KMS servers that are capable of performing the first operation with the first managed key. The first KMS server transmits a KLS response to the KMS client that includes the identity of the KMS server(s) that are capable of performing the first operation with the first managed key.
An object worker is instantiated at a compute server of a distributed cloud computing network, where the object worker includes a single instantiation of a piece of code that solely controls reading from and writing to an object. An external communication policy is associated with the object worker. If the external communication policy does not allow the object worker to send communications involving the object to an asset that is external to the distributed cloud computing network, the communication is prevented from being sent. If the external communication policy allows the object worker to send communications involving the object to the asset that is external to the distributed cloud computing network, the communication is sent from the object worker to the asset.
H04L 67/1097 - Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
Systems and methods are disclosed for zero trust authentication. In certain embodiments, a method may comprise providing, from a client computing system to an identity provider (IdP) authority, an authentication nonce value generated by hashing a random value together with a public key of the client computing system, and receiving, at the client computing system from the IdP authority, an authorization token including the authentication nonce value signed by a secret key of the IdP authority. The method may further comprise providing a message including the authorization token from the client computing system to a target computing system via an intermediary co-signer (ICS) configured to authenticate the message.
H04L 9/32 - Arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system
20.
POLICY-BASED BLOCKING OF VULNERABLE SOFTWARE INSTALLATIONS USING A PROXY
A proxy server receives a request from a client network application executing on a client device. The proxy server detects that the request is for a software dependency installation package. The proxy server determines a risk score associated with the software dependency installation package. Based on the risk score associated with the software dependency installation package, the proxy server determines that the software dependency installation package violates a policy. When the software dependency installation package violates the policy, the proxy server blocks the request and stores a log entry in an auditing system including data indicating the blocking of the request.
G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
G06F 21/54 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems, during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure, by adding security routines or objects to programs
G06F 21/55 - Detecting local intrusion or implementing counter-measures
21.
SECURING AN APPLICATION OR SERVICE OVER A NETWORK INTERCONNECT USING A DEDICATED EGRESS IP ADDRESS
A first compute server of a distributed cloud computing network receives traffic that is destined for a private application or service running on a server of a customer external to the distributed cloud computing network. That server is connected to the distributed cloud computing network through a network interconnect. One or more policies that are configured for the customer are used to determine whether the traffic is allowed to access the private application or service. The first compute server transmits the traffic to a second compute server of the distributed cloud computing network that has the network interconnect. The second compute server transmits the traffic to the server over the network interconnect using, as its source IP address, an IP address that is dedicated to the customer.
A method involves receiving, at a Global Resource Catalog (GRC) controller, credentials for one or more target networks within a distributed cloud network. For each target network, the GRC controller uses a respective network access methodology associated with that target network to identify and store a first set of target network resources associated with that network at a GRC database. The GRC controller links or groups a second set of target network resources of the first set of target network resources in the GRC database based on target network resource dependencies determined by the GRC controller. The GRC controller updates the second set of target network resources in the GRC database based on a received event or at a scheduled interval. A distributed cloud network is then updated based on the second set of target network resources stored at the GRC database.
H04L 41/082 - Configuration setting characterised by the conditions triggering a change of settings, the condition being updates or upgrades of network functionality
H04L 47/70 - Admission control; Resource allocation
23.
Enforcing security policies in a zero trust security framework using a behavioral score
A management server retrieves access logs associated with a plurality of identities and generates a plurality of behavioral scores for the plurality of identities. The behavioral score for a particular identity increases responsive to access approvals and decreases responsive to access denials for that particular identity. A proxy server receives a first request to access a resource associated with a first identity of the plurality of identities and determines a zero trust access policy for the resource. When a first behavioral score for the first identity satisfies a behavioral score threshold for the zero trust access policy, the proxy server provides the resource. The proxy server receives a second request to access the resource associated with a second identity. When a second behavioral score for the second identity fails to satisfy the behavioral score threshold, the proxy server performs an action defined in the zero trust access policy.
A request is received from a client device at a first datacenter of a distributed cloud computing network. The first request triggers execution of code at the distributed cloud computing network. The execution of the code includes transmitting additional requests to destination(s) external to the distributed cloud computing network. A second datacenter of the distributed cloud computing network is selected to execute the code, where the selection is based on an optimization goal. The code is executed at the second datacenter. The first datacenter receives a result from the code being executed at the second datacenter. The first datacenter transmits a response to the client device that is based at least in part on the result.
A request is received from a client device at a first datacenter of a distributed cloud computing network. The distributed cloud computing network includes multiple datacenters. The received request triggers execution of code at the distributed cloud computing network. The code includes a first function and a second function. A determination is made to execute the first function at the first datacenter and to execute the second function at a second datacenter of the distributed cloud computing network. The first function is executed at the first datacenter to obtain a first result. The first datacenter causes the second function to be executed at the second datacenter. The first datacenter receives, from the second datacenter, a second result from the execution of the second function. The first datacenter transmits a response to the client device that is based at least in part on the first result and the second result.
A machine learning (ML) based web application firewall (WAF) is described. Transformation(s) are applied to raw data including normalizing and generating a signature over the normalized data. The signature and the normalized data are vectorized to create a first and second vector of integers respectively. The first and second vector of integers are input into an ML model, which outputs a score that indicates a probability of the raw data being of a type that is malicious. A traffic processing rule is enforced that instructs a WAF to block traffic when the score is above a threshold that indicates the raw data is of the type that is malicious.
G06F 30/27 - Optimisation, verification or simulation of the object to be designed using machine learning, e.g. artificial intelligence, neural networks, support vector machines [SVM] or training a model
H04L 41/16 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks, using machine learning or artificial intelligence
27.
State management and persistent data storage in a distributed cloud computing network
A first compute server of a distributed cloud computing network executes an application that controls reading and writing access to associated persistent data. The first compute server performs a write operation to the persistent data on local storage, notifies a piece of code that controls outgoing messages from the application that the write operation is pending, and transmits write information for the write operation to a set of other compute servers. If an acknowledgement of the write information is received from a quorum of the other compute servers, the application notifies the piece of code that the write operation is confirmed. Periodically the write information is transmitted to an external storage system. If a confirmation that the write information has been written is received from the storage system, the first compute server transmits a write confirmation notice to the other compute servers, which can then delete the write information.
An email verification system is described. The email verification system stores names and associated email addresses. An email is received that has a sender name and a sender email address. If the email verification system determines that the sender name matches a stored name but the sender email address does not match with an email address associated with the stored name, the email is prevented from being transmitted to its recipient unless the email is verified as being legitimate. The email verification system transmits a request to verify the email via a configured verification method. If a response is received that verifies the email as legitimate, the email is delivered; otherwise the email is blocked.
