-
Publication number: US12238098B1
Publication date: 2025-02-25
Application number: US18809098
Filing date: 2024-08-19
Applicant: CLOUDFLARE, INC.
Inventor: Kenny Johnson, Gabriel Andrew Bauman, Kyle Hiller, Alexander Jay Holland, Russell Louis Kerns, Jesse Li, James Howard Royal, Akemi Leigh Davisson
Abstract: A system for cross-domain identity management (SCIM) proxy service is described. A first SCIM endpoint receives, from a first SCIM client, a first message that includes a SCIM resource. The first SCIM endpoint is associated with a customer of the SCIM proxy service. The SCIM proxy service is configured as a first SCIM service provider for the first SCIM client. The first message is validated. The first SCIM proxy service determines that a third-party application is in scope for the SCIM resource, where the SCIM proxy service is configured as a second SCIM client for the third-party application. The SCIM proxy service transforms the SCIM resource to create a transformed SCIM resource that is applicable for the third-party application. The SCIM proxy service transmits a second message to a second SCIM endpoint of the third-party application, the second message including the transformed SCIM resource.
-
Publication number: US12224987B2
Publication date: 2025-02-11
Application number: US18478191
Filing date: 2023-09-29
Applicant: CLOUDFLARE, INC.
Inventor: Vikram Grover, Petre Gabriel Gabor, Nicholas Mikhail Robert
Abstract: A machine learning (ML) based web application firewall (WAF) is described. Transformation(s) are applied to raw data including normalizing and generating a signature over the normalized data. The signature and the normalized data are vectorized to create a first and second vector of integers respectively. The first and second vector of integers are input into an ML model, which outputs a score that indicates a probability of the raw data being of a type that is malicious. A traffic processing rule is enforced that instructs a WAF to block traffic when the score is above a threshold that indicates the raw data is of the type that is malicious.
-
Publication number: US20240396713A1
Publication date: 2024-11-28
Application number: US18433124
Filing date: 2024-02-05
Applicant: CLOUDFLARE, INC.
Inventor: Derek Chamorro, Michael Pak
IPC: H04L9/08
Abstract: A first intermediate key management system (KMS) server of a distributed KMS receives a key lookup service (KLS) query from a KMS client for determining an identity of KMS server(s) that are capable of performing a first operation with a first managed key. The first intermediate KMS server is one of the intermediate KMS servers of the distributed KMS. The first KMS server determines the identity of one or more of the KMS servers that are capable of performing the first operation with the first managed key. The first KMS server transmits a KLS response to the KMS client that includes the identity of the KMS server(s) that are capable of performing the first operation with the first managed key.
-
Publication number: US20240264877A1
Publication date: 2024-08-08
Application number: US18362721
Filing date: 2023-07-31
Applicant: CLOUDFLARE, INC.
Inventor: Michael Hart, Alyson Cabral, Kenton Taylor Varda
IPC: G06F9/50
CPC classification number: G06F9/5072, G06F9/505
Abstract: A request is received from a client device at a first datacenter of a distributed cloud computing network. The distributed cloud computing network includes multiple datacenters. The received request triggers execution of code at the distributed cloud computing network. The code includes a first function and a second function. A determination is made to execute the first function at the first datacenter and to execute the second function at a second datacenter of the distributed cloud computing network. The first function is executed at the first datacenter to get a first result. The first datacenter causes the second function to be executed at the second datacenter. The first datacenter receives, from the second datacenter, a second result from the execution of the second function. The first datacenter transmits a response to the client device that is based at least in part on the first result and the second result.
-
Publication number: US20240259347A1
Publication date: 2024-08-01
Application number: US18478191
Filing date: 2023-09-29
Applicant: CLOUDFLARE, INC.
Inventor: Vikram Grover, Petre Gabriel Gabor, Nicholas Mikhail Robert
CPC classification number: H04L63/0263, G06F30/27, H04L41/16, H04L63/1416
Abstract: A machine learning (ML) based web application firewall (WAF) is described. Transformation(s) are applied to raw data including normalizing and generating a signature over the normalized data. The signature and the normalized data are vectorized to create a first and second vector of integers respectively. The first and second vector of integers are input into an ML model that uses a multiple stage process including a first stage that operates on the first vector of integers to identify candidate signature tokens that are commonly associated with different classes of attack, and a second stage that operates on the candidate signature tokens and the second vector of integers and conditions attention on the second vector of integers on the candidate signature tokens. The ML model outputs a score that indicates a probability of the raw data being of a type that is malicious. A traffic processing rule is enforced that instructs a WAF to block traffic when the score is above a threshold that indicates the raw data is of the type that is malicious.
