(12) Patent Application Publication
Kamalapuram et al.
(10) Pub. No.: US 2020/0050686 A1
(43) Pub. Date: Feb. 13, 2020

(54) DISTRIBUTED SECURITY ANALYSIS FOR SHARED CONTENT
(71) Applicant: Citrix Systems, Inc., Fort Lauderdale, FL (US)
(72) Inventors: Ramanjaneya Reddy Kamalapuram, Bangalore (IN); Praveen Raja Dhanabalan, Bangalore (IN)
(21) Appl. No.: 16/101,841
(22) Filed: Aug. 13, 2018

Publication Classification

(51) Int. Cl.
G06F 17/30 (2006.01)
G06F 21/62 (2006.01)
G06F 21/44 (2006.01)
H04L 9/06 (2006.01)
H04L 29/08 (2006.01)

(52) U.S. Cl.
CPC .. G06F 17/30165 (2013.01); G06F 17/30194 (2013.01); G06F 17/30082 (2013.01); G06F 21/6218 (2013.01); H04L 2209/38 (2013.01); H04L 9/0637 (2013.01); H04L 67/1097 (2013.01); G06F 2221/2141 (2013.01); G06F 21/44 (2013.01)

(57) ABSTRACT

Methods and systems for providing a cost effective and robust security solution for shared files stored by file sharing software solutions are described herein. The methods and systems for generating a ledger associated with shared files, which may include scanning data received from applications associated with a number of client devices and from a cloud based scanner. An access manager may control file permissions granted to users based on requests for scan data from each user device requesting access to a shared file. A plurality of different scanning applications may provide data that is collected for each shared file to provide a diverse analysis of a shared file to increase user confidence in a file security status.

Netskope Exhibit 1008

[FIG. 1 (Sheet 1 of 8): drawing not reproduced. Text labels in the drawing: WAN, LAN, PROCESSOR, NETWORK INTERFACE, RAM, ROM 115, INPUT/OUTPUT, MEMORY (OPERATING SYSTEM, CONTROL LOGIC, OTHER APPLICATIONS), DB1 129, DB2 131.]

[FIG. 2 (Sheet 2 of 8): drawing not reproduced. Text labels in the drawing: PROCESSOR, MEMORY, RAM, ROM, INPUT/OUTPUT MODULE, OPERATING SYSTEM, APPLICATIONS, DATA, LAN INTERFACE(S), WAN INTERFACE(S), LAN, WAN, COMPUTER NETWORK.]

[FIG. 3 (Sheet 3 of 8): drawing not reproduced. Text labels in the drawing: VIRTUALIZATION SERVER; VIRTUAL MACHINE A, B, C; GUEST OS A, GUEST OS B; CONTROL PROG.; TOOLS STACK; VIRTUAL PROCESSOR A 328A, B 328B, C 328C; VIRTUAL DISK A 326A, B 326B, C 326C; HYPERVISOR; OPERATING SYSTEM; HARDWARE LAYER; FIRMWARE 312; PHYSICAL MEMORY 316; PHYSICAL PROCESSOR(S); PHYSICAL DEVICE(S); PHYSICAL DISK(S) 304.]

[FIG. 4 (Sheet 4 of 8): drawing not reproduced. Text labels in the drawing: two groups of NETWORK ELEMENT A to D and STORAGE A to D; MANAGEMENT SERVER 410; ACCESS MANAGER 410A.]

[FIG. 5 (Sheet 5 of 8): drawing not reproduced. Text labels in the drawing: Enterprise Resource Sets B, C, D (504); MicroVPN B, C, D; Transport Protocol (e.g. cloud, other); Exchange/AD Traffic, HTTP/HTTPS Traffic and Management Traffic through Single-Sign-On; Social Integration; Policy Manager; Device Manager 524; File Sharing; App Controller; Enterprise Services; Authentication; Threat Detection; Management Capability and Analytics; App Store 578; Pre-wrapped Applications; Unwrapped Applications; Software Development Kit; Secure Native Applications A, B, C (514); Secure Application Launcher; Secure Remote; Application Virtualization; Secure Data Container; Encrypted SQL Lite Data; General Secure Data; Highly Secure Data; Unsecured Data Container; Personal Data; Managed and Unmanaged partitions; Dual-Mode Option; Public Internet.]

[FIG. 6 (Sheet 6 of 8): drawing not reproduced. Text labels in the drawing: Exchange, SharePoint, PKI Resources, Kerberos Resources; Certificate Issuance Service; Active Directory; OTP; Gateway Services; Gateway Server; Logon; Certificates; Policies; Client Agent Software; Managed Applications (Wrapped App, Browser, Mail); Secure Network Tunnel; Secure IPC; Keys; Vault Encryption; Private Data Vault; App Private Data Vault (three instances); Shared Data Vault.]

[FIG. 7 (Sheet 7 of 8): flowchart, recovered from the drawing labels]
S701: File Stored in Network
S702: Scan File in Network / Receive User Scan Data
S703: Scan Positive? NO: S704A Lock File. YES: S705.
S705: File Access - Request Scan Data
S706: Scan Data Received? NO: S707 Read Only Access. YES: S708.
S708: Scan Positive? NO: S704B Lock File. YES: S709.
S709: Store Scan Data / Grant Right Permission

[FIG. 8 (Sheet 8 of 8): drawing not reproduced. Text labels in the drawing: SCANNER A 821, SCANNER B1 822, SCANNER B2 823, SCANNER C 824; HOST 811, HOST 812, HOST 813; ACCESS MANAGER 830; MANAGEMENT SERVER 820; NETWORK ELEMENT and STORAGE blocks.]

DISTRIBUTED SECURITY ANALYSIS FOR SHARED CONTENT

FIELD

[0001] Aspects described herein generally relate to computers, networking, hardware, and software, cryptography, and security measures in place therein. More specifically, one or more aspects of the disclosure relate to cloud file management services, and in particular, relate to distributed security analysis for shared file content uploaded into a cloud file management system.

BACKGROUND

[0002] As computers have become ubiquitously interconnected, the race between attackers and security experts has intensified. A variety of different security tools are available from various companies. As new attacks are developed, security experts try to create and update their analyzers to address the latest vulnerability footprints. These updates may include patches that need to be downloaded and/or installed by different host systems.

[0003] It is common for cloud services, which may aid file sharing services across a cloud network, to perform security analysis of files stored in the cloud to ensure safety of the enterprise. Security analyzers and/or scanners may also be implemented in various enterprise hosts based on a company policy.

[0004] As security policies are enforced at different stages in an enterprise, different systems accessing the same file will have different types and levels of security analysis applied. Each of those security tools may recognize only a certain portion or subset of issues. Further, for each of the different security tools or applications, as implemented on a distributed network of hosts, different updates or patches may or may not have been applied. As such, each of the security tools may not be updated to address the latest vulnerabilities. For example, a first company might capture the footprint of a first new security issue earlier than a second company, while the second company may capture the footprint of a second new security issue earlier than the first company. In addition, a first user of the product of the first company may have applied all of the updates from the first company, while a second user of the product of the first company may not have updated their product in several days or weeks. Thus, there is no assurance that each different security scanner has or can identify a particular threat.

SUMMARY

[0005] The following presents a simplified summary of various aspects described herein. This summary is not an extensive overview, and is not intended to identify required or critical elements or to delineate the scope of the claims. The following summary merely presents some concepts in a simplified form as an introductory prelude to the more detailed description provided below.

[0006] To overcome limitations described above, and to overcome other limitations that will be apparent upon reading and understanding the present specification, aspects described herein are directed towards a method including storing, by a first user device, a shared file in a shared network storage system; receiving, by the network storage system and from the first user device, scan data associated with the shared file; generating, by the network storage system, a ledger associated with the shared file, wherein the ledger comprises the scan data associated with the shared file; receiving, at the network storage system, scan data from one or more additional user devices; determining, by the network storage system, that the shared file is a valid file to share with users of the network storage system based on the scan data from one or more of the first user device and the one or more additional user devices; updating, by the network storage system and in response to the receipt of scan data from the one or more additional user devices, the ledger of the shared file in the network storage system; and providing, by the network storage system and based on the determination, permission to access the shared file to the one or more additional user devices.

[0007] The methods may include sending, from the network storage system and to the one or more additional user devices, a request for a scanner credential from the one or more additional user devices; receiving, at the network storage system, the scanner credential from the one or more additional user devices; authenticating, by the network storage system, an additional user device scanner based on the scanner credential received from the one or more additional user devices; receiving, from one or more of the first user device and the one or more additional user devices, scan data; analyzing the scan data for an indicator that the shared file includes one or more of signatures of known exploits, malware, or viruses; and determining that the shared file is valid based on the indicator of the scan data. The methods may include obtaining, by the network storage system, policy information associated with the shared file; preventing, based on the policy information associated with the shared file, write access to the shared file until policy conditions have been met; generating a blockchain associated with the shared file; adding to the blockchain based on scan data of the one or more additional user devices and a hash related to scan data of at least one of the first user device or the network storage system; scanning, by the network storage system, the shared file with a security application to generate the scan data; associating, by the network storage system, the scan data with the ledger of the shared file; weighting, by the network storage system, the scan data based on a type of scanning; and determining, based on the weighted scan data, a relative confidence value of the shared file.

[0008] In some aspects, the network storage system may include a cloud network storage system, and the ledger may be stored in the same cloud network storage system as the shared file. In other aspects, providing permission to access the shared file to the one or more additional user devices may be based on the relative confidence value of the shared file, and the scan data may include scanner type data indicating a type of scanner and scanner update data indicating any updates the scanner has applied.

[0009] In addition, in some examples, aspects of the disclosure may include an apparatus or system that may include a network interface, at least one processor, and a tangible computer memory storing computer-executable instructions that, when executed by the at least one processor, cause the apparatus or system to perform one or more of the following: store a shared file in a network storage system; request, from a first device, scan data associated with the shared file; generate a ledger associated with the shared file, wherein the ledger comprises the scan data associated with the shared file; receive a request from a second user device to access the shared file stored on the network storage system; in response to receiving the request to access the shared file, request scan data from the second user device; update, based on a response to the request for scan data from the second user device, the ledger of the shared file in the network storage system; transmit, based on a positive result in the scan data from the second user device, write permission for the shared file to the second user device; receive, from a third user device, a second request to access the shared file stored on the network storage system; in response to receiving the second request to access the shared file, request scan data from the third user device; update, based on a response to the request for scan data from the third user device, the ledger of the shared file in the network storage system; deny, based on a negative result in the scan data from the third user device, write permission for the shared file to the third user device; obtain policy information associated with the shared file; prevent, based on the policy information associated with the shared file, write access to the shared file until policy conditions have been met; scan the shared file with a security application of a cloud storage system to generate the scan data; associate the scan data with the ledger of the shared file; weight the scan data based on a type of scanning; and determine a relative confidence that the shared file is secure. In some aspects, the scan data may include scanner type data indicating a type of scanner and scanner update data indicating any updates the scanner has applied.

[0010] In additional examples, non-transitory computer-executable instructions, when executed by the computer processor, may cause the system to perform one or more of the following: store a shared file in a network storage system; request, from a first device, scan data associated with the shared file; generate a ledger associated with the shared file, wherein the ledger comprises the scan data associated with the shared file; receive a request from a second user device to access the shared file stored on the network storage system; in response to receiving the request to access the shared file, request scan data from the second user device; update, based on a response to the request for scan data from the second user device, the ledger of the shared file in the network storage system; transmit, based on a positive result in the scan data from the second user device, write permission for the shared file to the second user device; receive, at the network storage system and from a third user device, a second request to access the shared file stored on the network storage system; in response to receiving the second request to access the shared file, request scan data from the third user device; update, based on a response to the request for scan data from the third user device, the ledger of the shared file in the network storage system; deny, based on a negative result in the scan data from the third user device, write permission for the shared file to the third user device; obtain policy information associated with the shared file; and prevent, based on the policy information associated with the shared file, write access to the shared file until policy conditions have been met. In some aspects, the scan data may include scanner type data indicating a type of scanner and scanner update data indicating any updates the scanner has applied.

[0011] In view of the foregoing, the different security measures employed by a plurality of systems accessing a shared file may be leveraged to save costs and/or provide a robust security system. These and additional aspects will be appreciated with the benefit of the disclosures discussed in further detail below.
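
The ledger, weighting and permission steps summarized in [0006] to [0010], as an added Python example that is not code from the publication. It assumes a SHA-256 hash chain for the "blockchain", hypothetical per-scanner-type weights, constructed device names, and that a "positive" result means the scan passed; locking on a failed scan follows the FIG. 7 labels (S704A/S704B).

```python
import hashlib
import json
from dataclasses import dataclass, asdict
from typing import Optional

# Assumed weights per scanner type (hypothetical values; the publication only
# says scan data is weighted by the type of scanning).
WEIGHTS = {"cloud": 1.0, "endpoint": 0.6, "mobile": 0.4}
GENESIS = "0" * 64


@dataclass(frozen=True)
class ScanRecord:
    device: str           # constructed device name
    scanner_type: str     # "scanner type data"
    scanner_updates: str  # "scanner update data", e.g. a definitions version
    positive: bool        # True = the scan passed (assumed meaning of "positive")


def _digest(body: dict) -> str:
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class FileLedger:
    """Hash-chained ledger of scan records kept for one shared file."""

    def __init__(self, file_bytes: bytes):
        self.file_hash = hashlib.sha256(file_bytes).hexdigest()
        self.blocks = []
        self.locked = False

    def append(self, rec: ScanRecord) -> None:
        # Each block commits to the file hash and to the previous block's hash.
        prev = self.blocks[-1]["hash"] if self.blocks else GENESIS
        body = {"file": self.file_hash, "prev": prev, "scan": asdict(rec)}
        self.blocks.append({**body, "hash": _digest(body)})

    def verify(self) -> bool:
        # Recompute every hash; any edited or reordered block breaks the chain.
        prev = GENESIS
        for blk in self.blocks:
            body = {k: blk[k] for k in ("file", "prev", "scan")}
            if (blk["file"] != self.file_hash or blk["prev"] != prev
                    or blk["hash"] != _digest(body)):
                return False
            prev = blk["hash"]
        return True

    def confidence(self) -> float:
        # Relative confidence: weighted share of scans that passed.
        total = passed = 0.0
        for blk in self.blocks:
            weight = WEIGHTS.get(blk["scan"]["scanner_type"], 0.0)
            total += weight
            passed += weight if blk["scan"]["positive"] else 0.0
        return passed / total if total else 0.0


def store_file(file_bytes: bytes, first_scan: ScanRecord) -> FileLedger:
    """S701-S704A: store the file, record the first scan, lock if it failed."""
    ledger = FileLedger(file_bytes)
    ledger.append(first_scan)
    ledger.locked = not first_scan.positive
    return ledger


def request_access(ledger: FileLedger, scan: Optional[ScanRecord]) -> str:
    """S705-S709: decide what a requesting device gets."""
    # Assumption: a ledger that fails verification is treated like a locked file.
    if ledger.locked or not ledger.verify():
        return "locked"
    if scan is None:               # S706 "NO": no scan data supplied
        return "read-only"         # S707
    ledger.append(scan)            # the ledger is updated with every response
    if not scan.positive:          # S708 "NO"
        ledger.locked = True       # S704B
        return "locked"
    return "write"                 # S709


def demo():
    # Constructed sample file and scan results.
    ledger = store_file(b"constructed sample file",
                        ScanRecord("cloud-scanner", "cloud", "defs-100", True))
    outcomes = [
        request_access(ledger, ScanRecord("host-a", "endpoint", "defs-98", True)),
        request_access(ledger, None),
        request_access(ledger, ScanRecord("phone-b", "mobile", "defs-42", False)),
        request_access(ledger, ScanRecord("host-c", "endpoint", "defs-99", True)),
    ]
    return ledger, outcomes


if __name__ == "__main__":
    ledger, outcomes = demo()
    print(outcomes, round(ledger.confidence(), 2), ledger.verify())
```

The failed mobile scan is still recorded before the file is locked, so the ledger keeps the evidence for the lock, and rewriting that record afterwards makes `verify()` fail.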

BRIEF DESCRIPTION OF THE DRAWINGS

[0012] A more complete understanding of aspects described herein and the advantages thereof may be acquired by referring to the following description in consideration of the accompanying drawings, in which like reference numbers indicate like features, and wherein:

[0013] FIG. 1 depicts an illustrative computer system architecture that may be used in accordance with one or more illustrative aspects described herein.

[0014] FIG. 2 depicts an illustrative remote-access system architecture that may be used in accordance with one or more illustrative aspects described herein.

[0015] FIG. 3 depicts an illustrative virtualized (hypervisor) system architecture that may be used in accordance with one or more illustrative aspects described herein.

[0016] FIG. 4 depicts an illustrative cloud-based system architecture that may be used in accordance with one or more illustrative aspects described herein.

[0017] FIG. 5 depicts an illustrative enterprise mobility management system.

[0018] FIG. 6 depicts another illustrative enterprise mobility management system.

[0019] FIG. 7 depicts an illustrative flowchart for file processing by an access manager for the network storage system.

[0020] FIG. 8 depicts another illustrative network storage system with independent distributed scanners.

DETAILED DESCRIPTION

[0021] In the following description of the various embodiments, reference is made to the accompanying drawings identified above and which form a part hereof, and in which is shown by way of illustration various embodiments in which aspects described herein may be practiced. It is to be understood that other embodiments may be utilized and structural and functional modifications may be made without departing from the scope described herein. Various aspects are capable of other embodiments and of being practiced or being carried out in various different ways.

[0022] As a general introduction to the subject matter described in more detail below, aspects described herein are directed towards controlling remote access to resources at an enterprise computing system using applications at host devices and mobile applications at mobile computing devices. As different systems accessing the same file will have different types and levels of security analysis applied, each system may recognize only a certain portion or subset of potential issues. Further, different updates or patches may or may not have been applied to each instance of the different security tools or applications. As such, each of the security tools may not be updated to address the latest vulnerabilities.

[0023] By utilizing different scanning services of different devices and applications, a more robust analysis of file security and validity may be provided to each network device accessing a shared file. An access manager may perform a validation process that determines whether an application requesting access to a file stored in enterprise resources has provided scan data related to the file to be accessed. The scan data may include data to accurately identify the particular scanner application and version of the scanner application performing the scan. The access manager may gather additional scan data from a plurality of hosts and mobile devices requesting access to the file stored on the enterprise resource and enhance robustness of the security mechanisms used to protect those enterprise resources. As a result, individuals associated with the enterprise may advantageously access files stored on enterprise resources with increased confidence.

[0024] It is to be understood that the phraseology and terminology used herein are for the purpose of description and should not be regarded as limiting. Rather, the phrases and terms used herein are to be given their broadest interpretation and meaning. The use of “including” and “comprising” and variations thereof is meant to encompass the items listed thereafter and equivalents thereof as well as additional items and equivalents thereof. The use of the terms “mounted,” “connected,” “coupled,” “positioned,” “engaged” and similar terms, is meant to include both direct and indirect mounting, connecting, coupling, positioning and engaging.

[0025] Computing Architecture

[0026] Computer software, hardware, and networks may be utilized in a variety of different system environments, including standalone, networked, remote-access (also known as remote desktop), virtualized, and/or cloud-based environments, among others. FIG. 1 illustrates one example of a system architecture and data processing device that may be used to implement one or more illustrative aspects described herein in a standalone and/or networked environment. Various network nodes 103, 105, 107, and 109 may be interconnected via a wide area network (WAN) 101, such as the Internet. Other networks may also or alternatively be used, including private intranets, corporate networks, local area networks (LAN), metropolitan area networks (MAN), wireless networks, personal networks (PAN), and the like. Network 101 is for illustration purposes and may be replaced with fewer or additional computer networks. A local area network 133 may have one or more of any known LAN topology and may use one or more of a variety of different protocols, such as Ethernet. Devices 103, 105, 107, and 109 and other devices (not shown) may be connected to one or more of the networks via twisted pair wires, coaxial cable, fiber optics, radio waves, or other communication media.

[0027] The term “network” as used herein and depicted in the drawings refers not only to systems in which remote storage devices are coupled together via one or more communication paths, but also to stand-alone devices that may be coupled, from time to time, to such systems that have storage capability. Consequently, the term “network” includes not only a “physical network” but also a “content network,” which is comprised of the data attributable to a single entity which resides across all physical networks.

[0028] The components may include data server 103, web server 105, and client computers 107, 109. Data server 103 provides overall access, control and administration of databases and control software for performing one or more illustrative aspects described herein. Data server 103 may be connected to web server 105 through which users interact with and obtain data as requested. Alternatively, data server 103 may act as a web server itself and be directly connected to the Internet. Data server 103 may be connected to web server 105 through the local area network 133, the wide area network 101 (e.g., the Internet), via direct or indirect connection, or via some other network. Users may interact with the data server 103 using remote computers 107, 109, e.g., using a web browser to connect to the data server 103 via one or more externally exposed web sites hosted by web server 105. Client computers 107, 109 may be used in concert with data server 103 to access data stored therein, or may be used for other purposes. For example, from client device 107 a user may access web server 105 using an Internet browser, as is known in the art, or by executing a software application that communicates with web server 105 and/or data server 103 over a computer network (such as the Internet).

[0029] Servers and applications may be combined on the same physical machines, and retain separate virtual or logical addresses, or may reside on separate physical machines. FIG. 1 illustrates just one example of a network architecture that may be used, and those of skill in the art will appreciate that the specific network architecture and data processing devices used may vary, and are secondary to the functionality that they provide, as further described herein. For example, services provided by web server 105 and data server 103 may be combined on a single server.

[0030] Each component 103, 105, 107, 109 may be any type of known computer, server, or data processing device. Data server 103, e.g., may include a processor 111 controlling overall operation of the data server 103. Data server 103 may further include random access memory (RAM) 113, read only memory (ROM) 115, network interface 117, input/output interfaces 119 (e.g., keyboard, mouse, display, printer, etc.), and memory 121. Input/output (I/O) 119 may include a variety of interface units and drives for reading, writing, displaying, and/or printing data or files. Memory 121 may further store operating system software 123 for controlling overall operation of the data processing device 103, control logic 125 for instructing data server 103 to perform aspects described herein, and other application software 127 providing secondary, support, and/or other functionality which may or might not be used in conjunction with aspects described herein. The control logic may also be referred to herein as the data server software 125. Functionality of the data server software may refer to operations or decisions made automatically based on rules coded into the control logic, made manually by a user providing input into the system, and/or a combination of automatic processing based on user input (e.g., queries, data updates, etc.).

[0031] Memory 121 may also store data used in performance of one or more aspects described herein, including a first database (DB1) 129 and a second database (DB2) 131. In some embodiments, the first database may include the second database (e.g., as a separate table, report, etc.). That is, the information can be stored in a single database, or separated into different logical, virtual, or physical databases, depending on system design. Devices 105, 107, and 109 may have similar or different architecture as described with respect to device 103. Those of skill in the art will appreciate that the functionality of data processing device 103 (or device 105, 107, or 109) as described herein may be spread across multiple data processing devices, for example, to distribute processing load across multiple computers, to segregate transactions based on geographic location, user access level, quality of service (QoS), etc.

[0032] One or more aspects may be embodied in computer-usable or readable data and/or computer-executable instructions, such as in one or more program modules, executed by one or more computers or other devices as described herein. Generally, program modules include routines, programs, objects, components, data structures, etc. that perform particular tasks or implement particular abstract data types when executed by a processor in a computer or other device. The modules may be written in a source code programming language that is subsequently compiled for execution, or may be written in a scripting language such as (but not limited to) HyperText Markup Language (HTML) or Extensible Markup Language (XML). The computer-executable instructions may be stored on a computer readable medium such as a nonvolatile storage device. Any suitable computer readable storage media may be utilized, including hard disks, CD-ROMs, optical storage devices, magnetic storage devices, and/or any combination thereof. In addition, various transmission (non-storage) media representing data or events as described herein may be transferred between a source and a destination in the form of electromagnetic waves traveling through signal-conducting media such as metal wires, optical fibers, and/or wireless transmission media (e.g., air and/or space). Various aspects described herein may be embodied as a method, a data processing system, or a computer program product. Therefore, various functionalities may be embodied in whole or in part in software, firmware, and/or hardware or hardware equivalents such as integrated circuits, field programmable gate arrays (FPGA), and the like. Particular data structures may be used to more effectively implement one or more aspects described herein, and such data structures are contemplated within the scope of computer executable instructions and computer-usable data described herein.

[0033] With further reference to FIG. 2, one or more aspects described herein may be implemented in a remote-access environment. FIG. 2 depicts an example system architecture including a computing device 201 in an illustrative computing environment 200 that may be used according to one or more illustrative aspects described herein. Computing device 201 may be used as a server 206a in a single-server or multi-server desktop virtualization system (e.g., a remote access or cloud system) configured to provide virtual machines for client access devices. The computing device 201 may have a processor 203 for controlling overall operation of the server and its associated components, including RAM 205, ROM 207, Input/Output (I/O) module 209, and memory 215.

[0034] I/O module 209 may include a mouse, keypad, touch screen, scanner, optical reader, and/or stylus (or other input device(s)) through which a user of computing device 201 may provide input, and may also include one or more of a speaker for providing audio output and one or more of a video display device for providing textual, audiovisual, and/or graphical output. Softw