A server receives internet traffic from a client device. The server is one of multiple servers of a distributed cloud computing network, each of which is associated with a set of one or more server identities including a server/data center certification identity. The server processes the internet traffic at layer 3, including participating in a layer 3 DDoS protection service. If the traffic is not dropped by the layer 3 DDoS protection service, further processing is performed. The server determines whether it is permitted to process the traffic at layers 5-7, including whether it is associated with a server/data center certification identity that meets selected criteria for the destination of the internet traffic. If the server does not meet the criteria, it transmits the traffic to another one of the multiple servers for processing at layers 5-7.
H04L 67/288 - Distributed intermediate devices, i.e. intermediate devices for interaction with other intermediate devices on the same level
H04L 67/63 - Scheduling or organising the servicing of application requests, e.g. requests for application data transmissions, using the analysis and optimisation of the required network resources, by routing a service request depending on the request content or context
H04L 69/325 - Intralayer communication protocols among peer entities or protocol data unit [PDU] definitions in the network layer [OSI layer 3], e.g. X.25
A condition exists that triggers an HTTP server to modify one or more HTTP connections for one or more HTTP clients that are connected to the HTTP server. The HTTP server dynamically modifies the one or more HTTP connections including dynamically modifying one or more runtime behaviors for the one or more HTTP connections. For each of the one or more HTTP clients, the HTTP server monitors that HTTP client to determine whether it is complying with the modified one or more runtime behaviors. If one of the one or more HTTP clients is not complying with the modified one or more runtime behaviors, the HTTP server performs a mitigation action on that HTTP client.
H04L 67/142 - Managing session states for stateless protocols; Signalling session states; Session state signalling; Keeping-state mechanisms
H04L 67/02 - Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
H04L 67/143 - Termination or inactivation of sessions, e.g. event-controlled end of session
31.
Logging access types based on inserting tenant control headers into requests
A proxy server receives a first request from a first user to access a resource hosted by a cloud-based server. The proxy server inserts a first tenant control header into the first request specifying a tenant identifier. The tenant identifier indicates a tenant permitted to access the resource. The proxy server then transmits the first request with the inserted first tenant control header to the cloud-based server. In response to receiving a first response indicating a rejection of the first request with the inserted first tenant control header, the proxy server transmits the first request again to the cloud-based server but without the first tenant control header. The proxy server then logs the first request as an access request using a non-permitted tenant identifier.
A cloud security proxy is described that is able to process requests for cloud services in order to validate the requests against specified rules and/or policies. The cloud security proxy provides greater security for cloud-based applications while providing developers with greater flexibility in the choice of development tools while maintaining a strong security posture for the organization.
An edge server of a distributed edge compute and routing service receives a tunnel connection request from a tunnel client residing on an origin server, that requests a tunnel be established between the edge server and the tunnel client. The request identifies the hostname that is to be tunneled. An IP address is assigned for the tunnel. DNS record(s) are added or changed that associate the hostname with the assigned IP address. Routing rules are installed in the edge servers of the distributed edge compute and routing service to reach the edge server for the tunneled hostname. The edge server receives a request for a resource of the tunneled hostname from another edge server that received the request from a client, where the other edge server is not connected to the origin server. The request is transmitted from the edge server to the origin server over the tunnel.
H04L 61/4511 - Network directories; Name-to-address mapping using standardised directories; Network directories; Name-to-address mapping using standardised directory access protocols using the domain name system [DNS]
H04L 67/02 - Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
H04L 67/10 - Protocols in which an application is distributed across nodes in the network
H04L 67/1017 - Server selection for load balancing based on a round robin mechanism
H04L 67/1031 - Controlling of the operation of servers by a load balancer, e.g. adding or removing servers that serve requests
H04L 61/5007 - Internet protocol [IP] addresses
Systems and methods are disclosed for performing multi-party, split-key authentication in cryptography. In certain embodiments, a system may comprise a key broker configured to receive a request for a root certificate, generate a secret key based on the request, generate the root certificate based on the secret key, split the secret key into a plurality of shards, provide a first shard of the plurality of shards to an agent, and delete the first shard at the key broker. The key broker may further receive a partially signed client certificate signed with the first shard, generate a fully signed client certificate based on the partially signed client certificate and a second shard of the plurality of shards, and issue the fully signed client certificate.
H04L 9/32 - Arrangements for secret or secure communications; Network security protocols; including means for verifying the identity or authority of a user of the system
A computer-implemented method, executed by one or more email detection computers, receives from a computer network, a first email message from a first sender account to a first recipient account and having a plurality of attributes. The method determines that the first email message is a phishing email, extracts a subset of attributes, normalizes transformable attributes, and generates a hash representation from fixed attributes and the normalized transformable attributes, stores the hash representation in a database, receives a second email message, and determines that the second email message is a phishing email based on the stored hash representation.
H04L 51/212 - Monitoring or handling of messages using filtering or selective blocking
H04L 9/06 - Arrangements for secret or secure communications; Network security protocols; the encryption apparatus using shift registers or memories for block-wise coding, e.g. DES systems
H04L 9/32 - Arrangements for secret or secure communications; Network security protocols; including means for verifying the identity or authority of a user of the system
37.
Network layer performance and security provided by a distributed cloud computing network
A first computing device of a distributed cloud computing network receives an IP packet that is destined for an origin server of an origin network. The first computing device processes the received IP packet and encapsulates the IP packet inside an outer packet to generate an encapsulated packet, where the outer packet has a source IP address that is advertised as an anycast IP address at the distributed cloud computing network, and a destination IP address of an origin router of the origin network. The encapsulated packet is transmitted to the origin router.
A server transmits to a third-party application a request for a resource that is received from a client. The server receives an authentication request from the client device that has been generated by the third-party application. The server transmits an identity provider selection page to the client device that allows the client device to select an identity provider. The server causes the client device to transmit a second authentication request to a selected identity provider. The server receives an authentication response that was generated by the identity provider that includes the identity of the user. The server enforces access rule(s) including identity-based rule(s) and/or non-identity based rule(s). If the user is permitted to access the third-party application, the server causes an authentication response to be transmitted from the client device to the third-party application that indicates the user has successfully authenticated.
A request is received from a client device over a Virtual Private Network (VPN) tunnel. The request is received at a first one of a plurality of edge servers of a distributed cloud computing network. A destination of the request is determined and an optimized route for transmitting the request toward an origin server is determined. The optimized route is based at least in part on probe data between edge servers of the distributed cloud computing network. The request is transmitted to a next hop as defined by the optimized route.