-
Publication number: US12034726B1
Publication date: 2024-07-09
Application number: US18326811
Filing date: 2023-05-31
Applicant: CLOUDFLARE, INC.
Inventor: Adrian Mateo Maceiras, Andrew Kenneth Godfrey Martin
Abstract: A proxy server receives a first request from a first user to access a resource hosted by a cloud-based server. The proxy server inserts a first tenant control header into the first request specifying a tenant identifier. The tenant identifier indicates a tenant permitted to access the resource. The proxy server then transmits the first request with the inserted first tenant control header to the cloud-based server. In response to receiving a first response indicating a rejection of the first request with the inserted first tenant control header, the proxy server transmits the first request again to the cloud-based server but without the first tenant control header. The proxy server then logs the first request as an access request using a non-permitted tenant identifier.
-
Publication number: US12028434B2
Publication date: 2024-07-02
Application number: US17734944
Filing date: 2022-05-02
Applicant: CLOUDFLARE, INC.
Inventor: Alex Krivit, Rustam Xing Lalkaka, Samantha Aki Shugaeva, Edward H. Wang, Yuchen Wu
IPC: H04L67/5681
CPC classification number: H04L67/5681
Abstract: An intermediary server receives a request from a client that identifies an asset that is handled by an origin server. The intermediary server generates an informational response that includes one or more link header fields that reference one or more pieces of content respectively that are predicted by the intermediary server to be linked within a final response for the asset. The intermediary server transmits the generated informational response to the client prior to a final response for the request. The intermediary server transmits the request to the origin server and receives a final response to the request. The intermediary server transmits the final response to the request to the client.
-
Publication number: US12026272B2
Publication date: 2024-07-02
Application number: US18146459
Filing date: 2022-12-27
Applicant: CLOUDFLARE, INC.
Inventor: Yair Dovrat, Yoav Moshe
CPC classification number: G06F21/6218, H04L63/0428
Abstract: Managing the loading of third-party tools on a website is described. Configuration is received for loading the third-party tools. An intermediary server receives a request for a page that is hosted at an origin server. The intermediary server retrieves the page and modifies the page, including automatically adding a third-party tool manager to the retrieved page. The third-party tool manager includes a set of one or more client-side scripts that, when executed by the client network application, collect and transmit information to the intermediary server for loading the third-party tools. The intermediary server loads the third-party tools based on the received information and the configuration. The intermediary server causes event data to be transmitted to third-party tool servers that correspond with the third-party tools.
-
Publication number: US20240129273A1
Publication date: 2024-04-18
Application number: US18392521
Filing date: 2023-12-21
Applicant: CLOUDFLARE, INC.
Inventor: Marek Przemyslaw Majkowski, Braden Michael Ehrat, Sergi Isasi, Dane Orion Knecht, Dina Kozlov, Rustam Xing Lalkaka, Eric Reeves, Oliver Zi-gang Yu
IPC: H04L61/5007
CPC classification number: H04L61/5007
Abstract: A map of IP addresses of a distributed cloud computing network to one or more groupings is stored. The IP addresses are anycast IP addresses that compute servers of the distributed cloud computing network share. These IP addresses are to be used as source IP addresses when transmitting traffic to destinations external to the cloud computing network. The map is made available to external destinations. Traffic is received at the distributed cloud computing network that is destined to an external destination. An IP address is selected based on the characteristic(s) applicable for the traffic and the map. The distributed cloud computing network transmits the traffic to the external destination using the selected IP address.
-
Publication number: US11943308B1
Publication date: 2024-03-26
Application number: US18148352
Filing date: 2022-12-29
Applicant: CLOUDFLARE, INC.
Inventor: Lucas Pardue
IPC: H04L67/142, H04L67/02, H04L67/143
CPC classification number: H04L67/142, H04L67/02, H04L67/143
Abstract: A condition exists that triggers an HTTP server to modify one or more HTTP connections for one or more HTTP clients that are connected to the HTTP server. The HTTP server dynamically modifies the one or more HTTP connections including dynamically modifying one or more HTTP connection resource parameters for the one or more HTTP connections. For each of the one or more HTTP clients, the HTTP server monitors that HTTP client to determine whether it is complying with the modified one or more HTTP connection resource parameters. If one of the one or more HTTP clients is not complying with the modified one or more HTTP connection resource parameters, the HTTP server closes an HTTP connection to that HTTP client.