(19) United States
(12) Patent Application Publication
     Chandra et al.
(10) Pub. No.: US 2017/0093917 A1
(43) Pub. Date: Mar. 30, 2017

(54) CENTRALIZED MANAGEMENT AND ENFORCEMENT OF ONLINE BEHAVIORAL TRACKING POLICIES
(71) Applicant: Fortinet, Inc., Sunnyvale, CA (US)
(72) Inventors: Sekhar Sumanth Gorajala Chandra, Milpitas, CA (US); Liming Wu, Pleasanton, CA (US)
(73) Assignee: FORTINET, INC., Sunnyvale, CA (US)
(21) Appl. No.: 14/871,106
(22) Filed: Sep. 30, 2015

Publication Classification
(51) Int. Cl.
     H04L 29/06 (2006.01)
     H04L 29/12 (2006.01)
     H04L 29/08 (2006.01)
(52) U.S. Cl.
     CPC ... H04L 63/20 (2013.01); H04L 67/02 (2013.01); H04L 61/2007 (2013.01); H04L 67/22 (2013.01); H04L 63/0236 (2013.01); H04L 63/0281 (2013.01)

(57) ABSTRACT

Systems and methods for manipulating online behavioral tracking policies are provided. According to one embodiment, a hypertext transfer protocol (HTTP) response transmitted from a web server to a client is captured by a network security device. A status of the client is determined by the network security device. An online behavioral tracking policy associated with the client is identified by the network security device based on the determined status. The identified online behavioral tracking policy is enforced by the network security device by modifying the HTTP response. The modified HTTP response is transmitted by the network security device to the client.

[Representative drawing: Web Browser 110, Reverse Proxy 140, Web Analytics Server 150, Web Servers 120a, 120b, 120c]

Page 1 of 16
Netskope Exhibit 1007

[Drawing sheet 1 of 5]

[Drawing sheet 2 of 5]

[Drawing sheet 3 of 5: FIGS. 3A-3D]
FIG. 3A: cookie banner reading "This website uses cookies. This website uses cookies to improve user experience. By using our website you consent to all cookies in accordance with our Cookie Policy.", with the labels "Read more" and "I agree".
FIG. 3B: cookie banner reading "This website uses cookies. This website uses cookies to improve user experience. By using our website you consent to all cookies in accordance with our Cookies Policy."
FIG. 3C: page footer reading "Copyright © 2015 All Rights Reserved. | Terms of Service | Privacy".
FIG. 3D: page footer reading "Copyright © 2015 All Rights Reserved. | Terms of Service | Privacy | Cact".

[Drawing sheet 4 of 5: flow diagram; the blocks carry reference numerals 401 to 408 and read, in order:]
Start
Establish connections with a client and a web server
Receive HTTP traffic between the client and the web server
Determine a status of the client
Determine a web tracking policy based on the status
Enforce the web tracking policy on the HTTP traffic
Transmit the HTTP traffic to its destination
Receive a selection of cookie policy from the client
Enforce the selected cookie policy on further HTTP traffic

[Drawing sheet 5 of 5]

CENTRALIZED MANAGEMENT AND ENFORCEMENT OF ONLINE BEHAVIORAL TRACKING POLICIES

COPYRIGHT NOTICE

[0001] Contained herein is material that is subject to copyright protection. The copyright owner has no objection to the facsimile reproduction of the patent disclosure by any person as it appears in the Patent and Trademark Office patent files or records, but otherwise reserves all rights to the copyright whatsoever. Copyright © 2015, Fortinet, Inc.

BACKGROUND

[0002] Field

[0003] Embodiments of the present invention generally relate to the field of network security techniques. In particular, various embodiments relate to the manipulation by firewalls of the usage of online behavioral tracking tools by servers (e.g., web servers and/or web analytics servers) so as to protect the privacy of network users in accordance with online communication privacy regulations of the country in which the user is geographically located.

[0004] Description of the Related Art

[0005] Network users’ online activities may be tracked by online behavioral tracking tools, such as Hypertext Transfer Protocol (HTTP) cookies, web beacons and the like. An HTTP cookie is a small piece of data sent from a web server to a browser when the browser accesses the website. The HTTP cookie may be stored at the user’s client machine. Every time the user loads the website again, the browser sends the HTTP cookie of the website back to the web server to notify the website of the user’s previous activity. HTTP cookies are designed to be a reliable mechanism for websites to remember stateful information. When everything is working correctly, cookies cannot carry viruses and cannot install malware on the host computer; however, tracking cookies and especially third-party tracking cookies are commonly used as ways to compile long-term records of individuals’ browsing histories. The potential privacy concerns have prompted European, U.S. and other countries’ law makers to take action to restrict the usage of HTTP cookies and other online tracking tools. The online communication privacy regulations (e.g., digital privacy laws or cookie laws) of various countries differ concerning the usage of online behavioral tracking tools, such as HTTP cookies. Regulations of some countries require an explicit consent from a user before a web server can use cookies, while other countries allow implicit consent. Further, regulations of some countries require a cookie banner to be displayed at the top of a web page to show the cookie policy of the website, while others require only the availability of a link to a cookie policy.

[0006] In order to comply with the disparate online communication privacy regulations of multiple countries, a web server may introduce scripts within a home page of an enterprise’s website in order to display an appropriate cookie banner to a first time visitor to the website, for example. The web server may introduce scripts to implement different kinds of cookie banners depending upon the geographic locations of the visitors in order to comply with the regulations of the visitors’ countries. The administrator of the web server may maintain multiple cookie policies as well as cookie banners to comply with the regulations of different countries. For a company that has a large number of web servers, it is difficult to maintain online behavioral tracking policies at each web servers in order to comply with all potential current and future regulations. Therefore, it would be helpful to have a centralized mechanism or a proxy to manage the online behavioral tracking policies for all servers within a corporate network.

SUMMARY

[0007] Systems and methods are described for centralized management of online behavioral tracking policies. According to one embodiment, a hypertext transfer protocol (HTTP) response transmitted from a web server to a client is captured by a network security device. A status of the client is determined by the network security device. An online behavioral tracking policy associated with the client is identified by the network security device based on the determined status. The identified online behavioral tracking policy is enforced by the network security device by modifying the HTTP response. The modified HTTP response is transmitted by the network security device to the client.

[0008] Other features of embodiments of the present invention will be apparent from the accompanying drawings and from the detailed description that follows.

BRIEF DESCRIPTION OF THE DRAWINGS

[0009] Embodiments of the present invention are illustrated by way of example, and not by way of limitation, in the figures of the accompanying drawings and in which like reference numerals refer to similar elements and in which:

[0010] FIG. 1 illustrates an exemplary network architecture in accordance with an embodiment of the present invention.

[0011] FIG. 2 illustrates exemplary functional units of a reverse proxy in accordance with an embodiment of the present invention.

[0012] FIG. 3A-3D illustrate exemplary cookie banners and privacy/cookie policy links of web pages in accordance with embodiments of the present invention.

[0013] FIG. 4 is a flow diagram illustrating a method for enforcing online behavioral tracking policies by a reverse proxy in accordance with an embodiment of the present invention.

[0014] FIG. 5 is an exemplary computer system in which or with which embodiments of the present invention may be utilized.

DETAILED DESCRIPTION

[0015] Systems and methods are described for managing online behavioral tracking policies. According to one embodiment, a reverse proxy or a network security device implementing a reverse proxy captures a Hypertext Transfer Protocol (HTTP) response that is transmitted from a web server to a client. The reverse proxy determines a status of the client and determines an online behavioral tracking policy associated with the client based on one or more characteristics or a status (e.g., a physical or geographical location) of the client. The reverse proxy applies the online behavioral tracking policy to the HTTP response (e.g., by removing one or more non-compliant HTTP cookies or one or more non-compliant scripts from the HTTP response and/or by embedding one or more compliant HTTP cookies and/or one or more compliant scripts within the HTTP response) and transmits the revised HTTP response to the client in order to ensure online communications between the client and web server (and any analytics relating thereto or usage thereof) are in compliance with the online communication privacy regulations of the country in which the client is physically located.

[0016] In the following description, numerous specific details are set forth in order to provide a thorough understanding of embodiments of the present invention. It will be apparent, however, to one skilled in the art that embodiments of the present invention may be practiced without some of these specific details. In other instances, well-known structures and devices are shown in block diagram form.

[0017] Embodiments of the present invention include various steps, which will be described below. The steps may be performed by hardware components or may be embodied in machine-executable instructions, which may be used to cause a general-purpose or special-purpose processor programmed with the instructions to perform the steps. Alternatively, the steps may be performed by a combination of hardware, software, firmware and/or by human operators.

[0018] Embodiments of the present invention may be provided as a computer program product, which may include a machine-readable storage medium tangibly embodying thereon instructions, which may be used to program a computer (or other electronic devices) to perform a process. The machine-readable medium may include, but is not limited to, fixed (hard) drives, magnetic tape, floppy diskettes, optical disks, compact disc read-only memories (CD-ROMs), and magneto-optical disks, semiconductor memories, such as ROMs, PROMs, random access memories (RAMs), programmable read-only memories (PROMs), erasable PROMs (EPROMs), electrically erasable PROMs (EEPROMs), flash memory, magnetic or optical cards, or other type of media/machine-readable medium suitable for storing electronic instructions (e.g., computer programming code, such as software or firmware). Moreover, embodiments of the present invention may also be downloaded as one or more computer program products, wherein the program may be transferred from a remote computer to a requesting computer by way of data signals embodied in a carrier wave or other propagation medium via a communication link (e.g., a modem or network connection).

[0019] In various embodiments, the article(s) of manufacture (e.g., the computer program products) containing the computer programming code may be used by executing the code directly from the machine-readable storage medium or by copying the code from the machine-readable storage medium into another machine-readable storage medium (e.g., a hard disk, RAM, etc.) or by transmitting the code on a network for remote execution. Various methods described herein may be practiced by combining one or more machine-readable storage media containing the code according to the present invention with appropriate standard computer hardware to execute the code contained therein. An apparatus for practicing various embodiments of the present invention may involve one or more computers (or one or more processors within a single computer) and storage systems containing or having network access to computer program(s) coded in accordance with various methods described herein, and the method steps of the invention could be accomplished by modules, routines, subroutines, or subparts of a computer program product.

[0020] Notably, while embodiments of the present invention may be described using modular programming terminology, the code implementing various embodiments of the present invention is not so limited. For example, the code may reflect other programming paradigms and/or styles, including, but not limited to object-oriented programming (OOP), agent oriented programming, aspect-oriented programming, attribute-oriented programming (@OP), automatic programming, dataflow programming, declarative programming, functional programming, event-driven programming, feature oriented programming, imperative programming, semantic-oriented programming, functional programming, genetic programming, logic programming, pattern matching programming and the like.

Terminology

[0021] Brief definitions of terms used throughout this application are given below.

[0022] If the specification states a component or feature “may”, “can”, “could”, or “might” be included or have a characteristic, that particular component or feature is not required to be included or have the characteristic.

[0023] The phrase “security device” generally refers to a hardware device or appliance configured to be coupled to a network and to provide one or more of data privacy, protection, encryption and security. The network security device can be a device providing one or more of the following features: network firewalling, VPN, antivirus, intrusion prevention (IPS), content filtering, data leak prevention, antispam, antispyware, logging, reputation-based protections, event correlation, network access control, vulnerability management, load balancing and traffic shaping—that can be deployed individually as a point solution or in various combinations as a unified threat management (UTM) solution. Non-limiting examples of network security devices include proxy servers, firewalls, VPN appliances, gateways, UTM appliances and the like.

[0024] The phrase “network appliance” generally refers to a specialized or dedicated device for use on a network in virtual or physical form. Some network appliances are implemented as general-purpose computers with appropriate software configured for the particular functions to be provided by the network appliance; others include custom hardware (e.g., one or more custom Application Specific Integrated Circuits (ASICs)). Examples of functionality that may be provided by a network appliance include, but is not limited to, Layer 2/3 routing, content inspection, content filtering, firewall, traffic shaping, application control, Voice over Internet Protocol (VoIP) support, Virtual Private Networking (VPN), IP security (IPSec), Secure Sockets Layer (SSL), antivirus, intrusion detection, intrusion prevention, Web content filtering, spyware prevention and anti-spam. Examples of network appliances include, but are not limited to, network gateways and network security appliances (e.g., FORTIGATE family of network security appliances and FORTICARRIER family of consolidated security appliances), messaging security appliances (e.g., FORTIMAIL family of messaging security appliances), database security and/or compliance appliances (e.g., FORTIDB database security and compliance appliance), web application firewall appliances (e.g., FORTIWEB family of web application firewall appliances), application acceleration appliances, server load balancing appliances (e.g., FORTIBALANCER family of application delivery controllers), vulnerability management appliances (e.g., FORTISCAN family of vulnerability management appliances), configuration, provisioning, update and/or management appliances (e.g., FORTIMANAGER family of management appliances), logging, analyzing and/or reporting appliances (e.g., FORTIANALYZER family of network security reporting appliances), bypass appliances (e.g., FORTIBRIDGE family of bypass appliances), Domain Name Server (DNS) appliances (e.g., FORTIDNS family of DNS appliances), wireless security appliances (e.g., FORTIWIFI family of wireless security gateways), FORIDDOS, wireless access point appliances (e.g., FORTIAP wireless access points), switches (e.g., FORTISWITCH family of switches) and IP-PBX phone system appliances (e.g., FORTIVOICE family of IP-PBX phone systems).

[0025] The terms “connected” or “coupled” and related terms are used in an operational sense and are not necessarily limited to a direct connection or coupling. Thus, for example, two devices may be coupled directly, or via one or more intermediary media or devices. As another example, devices may be coupled in such a way that information can be passed there between, while not sharing any physical connection with one another. Based on the disclosure provided herein, one of ordinary skill in the art will appreciate a variety of ways in which connection or coupling exists in accordance with the aforementioned definition.

[0026] FIG. 1 illustrates an exemplary network architecture 100 in accordance with an embodiment of the present invention. In the present example, network architecture 100 includes at least a browser 110, multiple web servers 120a-120c, a reverse proxy 140 and a web analytics server 150. The network appliances 110, 120, 140 and 150 may be connected by a network 130, which may be any type of network, such as a local area network (LAN), a wireless LAN, a wide area network (WAN), or the Internet.

[0027] According to HTTP, when browser 110 accesses web server 120a, for example, for the first time, an HTTP request without an HTTP cookie is sent from browser 110 to web server 120a. In an HTTP response, web server 120a may transmit one or more HTTP cookies of web server 120a (within one or more HTTP Set-Cookie headers, for example), e.g., a first-party cookie, together with other content back to browser 110 in a session between browser 110 and web server 120a. Web browser 110 may store the HTTP cookie within a local storage when the session with the web server is closed. In another example, an HTTP cookie may be created locally by a script of web server 120a that is transmitted to browser 110. For example, web server 120a may include within the HTTP response scripting language code (e.g., a JavaScript function) that creates an HTTP cookie when run by browser 110.

[0028] In some examples, web server 120a may also include a script of a third-party, such as analytics server 150, in the HTTP response. After the third-party script of analytics server 150 is received by browser 110, browser 110 may run the third-party script and setup a connection with analytics server 150. A third-party HTTP cookie of analytics server 150 may be transmitted to browser 110 and stored locally at browser 110.

[0029] When browser 110 accesses web server 120a subsequently and a corresponding HTTP cookie is stored within browser 110, the HTTP cookie of the web server 120a is included in a header field (e.g., an HTTP Cookie header) of an HTTP request and sent to web server 120a automatically. When the HTTP request with the HTTP cookie is received by web server 120a, the HTTP cookie may be parsed thereby allowing web server 120a to determine, for example, that browser 110 is a return visitor and/or restore a previous state of the last session with browser 110 based on the HTTP cookie. Similar to the first-party HTTP cookie, the third-party HTTP cookie that is stored at browser 110 is included in an HTTP request and transmitted back to analytics server 150 when browser 110 subsequently accesses analytics server 150. Analytics server 150 may parse the HTTP cookie and the user of the HTTP cookie may be identified based on the ID field of the cookie. Analytics server 150 may track users’ web surfing activities by accumulating access histories of the users.

[0030] In the present example, reverse proxy 140 is logically interposed between clients, such as browser 110, and servers, such as web servers 120a-120c and provides forwarding service in the exchange between the clients and the servers. Reverse proxy 140 may set up transmission control protocol (TCP) connections separately with browser 110 and a web server and relays data between the TCP connections. Reverse proxy 140 is most commonly used to provide load balancing, encryption services for scalability and availability. In the present example, reverse proxy 140 may also be used for manipulating the effect of online behavioral tracking policies implemented by web servers, such as web servers 120a-120c. Reverse proxy 140 may intercept an HTTP request from browser 110 and forward it to one of web servers 120a-120c based on its load balancing policies. If the request from browser 110 is transmitted encrypted by HTTP Secure (HTTPS) protocol, the encrypted request may be decrypted by reverse proxy 140 and then the HTTP request may be intercepted by reverse proxy 140. When an HTTP response is received from a web server, reverse proxy 140 may apply a corresponding online behavioral tracking policy to the HTTP response based on one or more characteristics or a status (e.g., the geographic location) of the visitor. After the proper web tracking policy is applied, reverse proxy 140 forwards the revised HTTP response to browser 110. The HTTP response may be encrypted if HTTPS is in use.

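
The response-rewriting step that paragraphs [0015] and [0030] describe, sketched as an added example (not code from the patent or from any Fortinet product). The region codes, policy table, cookie names, tracker host and banner script path are constructed assumptions, and the GeoIP lookup that yields the region is left out.

```python
# Added example: response-rewriting step of a policy-enforcing reverse proxy.
# Region codes, policies, cookie names, hosts and the banner path are constructed.
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

CONSENT_COOKIE = "obt_consent"   # hypothetical cookie recording the visitor's consent


@dataclass(frozen=True)
class TrackingPolicy:
    require_explicit_consent: bool   # no tracking cookies/scripts before consent
    show_banner: bool                # inject a cookie banner until consent is recorded


# Constructed region -> policy table (XA/XB are user-assigned ISO 3166 codes).
POLICIES = {
    "XA": TrackingPolicy(require_explicit_consent=True, show_banner=True),
    "XB": TrackingPolicy(require_explicit_consent=False, show_banner=True),
}
# Unknown region: apply the strictest policy rather than letting tracking through.
DEFAULT_POLICY = TrackingPolicy(require_explicit_consent=True, show_banner=True)

ESSENTIAL_COOKIES = {"sessionid", "csrftoken"}   # assumed strictly necessary
TRACKING_HOSTS = {"analytics.example"}           # assumed third-party tracker
BANNER_SNIPPET = '<script src="/_proxy/cookie-banner.js"></script>'  # hypothetical

# Good enough for the sample page; a production proxy would use an HTML parser.
SCRIPT_RE = re.compile(
    r'<script\b[^>]*\bsrc\s*=\s*["\']([^"\']+)["\'][^>]*>.*?</script\s*>',
    re.IGNORECASE | re.DOTALL,
)
BODY_END_RE = re.compile(r"</body\s*>", re.IGNORECASE)


def client_status(region, request_headers):
    """Client status = region (from a GeoIP lookup, not shown) + recorded consent."""
    consented = False
    for name, value in request_headers:
        if name.lower() != "cookie":
            continue
        for part in value.split(";"):
            key, _, val = part.strip().partition("=")
            if key == CONSENT_COOKIE and val == "yes":
                consented = True
    return {"region": region, "consented": consented}


def _set_cookie_name(header_value):
    return header_value.split(";", 1)[0].split("=", 1)[0].strip()


def _drop_tracking_script(match):
    host = (urlsplit(match.group(1)).hostname or "").lower()
    return "" if host in TRACKING_HOSTS else match.group(0)


def enforce(status, response_headers, body):
    """Return (headers, body) rewritten per the policy for this client's status.

    Assumes the proxy has buffered and decoded the body (no Content-Encoding).
    """
    policy = POLICIES.get(status["region"], DEFAULT_POLICY)
    block = policy.require_explicit_consent and not status["consented"]
    is_html = any(n.lower() == "content-type" and v.lower().startswith("text/html")
                  for n, v in response_headers)
    headers = []
    for name, value in response_headers:
        lname = name.lower()
        if lname == "content-length":
            continue                                  # recomputed after rewriting
        if block and lname == "set-cookie" \
                and _set_cookie_name(value) not in ESSENTIAL_COOKIES:
            continue                                  # strip non-compliant cookie
        headers.append((name, value))
    if is_html:
        if block:
            body = SCRIPT_RE.sub(_drop_tracking_script, body)
        if policy.show_banner and not status["consented"]:
            ends = list(BODY_END_RE.finditer(body))
            idx = ends[-1].start() if ends else len(body)
            body = body[:idx] + BANNER_SNIPPET + body[idx:]
    headers.append(("Content-Length", str(len(body.encode("utf-8")))))
    return headers, body


# Constructed sample response from an origin web server.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "sessionid=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "_trk=u-991; Max-Age=63072000; Path=/"),
    ("Content-Length", "0"),
]
SAMPLE_BODY = ('<html><body><p>hi</p>'
               '<script src="https://analytics.example/t.js"></script>'
               '<script src="/static/app.js"></script></body></html>')
```
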
`[0031] According to one embodiment, the online behav-
`
`
`
`
`
`
`
`
`ioral tracking policy applied to the HTTP response is in
`
`
`
`
`
`
`compliance with online communication privacy regulations
`
`
`
`
`
`
`of the visitor’s country or an option explicitly or implicitly
`
`
`
`
`
`
`
`consented to or selected by the visitor. In such an embodi-
`
`
`
`
`
`
`
`
`
`ment, if the visitor is a first time visitor, reverse proxy 140
`
`
`
`
`
`
`
`
`may determine from which country the visitor is accessing
`
`
`
`
`
`
`
`
`
`the web server and what cookie policy is required by the
`
`
`
`
`
`
`
`country. If the cookie policy of the country requires a cookie
`
`
`
`
`
`
`
`
`
`bannerto be displayed on the web page to warn the user that
`
`
`
`
`
`
`
`
`HTTP cookies may be used by the webserver, reverse proxy
`
`
`
`
`
`
`
`
`
`140 may inject a script within the HTTP response to cause
`
`
`
`
`
`
`
`
`
`the required cookie banner to be displayed by the user’s
`
`
`
`
`
`
`
`
`
`
`browser. If the cookie policy of the country requires an
`
`
`
`
`
`
`
`
`explicit consent from user before any cookie is used, a
`
`
`
`
`
`
`
`
`consent link or button may be included within the cookie
`
`
`
`
`
`
`
`
`
`
`banner. The visitor may click the consent link or button
`shown within the cookie bannerif the visitor consents to the
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`usage of HTTP cookies of web servers. The visitor’s selec-
`
`
`
`
`
`
`
`
`
`
`tion may then be sent back to the reverse proxy 140 or web
`
`
`
`
`
`
`
`
`servers 120a-120c. After reverse proxy 140 receives the
`
`
`
`
`
`
`
`
`
`consent of cookie usage from the user, reverse proxy 140
`
`
`
`
`
`
`
`
`may embed HTTP cookies or implement or apply other
`
`Page 9 of 16
`
`Netskope Exhibit 1007
`
`Page 9 of 16
`
`Netskope Exhibit 1007
`
`
`
`
`
`US 2017/0093917 Al
`
`
`
`Mar. 30, 2017
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`tracking policies on or to the HTTP response that is to be
`tracking policy database 240
`[0047] Online behavioral
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`sent to browser 110. Exemplary structures and functions of
`may also include corresponding scripts, functions, rules
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`reverse proxy 140 are described in detail below with refer-
`and/or commandsthat are used to implementspecific online
`
`
`
`
`
`
`
`
`
`ence to FIGS. 2, 3 and 4.
`communication privacy regulations and visitors’ options.
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`For example, one or more appropriate HTTP cookies and/or
`[0032]
`FIG. 2 illustrates exemplary functional units of a
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`scripts may be selected by online behavioral tracking con-
`reverse proxy in accordance with an embodiment of the
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`troller 230 based on the status of a particular visitor to the
`invention.
`In this example,
`reverse proxy 200
`present
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`website and may be embedded within an HTTP response by
`includes a proxy module 210, a status monitor 220, an online
`
`
`
`
`
`
`
`
`