H04L 12/721 - Routing procedures, e.g. shortest path routing, source routing, link state routing or distance vector routing
H04L 29/12 - Arrangements, apparatus, circuits or systems not covered by a single one of the groups, characterised by the data terminal
H04L 45/02 - Topology update or discovery
H04L 67/10 - Protocols in which an application is distributed across nodes in the network
H04L 67/63 - Scheduling or organising the servicing of application requests, e.g. requests for application data transmissions using the analysis and optimisation of the required network resources; Routing a service request depending on the request content or context
40.
Isolating internet-of-things (IoT) devices using a secure overlay network
A compute server of a distributed cloud computing network receives, over a tunnel established between customer-premises equipment (CPE) and the compute server, traffic from an Internet-of-Things (IoT) device that is connected to the CPE. The compute server enforces an egress traffic policy to determine whether the traffic is permitted to be transmitted to its destination. If the traffic is not permitted to be transmitted to the destination, the compute server drops the traffic. If the traffic is permitted to be transmitted to the destination, the compute server transmits the traffic to the destination.
Methods, systems, and techniques for application isolation by remote-enabling applications are provided. Example embodiments provide an Adaptive Rendering Application Isolation System (“ARAIS”), which transparently enables applications to run in an isolated execution environment yet be rendered locally in a manner that facilitates preventing theft of sensitive information while allowing users to interact with any third-party application or website via the local environment without overburdening available bandwidth or computational resources by, in some cases, evaluating only select information responsive only to select events, as compared to whitelist/blacklist techniques, monitoring all information provided by the user, or other techniques. The ARAIS typically includes an orchestrator server that comprises one or more of a sensitive-information theft-prevention logic engine, information-theft prevention engines, or a rules engine. These components cooperate to deliver isolation-ready technology with sensitive-information theft prevention to client applications.
G06F 16/957 - Browsing optimisation, e.g. caching or content distillation
G06F 9/451 - Execution arrangements for user interfaces
G06F 16/958 - Organisation or management of web site content, e.g. publishing, maintaining pages or automatic linking
G06F 21/62 - Protecting access to data via a platform, e.g. using keys or access control rules
G06F 21/71 - Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
G06F 40/14 - Tree-structured documents
H04L 67/131 - Protocols for games, networked simulations or virtual reality
An email is received that is from an email sender. From the email, the display name of the email sender, an email address of the email sender, and an email domain of the email sender, is extracted. A score is determined for the email based on at least: the extracted display name of the email sender, the extracted email address of the email sender, and the extracted email domain of the email sender, where the score indicates a probability that the email is from a legitimate sender. Message content of the email is input into multiple classifiers each corresponding to a particular message type. The message type of the email is determined based on output of the classifiers. Based on at least the determined score for the email and the determined message type of the email, a determination is made whether the email is associated with a BEC attack.
A remote browsing session is initiated between a remote browser client executing on a client device and a remote browser host executing on a remote browser server. The remote browser host receives from the client device, encrypted remote browser data of remote browser data that affects the remote browser session. The remote browser client does not have access to a decryption key for the encrypted remote browser data. The encrypted remote browser data is decrypted to reveal the remote browser data. The remote browser host is configured with the remote browser data. The remote browser host manages updates to the remote browser data during the remote browsing session. Periodically, updates to the remote browser data are encrypted and transmitted to the remote browser client for storage.
A map of IP addresses of a distributed cloud computing network to one or more groupings is stored. The IP addresses are anycast IP addresses that compute servers of the distributed cloud computing network share. These IP addresses are to be used as source IP addresses when transmitting traffic to destinations external to the cloud computing network. The map is made available to external destinations. Traffic is received at the distributed cloud computing network that is destined for an external destination. An IP address is selected based on the characteristic(s) applicable to the traffic and the map. The distributed cloud computing network transmits the traffic to the external destination using the selected IP address.
A compute server receives a request that triggers execution of one code piece out of multiple code pieces. A single process at the compute server executes the code piece, which is run in an isolated execution environment. Each other code piece runs in its own isolated execution environment and is executed by the same single process. The code piece, when executed, modifies a response to the request. The response is generated based at least in part on the executed code piece. The generated response is transmitted.
G06F 9/448 - Execution paradigms, e.g. implementations of programming paradigms
G06F 9/455 - Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
G06F 21/53 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems, during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure; by executing in a restricted environment, e.g. sandbox or secure virtual machine
H04L 41/50 - Network service management, e.g. ensuring proper service fulfilment according to agreements
H04L 67/00 - Network arrangements or protocols for supporting network services or applications
H04L 67/02 - Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
H04L 67/10 - Protocols in which an application is distributed across nodes in the network
H04L 67/53 - Network services using third party service providers
H04L 67/63 - Scheduling or organising the servicing of application requests, e.g. requests for application data transmissions using the analysis and optimisation of the required network resources; Routing a service request depending on the request content or context
Purging resources from a cache in a distributed networked system is described. A first data center of the distributed networked system receives a purge request to purge a resource from cache. If the purge request does not include a cache key, the first data center determines whether the purge request is valid, and if valid, purges the resource from cache of the first data center, generates a cache key for the resource, and causes the purge request that includes the generated cache key to be sent to other data centers of the distributed networked system for purging the resource from cache. If the purge request includes a cache key, the first data center skips determining whether the purge request is valid and purges the resource from cache based on the cache key.
G06F 12/08 - Addressing or allocation; Relocation in hierarchically structured memory systems, e.g. virtual memory systems
G06F 12/0891 - Addressing of a memory level in which the access to the desired data or data block requires associative addressing means, e.g. caches; using clearing, invalidating or resetting means
G06F 12/14 - Protection against unauthorised use of memory
47.
Authoritative domain name system (DNS) server responding to DNS requests with IP addresses selected from a larger pool of IP addresses
An authoritative domain name system (DNS) server receives DNS requests for domains. The authoritative DNS server transmits DNS responses to the DNS requests with address records that include IP addresses that are selected from a larger pool of IP addresses, where a first DNS response can include IP addresses different from IP addresses included in a second DNS response for the same domain. Also, the same IP addresses may be returned for a first domain and a different, second domain. The authoritative DNS server may select the IP addresses to include in DNS responses to the DNS requests using a round-robin process.
G06F 21/55 - Detecting local intrusion or implementing counter-measures
G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
A distributed key management system (KMS) includes a central KMS server and multiple intermediate KMS servers. The central KMS server replicates managed keys to the intermediate KMS servers. An intermediate KMS server receives a KMS service request from a KMS client, where any of the intermediate KMS servers are capable of servicing the request. The intermediate KMS server performs the action requested if it has access to the necessary managed key and returns the response to the KMS client. If it does not have access to the necessary managed key, the intermediate KMS server transmits a request for the managed key to the central KMS server. The intermediate KMS server receives the managed key, performs the action requested, and returns the response to the KMS client.
Isolating suspicious email links is described. An email security service receives an email that includes a link that refers to an external resource. A first suspicious link determination is performed to determine whether the link is suspicious. If the link is suspicious, the link is rewritten to refer to the email security service and the email is delivered to the recipient. A request from a client device is received responsive to the rewritten link being opened. A second suspicious link determination is performed to determine whether the link is suspicious. If the link is suspicious, an interstitial page is transmitted to the client device that includes an option that, when selected, causes the original link to be opened in a remote browser isolation session.
Traffic is received at a distributed cloud computing network. The traffic originates from a computing device using a mobile data connection. The traffic is associated with an identifier that identifies a SIM of the computing device. Using the SIM identifier, an identity for identity-based policy enforcement at the distributed cloud computing network is determined. The identity is uniquely associated with the SIM identifier. An identity-based policy that is applicable for the received traffic for the determined identity is determined. The identity-based policy is enforced.
H04W 8/26 - Network addressing or numbering for mobility support
H04W 8/18 - Processing of user or subscriber data, e.g. subscribed services, user preferences or user profiles; Transfer of user or subscriber data
A cloud-based security service that includes external evaluation for accessing a third-party application. The security service receives a request to access a third-party application from a client device. The security service enforces a set of one or more access policies configured for the third-party application including an external evaluation rule. As part of enforcing the external evaluation rule, the security service transmits an external evaluation request to an external endpoint defined in the external evaluation rule. The external evaluation request includes an identity of a user associated with the request. The security service receives the result of the external evaluation. If the external evaluation passed, the security service grants access to the third-party application based at least in part on its passing.
A condition exists that triggers an HTTP server to modify one or more HTTP connections for one or more HTTP clients that are connected to the HTTP server. The HTTP server dynamically modifies the one or more HTTP connections including dynamically modifying one or more HTTP connection resource parameters for the one or more HTTP connections. For each of the one or more HTTP clients, the HTTP server monitors that HTTP client to determine whether it is complying with the modified one or more HTTP connection resource parameters. If one of the one or more HTTP clients is not complying with the modified one or more HTTP connection resource parameters, the HTTP server closes an HTTP connection to that HTTP client.
H04L 67/142 - Managing session states for stateless protocols; Signalling session states; Signalling of session states; State maintenance mechanisms
H04L 67/02 - Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
H04L 67/143 - Termination or inactivation of sessions, e.g. event-controlled end of session
53.
SECURE PRIVATE TRAFFIC EXCHANGE IN A UNIFIED NETWORK SERVICE
Traffic is received at an interface of a compute server. Identity information associated with the traffic is determined, including an identifier of a first customer to which the traffic is attributable. An egress policy configured for the first customer is used to determine whether the traffic is allowed to be transmitted to a destination that is a resource of a second customer. If the traffic is allowed to be transmitted, the traffic and the identity information are transmitted over a cross-customer GRE tunnel to a namespace of the second customer on the compute server. An ingress policy configured for the second customer is used to determine whether the traffic is allowed to be transmitted to the destination, and if it is, the traffic is transmitted.
A first compute server of a distributed cloud computing network receives a first request from a first client device for an object that is to be handled by an object worker, which includes a single instantiation of a piece of code that solely controls read and write access to the object. A determination is made that the object worker is instantiated for the object and is currently running in the first compute server, and the piece of code processes the first request. The first compute server receives, from a second compute server, a message to be processed by the object worker. The message includes a second request for the object from a second client device connected to the second compute server. The piece of code processes the message and transmits a reply to the second compute server.
H04L 67/1095 - Replication or mirroring of data, e.g. scheduling or transport for data synchronisation between network nodes
H04L 67/00 - Network arrangements or protocols for supporting network services or applications
09 - Scientific and electrical apparatus and instruments
42 - Scientific, technological and industrial services, research and design
Goods and services
Computer software and firmware for monitoring and controlling online traffic to computer servers; computer software for wireless content delivery; computer anti-virus software. Computer security services in the nature of providing authentication, issuance, validation and revocation of digital certificates; computer security services, namely, restricting unauthorized access to computer networks; computer services, namely, monitoring, testing, analyzing, and reporting on the internet traffic control and content control of the web sites of others; computer virus protection services; data conversion of computer program data or information, other than physical conversion; data conversion of electronic information; parking domain names for others, namely, providing computer servers for electronic storage of domain name addresses.
56.
Traffic load balancing between a plurality of points of presence of a cloud computing infrastructure
Methods and systems for traffic load balancing between a plurality of Points of Presence (PoPs) of a cloud computing infrastructure are described. A first PoP of multiple PoPs of a cloud computing infrastructure that provides a cloud computing service receives a packet. The packet includes as a destination address an anycast address advertised by the first PoP for reaching the cloud computing service. The first PoP identifies a network address of a second PoP that is different from the first PoP. The first PoP forwards the packet as an encapsulated packet to the second PoP to be processed in the second PoP according to the cloud computing service.
H04L 67/1008 - Server selection for load balancing based on parameters of servers, e.g. available memory or workload
H04L 45/00 - Routing or path finding of packets in data switching networks
H04L 47/122 - Avoiding congestion; Recovering from congestion by diverting traffic away from congested entities
H04L 67/1001 - Protocols in which an application is distributed across nodes in the network for accessing one among a plurality of replicated servers
A computer-implemented method, executed by one or more email detection computers, receives from a computer network, a first email message from a first sender account to a first recipient account and having a plurality of attributes. The method determines that the first email message is a phishing email, extracts a subset of attributes, normalizes transformable attributes, and generates a hash representation from fixed attributes and the normalized transformable attributes, stores the hash representation in a database, receives a second email message, and determines that the second email message is a phishing email based on the stored hash representation.
H04L 51/212 - Monitoring or handling of messages using filtering or selective blocking
H04L 9/32 - Arrangements for secret or secure communications; Network security protocols; including means for verifying the identity or authority of a user of the system
H04L 9/06 - Arrangements for secret or secure communications; Network security protocols; the encryption apparatus using shift registers or memories for block-wise coding, e.g. DES systems
58.
Distributed key management system with a key lookup service
A first intermediate key management system (KMS) server of a distributed KMS receives a key lookup service (KLS) query from a KMS client for determining an identity of KMS server(s) that are capable of performing a first operation with a first managed key. The first intermediate KMS server is one of the intermediate KMS servers of the distributed KMS. The first KMS server determines the identity of one or more of the KMS servers that are capable of performing the first operation with the first managed key. The first KMS server transmits a KLS response to the KMS client that includes the identity of the KMS server(s) that are capable of performing the first operation with the first managed key.
Inter-process serving of machine learning features from mapped memory for machine learning models is described. ML features are populated in a data structure that is serialized. State data is stored that indicates that reader process(es) are to read from a first memory mapped data file and not a second memory mapped data file. The serialized bytes are stored in the second memory mapped data file and the state data is updated to indicate that the reader process(es) are to read from the second memory mapped data file. A request is received and parsed to prepare keys from attributes of the request. Based on the state data, the serialized bytes are read from the second memory mapped data file that correspond to the keys. The serialized bytes are deserialized and copied to a data structure available to an inference algorithm.
A management server retrieves access logs associated with a plurality of identities and generates a plurality of behavioral scores for the plurality of identities. The behavioral score for a particular identity increases responsive to access approvals and decreases responsive to access denials for that particular identity. A proxy server receives a first request to access a resource associated with a first identity of the plurality of identities and determines a zero trust access policy for the resource. When a first behavioral score for the first identity satisfies a behavioral score threshold for the zero trust access policy, the proxy server provides the resource. The proxy server receives a second request to access the resource associated with a second identity. When a second behavioral score for the second identity fails to satisfy the behavioral score threshold, the proxy server performs an action defined in the zero trust access policy.
09 - Scientific and electrical apparatus and instruments
42 - Scientific, technological and industrial services, research and design
Goods and services
(1) Computer software and firmware for monitoring and controlling online traffic to computer servers; computer software for wireless content delivery; computer anti-virus software. (1) Computer security services in the nature of providing authentication, issuance, validation and revocation of digital certificates; computer security services, namely, restricting unauthorized access to computer networks; computer services, namely, monitoring, testing, analyzing, and reporting on the internet traffic control and content control of the web sites of others; computer virus protection services; data conversion of computer program data or information, other than physical conversion; data conversion of electronic information; parking domain names for others, namely, providing computer servers for electronic storage of domain name addresses.
Providing virtual private network (VPN) services, namely, private and secure electronic communications over a private or public computer network; Providing secure and private access for users to the internet; Providing electronic telecommunication connections to enable users of computers and mobile computing devices to securely connect to a remote server in order to allow for secure and private transmission and receipt of data and communications over the internet; Electronic data transmission; Electronic transmission of data through a secure and private connection over the internet featuring encryption; Providing user access to global computer networks; Computer network services, namely, providing network communication services in the nature of transmission of voice, audio, visual images and data by data networks and providing access to global computer networks
Providing virtual private network (VPN) services, namely, private and secure electronic communications over a private or public computer network; Providing secure and private access for users to the internet; Providing electronic telecommunication connections to enable users of computers and mobile computing devices to securely connect to a remote server in order to allow for secure and private transmission and receipt of data and communications over the internet; Electronic data transmission; Electronic transmission of data through a secure and private connection over the internet featuring encryption; Providing user access to global computer networks; Computer network services, namely, providing network communication services in the nature of transmission of voice, audio, visual images and data by data networks and providing access to global computer networks; Peer-to-peer network computer services, namely, electronic transmission of audio, video, data, and documents among computers
64.
Cloud-based security service that includes external evaluation for accessing a third-party application
A cloud-based security service that includes external evaluation for accessing a third-party application. The security service receives a request to access a third-party application from a client device. The security service enforces a set of one or more access policies configured for the third-party application including an external evaluation rule. As part of enforcing the external evaluation rule, the security service transmits an external evaluation request to an external endpoint defined in the external evaluation rule. The external evaluation request includes an identity of a user associated with the request. The security service receives the result of the external evaluation. If the external evaluation passed, the security service grants access to the third-party application based at least in part on its passing.
A server receives from a client device that is executing a web browser application a request to initiate a remote application in the server. The server instantiates an instance of the remote application. The server intercepts draw commands associated with the remote application instance. The server provides the draw commands to the client to cause the web browser application to render portion(s) of output based on the draw commands. The server receives an input event from the web browser application. The server provides the client one or more draw commands based on the input event to cause the web browser application to render portion(s) of output based on those draw commands.
G06F 16/957 - Browsing optimisation, e.g. caching or content distillation
G06F 16/958 - Organisation or management of web site content, e.g. publishing, maintaining pages or automatic linking
G06F 21/62 - Protecting access to data via a platform, e.g. using keys or access control rules
G06F 21/71 - Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
G06F 9/451 - Execution arrangements for user interfaces
G06F 40/14 - Tree-structured documents
H04L 67/131 - Protocols for games, networked simulations or virtual reality
66.
Remoting application across a network using draw commands with an isolator application
A client device instantiates an isolator application. A request to instantiate a remote application in a server device is sent by the isolator application instance. The isolator application instance receives, from the remote application instance, draw commands and position information that correspond to the draw commands. The isolator application instance renders one or more portions of output based on the draw commands and the position information.
G06F 21/62 - Protecting access to data via a platform, e.g. using keys or access control rules
G06F 11/36 - Preventing errors by analysis, debugging or testing of software
G06F 21/53 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems, during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure; by executing in a restricted environment, e.g. sandbox or secure virtual machine
G06F 21/71 - Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
A server receives from a client device that is executing a client application a request to initiate a remote application in the server. The server instantiates an instance of the remote application. The server intercepts draw commands associated with the remote application instance. The server provides the draw commands to the client to cause the client application to render portion(s) of output based on the draw commands. The server receives an input event from the client application. The server provides the client one or more draw commands based on the input event to cause the client application to render portion(s) of output based on those draw commands.
G06F 16/957 - Browsing optimisation, e.g. caching or content distillation
G06F 16/958 - Organisation or management of web site content, e.g. publishing, maintaining pages or automatic linking
G06F 21/62 - Protecting access to data via a platform, e.g. using keys or access control rules
G06F 21/71 - Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
G06F 9/451 - Execution arrangements for user interfaces
G06F 40/14 - Tree-structured documents
H04L 67/131 - Protocols for games, networked simulations or virtual reality
A machine learning (ML) based web application firewall (WAF) is described. Transformation(s) are applied to raw data including normalizing and generating a signature over the normalized data. The signature and the normalized data are vectorized to create a first and second vector of integers that are input into an ML model that includes a first stage that operates on the first vector of integers to identify candidate signature tokens that are commonly associated with different classes of attack, and a second stage that operates on the candidate signature tokens and the second vector of integers and conditions attention on the second vector of integers on the candidate signature tokens. The ML model outputs a score that indicates a probability of the raw data being of a type that is malicious. A traffic processing rule is enforced that instructs a WAF to block traffic when the score is above a threshold.
G06F 30/27 - Design optimisation, verification or simulation using machine learning, e.g. artificial intelligence, neural networks, support vector machines [SVM] or training a model
H04L 41/16 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks, using machine learning or artificial intelligence
69.
Method and system for determining a path maximum transmission unit (MTU) between endpoints of a generic routing encapsulation (GRE) tunnel
A method of path MTU determination in a Generic Routing Encapsulation (GRE) tunnel is presented. A source network device (ND) transmits, to a destination ND that is a second endpoint of the GRE tunnel, a first outer packet including a first inner packet, where the first inner packet includes a first inner header that is used to deliver the first inner packet to the source network device, a first inner GRE header, and a first payload. The source ND receives the first inner packet. The source ND transmits a second outer packet including a second inner packet that includes a second payload that has a size greater than a size of the first payload. The source ND determines that the second inner packet is not received and determines a path MTU between the source ND and the destination ND based on a size of the first and the second outer packets.
A proxy server receives, from multiple visitors of multiple client devices, a plurality of requests for actions to be performed on identified network resources belonging to a plurality of origin servers. At least some of the origin servers belong to different domains and are owned by different entities. The proxy server and the origin servers are also owned by different entities. The proxy server analyzes each request it receives to determine whether that request poses a threat and whether the visitor belonging to the request poses a threat. The proxy server blocks those requests from visitors that pose a threat or in which the request itself poses a threat. The proxy server transmits the requests that are not a threat and are from a visitor that is not a threat to the appropriate origin server.
G06F 21/00 - Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
G06F 15/16 - Combinations of two or more digital computers each having at least an arithmetic unit, a program unit and a register, e.g. for simultaneous processing of several programs
H04L 47/74 - Measures in reaction to resource unavailability
H04L 51/42 - Mailbox-related aspects, e.g. synchronisation of mailboxes
H04L 61/4511 - Network directories; Name-to-address mapping using standardised directories or standardised directory access protocols, using the domain name system [DNS]
H04L 61/5007 - Internet protocol [IP] addresses
H04L 67/02 - Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
H04L 67/146 - Markers for unambiguous identification of a particular session, e.g. session cookie or URL-encoding
H04L 67/56 - Provisioning of proxy services
H04L 67/561 - Adding application-related functional data or application control data, e.g. metadata
H04L 67/568 - Storing data temporarily at an intermediate stage, e.g. caching
H04L 69/40 - Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass, for recovering from a failure of a protocol instance or entity, e.g. service redundancy protocols, protocol state redundancy or protocol service redirection
H04L 61/59 - Using proxies for addressing
71.
Establishing a cryptographic tunnel between a first tunnel endpoint and a second tunnel endpoint where a private key used during the tunnel establishment is remotely located from the second tunnel endpoint
A responder device receives, from an initiator device, a request to initiate a cryptographic tunnel between the initiator device and the responder device. The responder device does not include a static private key to be used in an asymmetric cryptography algorithm when establishing the tunnel. The responder device transmits a request to a key server that has access to the static private key and receives a response that is based on at least a result of at least one cryptographic operation using the static private key. The responder device receives from the key server, or generates, a transport key(s) for the responder device to use for sending and receiving data on the cryptographic tunnel. The responder device transmits a response to the initiator device that includes information for the initiator device to generate a transport key(s) that it is to use for sending and receiving data on the cryptographic tunnel.
H04L 9/32 - Arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a system user
42 - Scientific, technological and industrial services, research and design
Goods and services
Providing online non-downloadable computer software platforms for database optimization and acceleration, namely, enabling third party cloud computing applications to cache database data queries; Providing temporary use of online non-downloadable software development tools for database optimization and acceleration, namely, providing database connection pooling for third-party cloud computing applications; Software as a service (SAAS) services featuring software for use in database optimization and acceleration, namely, caching database data queries in a cloud computing environment and for managing database connection pools
73.
Unified network service that connects multiple disparate private networks and end user client devices operating on separate networks
A unified network service that connects multiple disparate private networks and end user client devices operating on separate networks is described. The multiple disparate private networks and end user client devices connect to a distributed cloud computing network that provides routing services, security services, and performance services, and that can be controlled consistently regardless of the connection type. The unified network service provides uniform access control at the L3 layer (e.g., at the IP layer) or at a higher layer using user identity information (e.g., a zero-trust model). The disparate private networks are run on top of the distributed cloud computing network. The virtual routing layer of the distributed cloud computing network allows customers of the service to have private resources visible only to client devices (e.g., user devices of the customer and/or server devices of the customer) of the organization while using address space that potentially overlaps with other customers of the distributed cloud computing network.
42 - Scientific, technological and industrial services, research and design
Goods and services
Platform as a service (PAAS) featuring computer software platforms for use in enabling third-party users to store, deploy and manage executable software applications; Providing temporary use of on-line non-downloadable software development tools for third-party development of custom software applications; Software as a service (SAAS) services featuring software for use in enabling third-party users to store, deploy and manage executable software applications
75.
Isolating internet-of-things (IoT) devices using a secure overlay network
A server of a distributed cloud computing network receives, over a tunnel established between customer-premises equipment (CPE) and the server, traffic from an Internet-of-Things (IoT) device that is connected to the CPE. The server enforces an egress traffic policy to determine whether the traffic is permitted to be transmitted to the destination. If the traffic is not permitted to be transmitted to the destination, the server drops the traffic. If the traffic is permitted to be transmitted to the destination, the server transmits the traffic to the destination.
A request is received from a client device at a first datacenter of a distributed cloud computing network. The first request triggers execution of code at the distributed cloud computing network. The execution of the code includes transmitting additional requests to destination(s) external to the distributed cloud computing network. A second datacenter of the distributed cloud computing network is selected to execute the code, where the selection is based on an optimization goal. The code is executed at the second datacenter. The first datacenter receives a result from the code being executed at the second datacenter. The first datacenter transmits a response to the client device that is based at least in part on the result.
An email verification system is described. The email verification system stores names and associated email addresses. An email is received that has a sender name and a sender email address. If the email verification system determines that the sender name matches a stored name but the sender email address does not match with an email address associated with the stored name, the email is prevented from being transmitted to its recipient unless the email is verified as being legitimate. The email verification system transmits a request to verify the email via a configured verification method. If a response is received that verifies the email as legitimate, the email is delivered; otherwise the email is blocked.
A server establishes a secure session with a client device where a private key used in the handshake is stored in a different server. An encrypted connection is established between the first server and the second server. A message is received from the client device that initiates a procedure to establish the secure session between the client device and the first server. As part of this procedure, the first server transmits over the encrypted connection a request to the second server to use the private key. The first server receives, over the encrypted connection, a response to the request that includes a result of the use of the private key. The first server uses the result during the procedure to establish the secure session.
H04L 9/32 - Arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a system user
80.
Non-HTTP layer 7 protocol applications running in the browser
A server receives from a browser executing on a client device an HTTP request. The server transmits a response to the HTTP request to the browser. The response includes code that when executed by the browser, executes a non-HTTP layer 7 protocol client that communicates with a non-HTTP layer 7 protocol service at an external network. The server receives, from the non-HTTP layer 7 protocol client executing in the browser, data related to the non-HTTP layer 7 protocol service. The server proxies the data related to the non-HTTP layer 7 protocol service over a layer 4 tunnel that is interfaced with the non-HTTP layer 7 protocol service. The server logs event data received from the non-HTTP layer 7 protocol client executing in the browser.
Managing the loading of third-party tools on a website is described. Configuration is received for loading the third-party tools. An intermediary server receives a request for a page that is hosted at an origin server. The intermediary server retrieves the page and modifies it, including automatically adding a third-party tool manager to the retrieved page. The third-party tool manager includes a set of one or more client-side scripts that, when executed by the client network application, collect and transmit information to the intermediary server for loading the third-party tools. The intermediary server loads the third-party tools based on the received information and the configuration. The intermediary server causes event data to be transmitted to third-party tool servers that correspond with the third-party tools.
Methods and apparatuses for enabling compatibility between multiple versions of an application programming interface (API) are described. When a first API request is received at a compute server, the compute server determines whether the first API request is of a first version of an API that is different from a second version of the API used in an origin server to which the first API request is destined. In response to determining that the first API request is of the first version of the API that is different from the second version of the API used in the origin server to which the first API request is destined, an API compatibility enabler is executed to convert the first API request into a second API request in the second version of the API. The second API request is fulfilled instead of the first API request.
Traffic optimization in virtual private networks (VPNs) is described. A client device establishes a first VPN connection with a first server according to a first VPN route configuration that specifies a first VPN route to the first server. Flow(s) of traffic are forwarded through the first VPN connection to the first server. The client device receives a second VPN route configuration that specifies a second VPN route to a second server of the plurality of servers for establishing a second VPN connection, where the second VPN connection satisfies a set of traffic optimization criteria. The client device establishes the second VPN connection with the second server according to the second VPN route configuration. Traffic is forwarded through the second VPN connection to the second server.
A distributed key management system (KMS) includes a central KMS server and multiple intermediate KMS servers. The central KMS server replicates managed keys to the intermediate KMS servers. An intermediate KMS server receives a KMS service request from a KMS client, where any of the intermediate KMS servers are capable of servicing the request. The intermediate KMS server performs the action requested if it has access to the necessary managed key and returns the response to the KMS client. If it does not have access to the necessary managed key, the intermediate KMS server transmits a request for the managed key to the central KMS server. The intermediate KMS server receives the managed key, performs the action requested, and returns the response to the KMS client.
In an embodiment, a computer-implemented method includes receiving, from a pre-processor, an output file; where the output file is created by the pre-processor in response to input of an electronic file to the pre-processor; where the electronic file is an attachment to a message that is in-transit to a recipient computer on a network; where the output file contains features that are created by the pre-processor analyzing one or more sub-features of the electronic file; receiving, from a machine learning-based classifier, malware classification data that indicates whether the electronic file does or does not contain malware; where the malware classification data is output by the machine learning-based classifier in response to the machine learning-based classifier determining that the features are or are not indicators of obfuscation; where data used to create the machine learning-based classifier includes output files previously created by the pre-processor; in response to the malware classification data matching a criterion, causing the network to modify, delay, or block transmission of the electronic file to the recipient computer.
A request from a client device is received at a first one of a plurality of compute nodes at a first one of a plurality of data centers of a distributed cloud computing network. A destination of the request is determined. An optimized route for transmitting the request toward an origin server that corresponds with the destination of the request is determined, where the optimized route is based at least in part on probe data between data centers of the distributed cloud computing network for a plurality of transit connections, and where the optimized route has an IP address that encodes an identification of which of the plurality of transit connections is to be used to deliver the request. The request is transmitted to a next hop as defined by the optimized route over the identified one of the plurality of transit connections.
A compute server receives a first request from a client device that triggers execution of a first third-party code piece. The first request is directed to a first zone. A single process at the compute server executes the first third-party code piece. As a result of executing the first third-party code piece, a second request is generated that triggers execution of a second third-party code piece. The second request is directed to a second zone. The single process executes the second third-party code piece. A response is generated to the first request based at least in part on the executed first third-party code piece and the executed second third-party code piece. The generated response is transmitted to the client device.
G06F 9/448 - Execution paradigms, e.g. implementations of programming paradigms
H04L 67/00 - Network arrangements or protocols for supporting network services or applications
H04L 67/02 - Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
H04L 67/10 - Protocols in which an application is distributed across nodes in the network
G06F 9/455 - Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
H04L 67/53 - Network services using third-party service providers
H04L 67/63 - Scheduling or organising the servicing of application requests, e.g. requests for application data transmissions using the analysis and optimisation of the required network resources, by routing a service request depending on the request content or context
G06F 21/53 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems, during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure, by executing in a restricted environment, e.g. a sandbox or a secure virtual machine
H04L 41/50 - Network service management, e.g. ensuring proper service fulfilment according to agreements
88.
Implementing a tiered cache topology with anycast networks
A control server receives probe data from a plurality of data centers indicating measured latencies with a first IP address associated with an origin server. The control server sums the measured latencies of a first data center having a lowest measured latency and a second data center. When the sum is below a threshold value, the control server determines the IP address to be an anycast IP address and selects a proper subset of the plurality of data centers as proxying data centers for other data centers in the plurality of data centers. When the sum is not below the threshold value, the control server determines the IP address to not be an anycast IP address and selects the first data center having the lowest measured latency as the proxying data center for other data centers in the plurality of data centers.
A GRE tunnel is configured between multiple computing devices of a distributed cloud computing network and a single origin router of the origin network. The GRE tunnel has a first GRE endpoint that has an IP address that is shared among the computing devices of the distributed cloud computing network and a second GRE endpoint that has a publicly routable IP address of the origin router. A first computing device receives an IP packet from a client that is destined to an origin server. The first computing device processes the received IP packet and encapsulates the IP packet inside an outer packet to generate a GRE encapsulated packet whose source address is the first GRE endpoint and whose destination address is the second GRE endpoint. The GRE encapsulated packet is transmitted over the GRE tunnel to the single origin router.
A server transmits to a third-party application a request for a resource that is received from a client. The server receives an authentication request from the client device that has been generated by the third-party application. The server transmits an identity provider selection page to the client device that allows the client device to select an identity provider. The server causes the client device to transmit a second authentication request to a selected identity provider. The server receives an authentication response that was generated by the identity provider that includes the identity of the user. The server enforces access rule(s) including identity-based rule(s) and/or non-identity based rule(s). If the user is permitted to access the third-party application, the server causes an authentication response to be transmitted from the client device to the third-party application that indicates the user has successfully authenticated.
An intermediary server receives a request from a client that identifies an asset that is handled by an origin server. The intermediary server generates an informational response that includes one or more link header fields that reference one or more pieces of content respectively that are predicted by the intermediary server to be linked within a final response for the asset. The intermediary server transmits the generated informational response to the client prior to a final response for the request. The intermediary server transmits the request to the origin server and receives a final response to the request. The intermediary server transmits the final response to the request to the client.
A server receives internet traffic from a client device. The server is one of multiple servers of a distributed cloud computing network which are each associated with a set of server identity(ies) including a server/data center certification identity. The server processes, at layer 3, the internet traffic including participating in a layer 3 DDoS protection service. If the traffic is not dropped by the layer 3 DDoS protection service, further processing is performed. The server determines whether it is permitted to process the traffic at layers 5-7, including whether it is associated with a server/data center certification identity that meets selected criteria for the destination of the internet traffic. If the server does not meet the criteria, it transmits the traffic to another one of the multiple servers for processing the traffic at layers 5-7.
H04L 67/288 - Distributed intermediate devices, i.e. intermediate devices for interaction with other intermediate devices on the same level
H04L 69/325 - Intralayer communication protocols among peer entities or protocol data unit [PDU] definitions in the network layer [OSI layer 3], e.g. X.25
H04L 67/63 - Scheduling or organising the servicing of application requests, e.g. requests for application data transmissions using the analysis and optimisation of the required network resources, by routing a service request depending on the request content or context
A mobile accelerator system includes points of presence (POPs), including an entry POP. The entry POP receives a query to a content server from a mobile device via a dedicated transport channel. The entry POP determines a direct connection score for a direct connection between the mobile device and the content server that does not traverse the mobile accelerator system. The entry POP determines a POP connection score for a connection between the mobile device and the content server through the entry POP and a candidate exit POP. The entry POP determines a dynamic path ranking based on the direct connection score, the POP connection score, and other POP connection score(s) associated with other candidate exit POP(s). The entry POP determines at least a portion of a dynamic path between the mobile device and the content server based on the dynamic path ranking and routes data transfers through that dynamic path.
An Internet of Things (IoT) protection service at the network level is described. A secure session is established between an edge server and an IoT client that is requesting to send data to an IoT device. The edge server receives the request from the IoT client over the secure session instead of the IoT device directly because a Domain Name System (DNS) request for a unique fully qualified domain name assigned to the IoT device returns an IP address of the edge server instead of an IP address of the IoT device. The edge server analyzes the request to determine whether to transmit the request to the IoT device, including applying web application firewall rule(s) against the request. If the request does not trigger any rule, then the edge server transmits the request to the IoT device. If the request triggers any rule, then the edge server blocks the request.
H04L 61/4511 - Network directories; Name-to-address mapping using standardised directories or standardised directory access protocols, using the domain name system [DNS]
H04L 61/5007 - Internet protocol [IP] addresses
H04L 67/12 - Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
H04L 67/141 - Setup of application sessions
H04L 67/60 - Scheduling or organising the servicing of application requests, e.g. requests for application data transmissions using the analysis and optimisation of the required network resources
For each network resource request received at a server of a cloud-based service, a determination of whether that request originated from a second network resource is made. For each such request that originated from the second network resource, a referrer indication is logged that indicates the second network resource is a referrer to that network resource. A network resource relevance dataset is generated based on the referrer indications of the second network resources. A relevance metric is associated with each second network resource based on a total number of referrer indications. A search request is received from a client device. Based at least in part on the network resource relevance dataset, search results are determined. The search results are transmitted to the client device.
G06F 3/023 - Arrangements for converting discrete items of information into a coded form, e.g. arrangements for interpreting keyboard-generated codes as alphanumeric codes, operand codes or instruction codes
96.
Internet protocol security (IPSec) tunnel using anycast at a distributed cloud computing network
An IPSec tunnel request for establishing an IPSec tunnel from a customer router to an anycast IP address of a distributed cloud computing network is received. The same anycast IP address is shared among compute servers of the distributed cloud computing network. A handshake is performed with the customer router from a first compute server including generating security associations for encrypting and decrypting IPSec traffic. The security associations are propagated to each compute server and are used for encrypting and decrypting traffic.
An edge server receives a first request message for transmission to the host device. The edge server determines a first congestion control algorithm based on the first request message, including characteristics of the first request message. The edge server applies the first congestion control algorithm to the transport connection for application to the transmission of the first request message. Subsequently, the edge server receives a second request message for transmission to the host device over the transport connection. Based on the second request message, including characteristics of the second request message, the edge server determines and applies a second congestion control algorithm to the transport connection for application to the transmission of the second request message, wherein the second congestion control algorithm is different from the first congestion control algorithm.
H04L 47/27 - Evaluation or update of window size, e.g. using information derived from acknowledgement [ACK] packets
H04L 47/10 - Flow control; Congestion control
H04L 47/193 - Flow control; Congestion control at layers above the network layer, at the transport layer, e.g. TCP-related
H04L 47/283 - Flow control; Congestion control in relation to timing considerations, in response to processing delays, e.g. caused by jitter or round-trip time [RTT]
99.
Secure private traffic exchange in a unified network service
Traffic is received at an interface of a compute server. Identity information associated with the traffic is determined, including an identifier of a first customer to which the traffic is attributable. An egress policy configured for the first customer is used to determine whether the traffic is allowed to be transmitted to a destination, where that destination is a resource of a second customer. If the traffic is allowed to be transmitted, the traffic and identity information are transmitted over a cross-customer GRE tunnel to a namespace of the second customer on the compute server. An ingress policy configured for the second customer is used to determine whether the traffic is allowed to be transmitted to the destination, and if it is, then the traffic is transmitted.
A first transport protocol connection is established between a first proxy network element and a second proxy network element. The first proxy network element receives, from a first Border Gateway Protocol (BGP) client, first BGP data destined for a second BGP client that is connected to the second proxy network element. The first BGP data is transmitted to the second proxy network element through the first transport protocol connection for delivery to the second BGP client. The first proxy network element receives second BGP data destined for the second BGP client. Responsive to determining that the first transport protocol connection is down, the first proxy network element stores the second BGP data and establishes a second transport protocol connection to the second proxy network element. The second BGP data is transmitted to the second proxy network element through the second transport protocol connection.
H04L 69/08 - Protocols for interworking; Protocol conversion
H04L 69/329 - Intra-layer communication protocols among peer entities or protocol data unit [PDU] definitions in the application layer [OSI layer 7]
H04L 69/163 - In-band adaptation of TCP data exchange; In-band control procedures
H04W 88/06 - Terminal devices adapted for operation in multiple networks, e.g. multi-mode terminals
H04L 67/56 - Provisioning of proxy services