
HK1168957A - Systems, methods, and apparatus to monitor mobile internet activity - Google Patents


Info

Publication number
HK1168957A
Authority
HK
Hong Kong
Prior art keywords
internet
request
content
participant
client device
Application number
HK12109021.0A
Other languages
Chinese (zh)
Inventor
A.帕帕寇斯塔斯
M.杨克
Original Assignee
尼尔森(美国)有限公司
Application filed by 尼尔森(美国)有限公司

Description

System, method and apparatus for monitoring mobile internet activity
Technical Field
The present invention relates generally to monitoring internet activity and, more particularly, to systems, methods and apparatus for monitoring mobile internet activity.
Background
In recent years, methods of accessing internet content have been greatly developed. For example, internet content has previously been accessed primarily through computer systems such as desktop and laptop computers. More recently, handheld mobile devices (e.g., smart phones) have been introduced that allow users to request and browse internet content. Typically, a mobile device requests and receives internet content via a wireless access network (e.g., without limitation, an 802.11g WiFi network).
Drawings
FIG. 1 is a block diagram of an example system that monitors mobile Internet activity.
FIGS. 2 and 2A are block diagrams illustrating example request and response flows through the example system of FIG. 1.
FIG. 3 is a block diagram of the example proxy server of FIG. 1.
FIG. 4 is an example hypertext transfer protocol (HTTP) request received by the example proxy server of FIGS. 1, 2, and 3.
FIGS. 5 and 5A are flowcharts representative of example machine readable instructions that may be executed to implement the example proxy server of FIGS. 1, 2, and 3.
FIG. 6 is a flowchart representative of example machine readable instructions that may be executed to implement the example registrar (registry) of FIG. 1.
FIG. 7 is a block diagram of an example computer that may execute, for example, the machine readable instructions of FIGS. 5, 5A, and/or 6 to implement the example monitors of FIGS. 1, 2, and 3 and/or the example registrar of FIG. 1.
Detailed Description
Mobile monitoring companies desire to obtain information about how users interact with their handheld mobile devices, such as smart phones. In particular, mobile monitoring companies want to monitor internet traffic to and from handheld mobile devices, where exposure to advertisements is monitored, advertising effectiveness is determined, user behavior is determined, purchasing behavior associated with various demographics is identified, and so forth. Some known systems have utilized proxy servers to monitor internet content sent to and from monitored devices.
Such known monitoring systems implement the proxy server as a hypertext transfer protocol (HTTP) proxy server, communicate with the monitored handheld device through a single port, and require that the monitored device provide authentication credentials, including a username/device name and password, that uniquely identify the mobile device involved in the internet communication. These monitoring systems allow mobile monitoring companies to associate internet activity with the mobile device that issued it, based on the username and password. Internet activity on handheld mobile devices is not limited to use with browsers (e.g.,). For example, and iPad™ many third party applications (sometimes referred to as "Apps") that access internet content are supported to perform special functions. For example, a weather application may request and display HTTP data from www.weather.com. These apps typically do not allow unlimited browsing from web site to web site over the internet (although they allow activity within a defined set of web pages). Thus, apps typically provide access to limited data on the internet. In contrast, a browser enables the user to access virtually any publicly available site on the internet (subject to limitations such as content blocking) and directly displays the content of, for example, the www.weather.com website to the user.
While some applications accessing internet content respond properly to proxy server requests for credentials, many applications, such as the weather application in the previous example, do not currently support proxy server authentication and therefore cannot run if the proxy server requests credentials. This can frustrate the participant and may cause the participant to abandon participation in the monitoring group. Furthermore, the monitoring entity desires to monitor internet activity without affecting the way the user behaves. Application failures caused by the monitoring technique are inconsistent with this goal.
Some example monitoring methods use an unauthenticated proxy server on a port uniquely assigned to the participant and/or the handheld mobile device. However, when the handheld mobile device communicates over a WiFi network, there is likely to be a firewall between the handheld mobile device and the proxy server. For example, many businesses and/or companies use firewalls to prevent malicious and/or unwanted internet content from reaching users of their networks. Firewalls block malicious and/or unwanted internet content by blocking certain ports. Ports 0 to 1023 are defined by the Internet Assigned Numbers Authority (IANA) as well-known ports that may not be used without IANA registration, so communication through well-known ports is more likely to be legitimate and is therefore less likely to be blocked. Internet communications outside of the well-known port range may be determined to be malicious and/or undesirable and, therefore, may be blocked by the firewall. The firewall may block all internet communications from port 1024 to port 65535; if the uniquely assigned port is within the blocked range (e.g., port 1024 to port 65535), the internet communication of the handheld mobile device may be blocked. Because the firewall may be configured to block communications on unregistered ports, some participants (e.g., participants communicating via blocked ports) may experience application failures when using the WiFi network. This can frustrate the participant and may cause the participant to abandon participation in the monitoring group. Furthermore, the monitoring entity desires to monitor internet activity without affecting the way the user behaves. Application failures caused by the monitoring technique are inconsistent with this goal.
To avoid the errors inherent in the use of unauthenticated proxy servers (e.g., proxy server ports blocked by firewalls) and authenticated proxy servers (e.g., applications failing to respond properly to requests for authentication credentials), the example system shown in FIG. 1 uses an actively filtering proxy server. The actively filtering proxy server monitors internet communications and requests authentication credentials from applications that support proxy server authentication, while allowing unauthenticated internet communications when they are generated by applications that do not support authentication credentials.
When an application of a client device requests internet content, the application embeds a user agent field in the content request. The user agent field indicates the application that is requesting the content. For example, if the browser application requests internet content, the user agent field identifies to the content server that the browser application is requesting the content. If the application is known to respond to authentication requests, the monitoring system of FIG. 1 determines, upon receiving the request from the application, whether valid credentials are provided. If valid credentials are provided, the monitoring system forwards the request to the internet content provider identified by the request. Alternatively, if the application is known not to respond to authentication requests, the monitoring system forwards the request to the internet content provider identified by the request upon receiving it from the application.
Applications are being developed every day, and therefore new user agent identifiers are constantly being generated. For example, once a new version of an application is released, a new user agent identifier may identify the version of the application requesting the internet content. In order to correctly identify whether an application responds to authentication requests, the user agent is matched with an application whose authentication capabilities are known. For example, if a new version of the browser application is released and includes a new user agent identifier, the user agent identifier of the previous version of the browser application may substantially match the user agent identifier of the new version. If the previous version of the browser application supports authentication, it is likely that the next version will also support authentication, and therefore authentication credentials are requested.
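The filtering decision described in the three paragraphs above can be written out as follows. This is an added Python example, not code from the patent. The user agent strings, the credential store, the 0.8 similarity threshold, the use of `difflib` as the "substantially matches" test, HTTP Basic proxy authentication, and the choice to forward requests from unrecognised user agents without a challenge are all assumptions made for illustration.

```python
import base64
import difflib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample data (assumptions, not values from the patent).
# Known User-Agent string -> does that application answer proxy auth challenges?
KNOWN_AGENTS: Dict[str, bool] = {
    "ExampleBrowser/5.0 (Mobile)": True,
    "ExampleWeather/1.2 AppClient": False,
}
# Credentials assigned by the registrar (username -> password).
CREDENTIALS: Dict[str, str] = {"participant-0001": "pw-for-0001"}
SIMILARITY_THRESHOLD = 0.8  # assumed cut-off for "substantially matches"


@dataclass
class Decision:
    action: str                 # "challenge" (answer 407) or "forward"
    participant: Optional[str]  # set only when valid credentials were supplied


def parse_headers(raw: bytes) -> Dict[str, str]:
    """Return the request headers with lower-cased names."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def supports_proxy_auth(user_agent: str) -> bool:
    """Exact match first, then the closest known agent above the threshold."""
    if user_agent in KNOWN_AGENTS:
        return KNOWN_AGENTS[user_agent]
    best, best_ratio = None, 0.0
    for known in KNOWN_AGENTS:
        ratio = difflib.SequenceMatcher(None, user_agent, known).ratio()
        if ratio > best_ratio:
            best, best_ratio = known, ratio
    if best is not None and best_ratio >= SIMILARITY_THRESHOLD:
        return KNOWN_AGENTS[best]
    return False  # assumption: unrecognised agents are not challenged


def authenticate(header_value: Optional[str]) -> Optional[str]:
    """Validate a Proxy-Authorization: Basic header; return the username or None."""
    if not header_value:
        return None
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:  # covers malformed base64 and undecodable bytes
        return None
    user, sep, password = decoded.partition(":")
    expected = CREDENTIALS.get(user)
    if not sep or expected is None:
        return None
    if hmac.compare_digest(password.encode(), expected.encode()):
        return user
    return None


def decide(raw_request: bytes) -> Decision:
    """Challenge only applications known (or inferred) to support proxy auth."""
    headers = parse_headers(raw_request)
    if not supports_proxy_auth(headers.get("user-agent", "")):
        return Decision("forward", None)
    participant = authenticate(headers.get("proxy-authorization"))
    if participant is None:
        return Decision("challenge", None)
    return Decision("forward", participant)


def challenge_response() -> bytes:
    """The HTTP reply that asks the client for proxy credentials."""
    return (b"HTTP/1.1 407 Proxy Authentication Required\r\n"
            b'Proxy-Authenticate: Basic realm="monitoring-proxy"\r\n'
            b"Content-Length: 0\r\n\r\n")


def make_request(user_agent: str, user: str = "", password: str = "") -> bytes:
    """Build a constructed proxy request for the demonstration below."""
    lines = ["GET http://www.weather.com/ HTTP/1.1",
             "Host: www.weather.com",
             "User-Agent: " + user_agent]
    if user:
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        lines.append("Proxy-Authorization: Basic " + token)
    return ("\r\n".join(lines) + "\r\n\r\n").encode()


if __name__ == "__main__":
    for ua, user, pw in [
        ("ExampleBrowser/5.1 (Mobile)", "", ""),  # new browser version
        ("ExampleBrowser/5.1 (Mobile)", "participant-0001", "pw-for-0001"),
        ("ExampleWeather/1.3 AppClient", "", ""),  # app without proxy auth
    ]:
        print(ua, "->", decide(make_request(ua, user, pw)))
```

Requests forwarded with `participant=None` cannot be tied to a participant by credentials, which is the trade-off the description accepts to keep non-authenticating applications working.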
The monitoring system may then record identifiers of some or all of the data requested and/or received by the client device and/or the data itself. The data identifiers and/or the data itself (e.g., web page content) are collectively referred to herein as "session data". The session data is recorded in association with the participant via the credentials with which the session data is transmitted. Based on the recorded session data and the recorded credentials, the monitoring system can uniquely identify sites visited by the particular participant and how the participant interacted with their mobile device, while avoiding disruption of service to the participant.
Fig. 1 is a block diagram of an example system 100 for monitoring mobile internet activity. The example system monitors internet traffic to and/or from handheld mobile devices (e.g., the first client device 110 is associated with the first participant 115 and the second client device 130 is associated with the second participant 135). The monitored internet traffic between the monitoring devices (e.g., client device 110 and client device 130) and the internet site (internet content provider 170 is shown) is sent to the example monitoring system 100. As shown in fig. 1, the traffic passes through a wireless (e.g., WiFi) communication system (e.g., internet service provider 145 and communication links 120, 140). The example monitoring system 100 includes a registrar 155, a storage database 160, and a proxy server 165.
The example first and second client devices 110, 130 of FIG. 1 are handheld mobile devices. Although the first client device 110 is illustrated as and the second client device 130 is a flip phone, any other type of device may be used. For example, other types of phones, laptops, desktops, Personal Digital Assistants (PDAs), netbooks, or tablet computers (e.g., iPad™) may be used. The first and second client devices 110, 130 may implement any mobile operating system and may implement any type of hardware and/or form factor. In the illustrated example, the first and second client devices 110, 130 are mobile devices and communicate via first and second wireless communication links 120, 140.
The illustrated first and second communication links 120, 140 are WiFi communication links. However, any type of communication method and/or system may additionally or alternatively be used, e.g., an Ethernet connection, a Bluetooth connection, a cellular connection, and so on. Further, the first and second communication links 120, 140 illustrated in FIG. 1 implement WiFi connectivity via the Institute of Electrical and Electronics Engineers (IEEE) 802.11g standard. However, any other communication system and/or protocol may be used, such as IEEE 802.11n, IEEE 802.11b, and so forth.
The illustrated first and second participants 115, 135 are participants in a monitoring service. Although the example system of FIG. 1 is a participant-based system, non-participant and/or mixed participant systems may alternatively be used. In the illustrated participant system, demographic information is obtained from a user as the user joins and/or registers with a group. Demographic information may be obtained from the user by telephone, by having the user complete an online survey, or the like. Additionally or alternatively, participants may be contacted and/or recruited using any desired methodology (e.g., random selection, statistical selection, phone requests, internet advertisements, surveys, shopping mall advertisements, etc.).
In the illustrated example, the first and second participants 115, 135 are associated with the first and second client devices 110, 130, respectively. In the illustrated example, the client devices 110, 130 are owned, leased, or otherwise belong to their respective participants. The illustrated monitoring entity does not provide a client device. In other systems, participants are provided with client devices to join the group. Although in the illustrated example each of the first and second client devices 110, 130 is associated with a single participant, the first and second client devices 110, 130 may alternatively be associated with multiple participants. For example, a home may have one client device that is shared among multiple users. Sharing of a client device is generally less common when the client device is a cellular telephone than when the client device is a portable computer (e.g., iPad™).
The illustrated internet service provider 145 provides wireless internet services to the first and second client devices 110, 130 via the communication links 120, 140. In the illustrated example, wireless services are provided over a WiFi connection. However, the internet service provider 145 may provide internet services through any other type of connection. Further, the internet service provider 145 may implement WiFi connectivity via the IEEE 802.11g standard. However, any other communication system and/or protocol may be used. In practice, the internet service provider 145 is sometimes referred to as a local access point and provides a local area network to the client devices. In the illustrated example, the internet service provider includes a firewall that blocks all ports (ports 1024 to 65535) that are not within the well-known port range defined by IANA. However, the ports blocked by the firewall may be any other ports and may vary from internet service provider to internet service provider. For example, the security policy of a corporate network firewall (e.g., at an office or store) may be more restrictive and block more ports than the security policy of a public network (e.g., a wireless access network hosted at a public location such as a coffee shop).
In the illustrated example, the monitoring system 100 is shown as multiple computing systems; however, the monitoring system 100 may alternatively be implemented as a single computing system. In the illustrated example, the monitoring system 100 includes a registrar 155, a storage database 160, and a proxy server 165. However, additional structures may be implemented to accomplish one or more portions of the functions implemented by registrar 155, storage database 160, and/or proxy server 165, and/or other functions.
In the example of fig. 1, the registrar 155 receives registration information from the participants 115, 135 and stores records identifying the participants 115, 135 and/or their respective client devices 110, 130. In the illustrated example, the received registration information includes statistical information. However, any other information may additionally or alternatively be collected. The registration information may include, for example, information identifying the model of the mobile device associated with the participant, a mail address associated with the participant, an email address associated with the participant, a telephone number associated with the mobile device, a unique identifier of the participant and/or the mobile device (e.g., a combination or derivative of the social security number of the participant, the telephone number of the mobile device, the zip code of the participant and/or any information related to the participant and/or the mobile device), the age of the participant, the gender of the participant, the ethnicity of the participant, the income of the participant, where the participant generally wants to use their device, how long the participant owns their device, the educational level of the participant, and/or any other information related to the participant and/or the mobile device.
In the illustrated example, the registrar 155 receives the registration data via an electronic interface (e.g., by the participant entering the data into a form at a website or answering survey questions at a website). However, the registrar may receive the registration data in other ways. For example, the registrar may receive the registration data through a personal conversation (over the phone or in person), a phone interface, direct mail, purchase list, and so forth. Although the illustrated registrar 155 is an electronic system, the registrar 155 may alternatively be implemented manually by a person or group of persons collecting and entering registration data into the storage database 160.
Upon receiving the registration data, the illustrated registrar 155 generates a record associating the participant and device identifier information with the collected statistical information. The registrar 155 may also assign unique alphanumeric identifiers to participants or devices. The identifier may be based on, for example, a serial number of the client device. The record is stored in the storage database 160. In the illustrated example, the registrar 155 also assigns unique credentials to the participants 115, 135 and/or client devices 110, 130 and stores the credentials within the records (or in association with the records of that participant and/or client device). As mentioned above, in addition to assigning and storing credentials, the registrar may also assign and store other identifiers. For example, the registrar may assign and store identifiers of client devices and/or participants. The participant or client device identifiers may be the same as the credentials, or they may be different from the credentials. Further, when storing the credentials in the storage database 160, the registrar may encode and/or encrypt the credentials to provide security and/or anonymity to the participant.
In addition to assigning and storing credentials, the illustrated registrar 155 also generates configuration documents. In the illustrated example, the configuration document instructs the participant how to configure the client device. In the illustrated example, the instruction document is an email message. However, any other type of instruction document may additionally or alternatively be used. For example, a Portable Document Format (PDF) file and/or document may be sent to the participant as an attachment to an email message. Moreover, the configuration document may be custom generated for a particular type of mobile device based on the model of the mobile device, which is also received by the registrar as part of the registration data.
Alternatively, the configuration document may comprise an electronically readable file that instructs the mobile device to apply the settings contained in the configuration document. In some examples, the configuration document is an extensible markup language (XML) file that implements a property list (referred to herein as plist) file that includes configuration data such as the credentials, port numbers, and internet proxy addresses used by the respective participants and/or client devices. However, any other type of document may be generated, such as comma separated values (CSV) files, Portable Document Format (PDF) documents, video files, audio files, documents, and the like. In the illustrated example, the configuration document is signed using a public/private key structure. However, the configuration document may alternatively not be signed. If the configuration document is not signed, it may be presented to the participant as an invalid configuration document, which may cause the participant to abandon participation in the group. The configuration document is sent to the corresponding client device (e.g., via an email message with an attachment or with a file link). The client device may then interpret the data in the configuration document and apply the data (e.g., credentials and internet proxy address) to subsequent communications of the mobile device. In the illustrated example, the configuration document causes the mobile device to send all internet traffic to the internet address of the proxy server 165 and to specify in this communication the credentials assigned to the client device. As a result, all internet communications to and/or from the mobile device are directed to the proxy server 165 and can, upon authentication, be identified or associated with a particular client device. In the illustrated example, the plist file is implemented for interpretation by iPad™. However, the mobile device may be any other type of mobile device and may receive any type of configuration document.
In the example of FIG. 1, the configuration document is an instruction document that instructs the participant how to configure the client device to communicate with the proxy server 165. However, the configuration document may additionally or alternatively be an electronic document that may be interpreted by the client device to automatically configure the client device to communicate internet-related messages to the proxy server 165. The configuration document may thus instruct the participant how to apply the data stored in it, or may directly apply the data stored in it to the client device.
As mentioned above in the illustrated example, the configuration document is sent to the participants via email messages. However, any other manner of sending the profile to the participant may additionally or alternatively be used. For example, an email message containing a hyperlink to the configuration document may be sent, the configuration document may be sent to the participant via a Short Message Service (SMS) message, the configuration document may be sent to the participant via mail, and/or a telephone call may be initiated to the participant to instruct the participant to configure the client device.
Finally, registrar 155 sends the configuration document to the participants and/or client devices. In the illustrated example, the configuration document is provided via an electronic mail (email) message. The email message includes a hyperlink to download the configuration document to the client device. However, any other method of sending the configuration document may additionally or alternatively be used. For example, the configuration document may be sent as an attachment to an email message, registrar 155 may send a Short Message Service (SMS) message including a link to, or a representation of an internet address at which, the client device may download the configuration document, a direct mailing including the configuration document and/or an electronic medium containing the configuration document may be sent to the participant, a telephone call may be initiated to verbally instruct the participant how to configure the client device, and so on.
The registrar 155 of FIG. 1 is implemented by a processor executing instructions, but it could alternatively be implemented by an ASIC, DSP, FPGA or other circuit. The storage database 160 receives and stores identifiers from the registrar 155 that associate the participants 115, 135 with the client devices 110, 130. Additionally, the storage database 160 receives and stores monitoring data from the proxy server 165. When credentials are provided, the monitoring data is associated with the respective participant and/or client device via the authentication credentials for the respective monitored internet traffic. The storage database 160 can also store data other than identifiers and/or measurement data. For example, updated software and/or updated firmware of any component of the monitoring system 100 may be stored in the storage database 160. In addition, the storage database 160 can store information that enables the registrar 155 to generate configuration documents. For example, the storage database 160 may store registration information such as the model number of the client device 110, 130. Additionally, the storage database 160 may store statistical data collected by the registrar 155.
The storage database 160 may be any device for storing data, such as flash memory, magnetic media, optical media, and the like. Moreover, the data stored in the storage database 160 may be in any data format, such as binary data, comma separated data, tab separated data, Structured Query Language (SQL) structures, and so forth. Although in the illustrated example the storage database 160 is shown as a single database, it may be implemented by multiple databases.
The illustrated proxy server 165 receives requests from the client devices 110, 130 via the wireless internet service provider 145. The requests of the client devices 110, 130 are received by the proxy server 165 because the configuration document has been applied to the respective client device, instructing the client device to send all subsequent requests via the proxy server 165. In the illustrated example, the proxy server 165 receives the internet content request via at least one well-known port (e.g., port 0 through port 1023). By using only well-known ports, it is unlikely that internet communications will be blocked by a firewall. Although a single proxy server 165 is used in the illustrated example, any number of proxy servers may represent the proxy server 165 of FIG. 1. Since the only limiting factor on the number of participants that can be served is the processing power of the proxy server 165, the size of the group can be expanded by using additional proxy servers at other internet addresses. Additional proxy servers at other internet addresses may be implemented by the same proxy server 165 or by multiple proxy servers. For example, the proxy server 165 may have multiple internet addresses assigned to the network interfaces (e.g., virtual interfaces) of the proxy server 165, or the proxy server 165 may have multiple network interfaces, each with an internet address. Although in the illustrated example only ports within the well-known port range are used, any other ports may additionally or alternatively be used. For example, ports within a registered port range and/or a dynamic and/or private port range may potentially be used to receive internet content requests from participants. In scenarios where a group-based monitoring system, such as monitoring system 100, is being tested, a typical group will include at least six participants. In schemes using ongoing groups, groups of at least 1500 participants in size may be used.
Upon receiving a request from a client device 110, 130, the proxy server 165 retrieves the requested internet content from the internet content provider 170 (or from a local cache if, for example, it has been previously requested and stored). To identify the participant associated with the request, the proxy server 165 determines whether the request originated from an application that supports proxy server authentication. If the application is identified as supporting proxy authentication, the proxy server 165 determines whether credentials are provided. If no credentials are provided, the proxy server 165 requests credentials from the requesting device. If credentials are provided, the proxy server associates the request with the participant via the credentials.
Typically, the port used by the proxy server to communicate with the content provider 170 is limited to hypertext transfer protocol (HTTP) data that appears through port 80. Upon obtaining the requested internet content from the internet content provider 170, the content is forwarded to the requesting client device 110, 130 through the assigned port in the illustrated example. Additionally or alternatively, the content is forwarded to the requesting client device 110, 130 through a port other than the assigned port (e.g., port 80).
The illustrated proxy server 165 stores the request for internet content originating from the client device 110, 130, and/or a portion of this request, in the storage database 160 in association with the credentials with which the request was received. In storing the request, the proxy server 165 may additionally store other identifiers, such as an identifier of the client device 110, 130, an identifier of the participant 115, 135, and/or the credentials provided by the client device 110, 130. Additionally or alternatively, proxy server 165 may store a portion of the internet content in storage database 160. For example, the proxy server 165 may store the main portion of the web page sent to the client device 110, 130. In another example, proxy server 165 may store identifiers of advertisements that appear on a web page sent to a client. This is particularly useful in the case of web site recurring advertising. Additionally or alternatively, the proxy server 165 may store characteristics of the response, such as the HTTP header, a status code of the HTTP header, a content type of the HTTP header, and so forth.
The internet content provider 170 provides content to customers via the internet. In the illustrated example, the proxy server 165 acts as an intermediary for the client devices 110, 130 and, thus, is a client of the internet content provider 170. Internet content is often provided through port 80 because most internet content is data in HTTP format. However, any other port may be used to provide internet content. For example, File Transfer Protocol (FTP) data may be sent through port 21, HTTP over Secure Socket Layer (SSL) may be sent through port 443, and so on.
The internet content provider 170 may be any provider. For example, the internet content provider 170 may include a web page server that formats web pages as hypertext markup language (HTML) content. Alternatively, the internet content provider 170 may be an application server that provides application content to applications that access internet content. The application content may be formatted as HTML, XML, or any other protocol or port that may be used to return the content to the requestor. In some examples, the application data is implemented in a protocol specific to an application requesting internet content (e.g., a weather application as described above).
FIG. 2 is a block diagram 200 illustrating an example request and response flow through the example system of FIG. 1. The block diagram 200 of fig. 2 illustrates communications between a mobile device 205, a local network 230, a firewall 232, a proxy server 165, a storage database 160, the internet 240, and an internet content provider 170. The mobile device 205 represents any of the client devices 110, 130 and includes a device network subsystem 210, a browser application 215, an application 220 for accessing internet content, and a user interface 225. Additionally, the block diagram illustrates a first request 235, a second request 245, a first response 250, and a second response 255.
Device network subsystem 210 provides a framework for sending and receiving content. Device network subsystem 210 may be implemented by an application processor, a software system that facilitates network communications, a browser engine, a baseband processor that transmits network traffic, and/or any other system that provides a framework for transmitting and receiving content. In the illustrated example, the device network subsystem is composed of a network library provided in the operating system. However, any other library, system, or program may additionally or alternatively be used.
The browser application 215 and the application 220 that accesses internet content are applications that are executed by a processor of the mobile device 205. The browser application 215 requests HTTP internet content from the internet content provider 170 and renders the HTTP content for display. Additionally or alternatively, the browser application may request and present HTTP internet content. In some examples, the browser application is composed ofTo be implemented. However, any other application may alternatively be used. For example, Pocket Internet Explorer may be used. In some examples, the HTTP internet content is HTML content. However, the content may be presented in any format that may be provided by the browser application 215.
The application 220 that accesses the internet content may be any application on the mobile device that requests the internet content. For example, the application 220 accessing internet content may be a weather application provided by www.weather.com accessing internet content. The internet content provider 170 providing www.weather.com with content may respond to content requests with HTML data. However, any other type of data may be included in the content request. For example, an internet content provider 170 providing www.weather.com content may provide an XML file containing a compressed weather forecast. Additionally or alternatively, the application 220 accessing internet content may request media, such as photos, videos, audio, and so forth. Typically, the application 220 accessing internet content is limited to a small amount of information to be displayed. For example, a weather application cannot display sports news. Although the browser 215 or the application 220 accessing internet content may initiate content requests, in some devices the requests are formatted and sent by the device network subsystem 210 based on system-wide settings that control the routing and/or address (e.g., a particular port to proxy server 165) of these requests.
The illustrated user interface 225 provides a display to a user and receives input from the user. The user interface 225 may include hardware, a graphics library, and/or a graphics driver for displaying content to the participant, and include hardware, an input library, and/or an input driver for receiving input from the participant. Either or both of the browser application 215 and the application 220 accessing internet content may utilize the user interface to display content and receive input.
The local network 230 is controlled by the internet content provider 145. In the illustrated example, local network 230 is an Internet Protocol (IP) version 4 (IPv4) based network. However, any other network technology may additionally or alternatively be implemented. For example, local network 230 may implement the IP version 6 (IPv6) protocol. Further, the illustrated local network 230 is implemented using the communication links 120, 140. Although a WiFi connection is illustrated, any other communication method may additionally or alternatively be used, for example, Ethernet, cellular, etc. In addition, local network 230 is shown as a public network. However, the network may be a private network.
The illustrated firewall 232 applies a security policy to the requests and responses that pass through the firewall 232. In some examples, firewall 232 may only allow communication through well-known ports (e.g., ports 0-1023) because those ports may represent known protocols without security risks. If communications on a port are not allowed to pass through the firewall 232, then communications cannot be sent from the requesting client device to the proxy server 165.
The proxy server 165 receives the internet content request 235 from the mobile device, obtains the content by sending a second request 245 to the corresponding content provider 170, receives the content from the content provider's 170 response 250, and forwards the content to the mobile device 205 via the second response 255. In the illustrated example, proxy server 165 stores the characteristics and/or identifiers of the requests and/or responses in storage database 160. These characteristics and/or identifiers may be, for example, a timestamp of the request and/or response, an IP address of the client, a user agent of the request, a status code of the response, a content type of the response, and so forth. However, the proxy server 165 may additionally store the responsive internet content in the storage database 160. In forwarding the request, proxy server 165 translates the port of the request, as described below in conjunction with FIG. 2A.
The illustrated internet 240 is a public network. However, a private network may be used instead. For example, an internal network of an organization and/or company may be used to determine how members of the organization and/or employees of the company utilize internal web content through mobile devices.
The illustrated example shows the communication flow for a single request. The first request 235 is sent from the mobile device 205 to the proxy server 165 through the local network 230 and across the firewall 232. The first request 235 uses a port that is not prohibited by the firewall 232 and requests HTTP content (e.g., the request is for content provided through port 80). However, the requested content may be requested through any port. For example, the request may be for File Transfer Protocol (FTP) content and may occur through port 21. Upon receiving the first request 235, the proxy server 165 stores some or all of the request in the storage database 160 and generates a second request 245. As shown in FIG. 2A, the second request 245 is effectively a translation of the first address. The second request 245 is directed to the internet content provider 170 identified in the first request 235. The illustrated second request 245 is sent via the internet 240 through the port 80 because the content identified by the first request 235 will be provided through the port 80. The internet content provider 170 responds to the second request 245 with a first response 250. The proxy server 165 receives the first response 250 through the port 80, stores some or all of the request in the storage database 160, and forwards the contents of the first response 250 as a second response 255 to the mobile device 205 through the port assigned to the mobile device 205.
FIG. 2A is a block diagram 201 illustrating an example request and response flow through the example system of FIG. 1. Block diagram 201 includes proxy server 165, internet content provider 170, mobile device 205, carrier network 230, and internet 240. The block diagram 201 additionally includes a first request 235, a second request 245, a first response 250, and a second response 255. Further, the illustrated requests and responses are represented by HTTP request and response headers. The first request 235 is represented by a first HTTP request header 236 and the second request 245 is represented by a second HTTP request header 246. The first response 250 is represented by a first HTTP response header 251 and the second response 255 is represented by a second HTTP response header 256.
The first HTTP request header 236 is a header of a GET request generated by the mobile device 205. In the illustrated example, the internet content provider 170 is identified by an absolute Uniform Resource Locator (URL) in the first line of the first HTTP request header 236, and the address and uniquely assigned port of the proxy server 165 are identified by the "Host" line of the first HTTP request header 236. The host identified in the illustrated example is proxy.monitoringentity.com, and the port on which the request was obtained is 80. However, any other address and any other port identifying proxy server 165 may alternatively be used. For example, the address identifying the proxy server 165 may be an Internet Protocol (IP) address of the proxy server 165. In the illustrated example, the absolute URL of the internet resource is "http://www.google.com". However, any other URL may additionally or alternatively be used.
The proxy server 165 receives the first content request 235 and generates a second content request 245. The second content request 245 is represented by a second HTTP request header 246. In the illustrated example, the second HTTP request header 246 is a GET request directed to "http://www.google.com" and is sent through port 80 because no port other than port 80 is identified. The content requested from "http://www.google.com/" in the illustrated example is "/". The proxy server generates the contents of the second request by examining the first request 235. For example, the proxy server 165 identifies that the content requested by the first request 235 is "http://www.google.com/", determines that the port to be translated to is port 80 (identified by http://), determines that the identified internet content provider 170 is "http://www.google.com", and determines that the web page requested from the internet content provider is "/". The second content request 245 is sent through port 80 because the proxy server 165 determines that the requested content is HTTP content and no alternative port number is specified. Alternatively, the content identified by the first content request 235 may be content provided on a port other than port 80. In that example, the absolute URL of the first HTTP request header 236 identifies the requested content as "http://www.google.com:1234/", to convey that the content identified by the request is provided on port 1234. In addition, proxy server 165 will generate a second HTTP request header 246 that includes port 1234 in the identified host (e.g., www.google.com:1234).
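The translation of the first HTTP request header 236 into the second HTTP request header 246, as an added Python example that is not part of the patent text. The proxy host name, the `ExampleBrowser` user agent, the function name, and the choice not to forward `Proxy-Authorization` and `Proxy-Connection` are assumptions of this example.

```python
from urllib.parse import urlsplit

# Default destination ports for the schemes the page mentions.
DEFAULT_PORTS = {"http": 80, "https": 443, "ftp": 21}

# Headers addressed to the proxy itself; this example does not forward them
# (an assumption of the example, not something the page specifies).
PROXY_ONLY_HEADERS = {"host", "proxy-authorization", "proxy-connection"}

# Constructed first request: absolute URL in the request line, proxy in Host.
SAMPLE_FIRST_REQUEST = (
    b"GET http://www.google.com/ HTTP/1.1\r\n"
    b"Host: proxy.example.test:80\r\n"
    b"User-Agent: ExampleBrowser/1.0\r\n"
    b"Proxy-Authorization: Basic cGFydGljaXBhbnQ6c2VjcmV0\r\n"
    b"\r\n"
)


def translate_request(first_request):
    """Return (host, port, second_request) for a proxy-style first request."""
    head = first_request.partition(b"\r\n\r\n")[0]
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    method, target, version = parts

    # The content provider is named by the absolute URL, not by the Host line.
    url = urlsplit(target)
    if url.scheme not in DEFAULT_PORTS or not url.hostname:
        raise ValueError("request target is not an absolute URL")

    # An explicit port (e.g. :1234) wins; otherwise the scheme decides.
    # A non-numeric or out-of-range port raises ValueError.
    port = url.port if url.port is not None else DEFAULT_PORTS[url.scheme]

    path = url.path or "/"
    if url.query:
        path += "?" + url.query

    host = url.hostname
    host_header = f"[{host}]" if ":" in host else host  # IPv6 literal
    if port != DEFAULT_PORTS[url.scheme]:
        host_header += f":{port}"

    # Second request: origin-form path, Host rewritten to the content provider.
    second = [f"{method} {path} {version}", f"Host: {host_header}"]
    for line in lines[1:]:
        name = line.partition(":")[0].strip().lower()
        if name not in PROXY_ONLY_HEADERS:
            second.append(line)
    return host, port, ("\r\n".join(second) + "\r\n\r\n").encode("iso-8859-1")
```
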
The internet content provider 170 receives the second content request 245 and responds to the request with a first response 250. The first response 250 is sent to the proxy server 165. In the illustrated example, the first response is sent through port 80 because it is a response to the content request obtained by port 80. However, any other port may be used to send the first response to proxy server 165. The proxy server 165 receives the first response 250 and determines the correct port on which to send the second response 255. In the illustrated example, the proxy server 165 determines the port on which to send the second response by associating the first response 250 with the first request 235 via the second request 245. In such an example, proxy server 165 may identify first request 235 generated on port 80 and, therefore, a second response will be sent on port 80. However, any other method of determining the port through which to send the second response may additionally or alternatively be used. Also, the response may be sent through a port other than the port assigned to the mobile device 205.
Fig. 3 is a block diagram of the example proxy server 165 of fig. 1. The example proxy server 165 includes a request and response port 305, a request server 310, an internet content processor 315, a content collector 320, and an internet port 325. The request and response port 305 receives requests and sends responses to and/or from the client devices 110, 130. The request received by port 305 is passed to request server 310. The content collector 320 sends requests and receives responses from the internet content provider 170 via the internet port 325. The internet content processor 315 stores the request (or a portion thereof) and/or retrieved content (or a portion thereof or an identifier associated therewith) in the storage database 160.
The illustrated request and response ports 305 are Transmission Control Protocol (TCP) ports and/or User Datagram Protocol (UDP) ports. However, any other port-based system may additionally or alternatively be used. The illustrated request and response port is port 80 because port 80 is typically used for HTTP content and is not typically blocked by most firewalls. However, a port may be, for example, any other port, such as a port within a well-known defined port range (ranging from port 0 to port 1023) and/or a port within a registered port range (ranging from port 1024 to port 49151).
The illustrated request server 310 receives requests from the request and response port 305 and performs port translation if necessary. Port translation may be unnecessary when the proxy server is hosted on the same port as the one on which the requested content is hosted. For example, if the proxy server resides on port 80 and the content request is for content (e.g., HTTP content) provided on port 80, no port translation will occur. First, the request is examined to determine the destination port intended for communication with the internet content provider 170. For example, in many cases, the request will be for HTTP content, and the destination port is identified as port 80. However, any other destination port may be used. For example, FTP traffic may be translated to port 21. The content collector 320 is responsible for collecting the content identified in the request (e.g., by sending the translated request to the corresponding content provider). Once the content is collected, the request server 310 performs another port translation on the received content response to produce a translated response and sends the translated response to the client device through the port assigned to the requesting client device.
In addition to translating the port of the request for internet content, the request server also checks the user agent identifier of the request. If the user agent identifier identifies an application that supports authentication, the request server 305 determines whether the request provides valid credentials. If valid credentials are not provided, the request server 305 requests credentials from the client device. If valid credentials are provided, the request server 305 provides the request to the content collector 320.
The illustrated internet content processor 315 determines whether credentials associated with the request are available and stores the request in the storage database 160 in association with the credentials to uniquely identify the client device. In some cases, the credentials may not be stored. For example, when the user agent indicates that an application requesting internet content does not support proxy authentication, no credentials are requested. Thus, some of the content requests stored in the storage database 160 may not uniquely identify the originating client device 110, 130. Additionally or alternatively, the internet content processor 315 may use the credentials to determine and store participant IDs and/or client device IDs generated by the registrar 155 upon registration. In the illustrated example, the internet content processor 315 stores requests for content. However, the internet content processor 315 may store less than the entire request, the sign of the request, and so on, as is tabulated in fig. 3. Additionally or alternatively, the internet content processor 315 can store the content provided in the response and/or the segments and/or portions of the content provided in the response in the storage database 160. For example, the internet content processor 315 may store advertisements sent to the client device in the storage database 160.
The illustrated content collector 320 requests content identified by the internet content request. In particular, the content collector 320 generates a second request via one of the ports 305 to collect the requested internet content using the internet address of the content requested in the request. The content collector 320 sends the second request through the internet port 325. The illustrated internet ports 325 are Transmission Control Protocol (TCP) ports and/or User Datagram Protocol (UDP) ports. However, any other port-based system may additionally or alternatively be used. The illustrated internet port requires HTTP traffic (e.g., port 80). However, any other port may be used. For example, port 21 may be used for File Transfer Protocol (FTP) traffic.
Fig. 4 is an example hypertext transfer protocol (HTTP) request 400 as received by the example proxy server 165 of figs. 1, 2, and 3. The example HTTP request 400 includes a user agent identifier 405. In the illustrated example, HTTP request 400 is a GET request for www.google.com, as identified by the first and second lines. In addition, the user agent identifier 405 identifies the requesting application. However, any other application may request internet content and be identified by the user agent identifier 405. In the illustrated example, the version identifier of the user agent identifier 405 suggests which version of the application is sending the request. In another example, an application accessing the internet, such as a weather application, may send a user agent identifier 405 suggesting that the application sending the request is a weather application.
Although an example manner of implementing the proxy server 165 of fig. 1 has been illustrated in fig. 1 and 3, one or more of the components, processors and/or devices illustrated in fig. 3 may be combined, separated, rearranged, omitted, eliminated and/or implemented in any other way. Further, the request and response port 305, the request server 310, the internet content processor 315, the content collector 320, the internet port 325, and/or, more generally, the proxy server 165 illustrated in fig. 3 and/or the registrar 155 illustrated in fig. 1 may be implemented by hardware, software, firmware, and/or any combination of hardware, software, and/or firmware. Thus, for example, any of the example request and response port 305, the example request server 310, the example internet content processor 315, the example content collector 320, the example internet port 325, and/or, more generally, the example proxy server 165 may be implemented by one or more circuits, programmed processors, Application Specific Integrated Circuits (ASICs), Programmable Logic Devices (PLDs), and/or Field Programmable Logic Devices (FPLDs), among others. When any of the appended device claims are understood to cover a purely software and/or firmware implementation, at least one of the example request and response port 305, the example request server 310, the example internet content processor 315, the example content collector 320, the example internet port 325, the example proxy server 165, the example registrar 155, and/or the storage database 160 are therefore expressly defined to include hardware and/or a computer-readable medium such as a memory storing software and/or firmware, a DVD, a CD, etc. Additionally, the proxy server 165 illustrated in fig. 1 and 3 may include one or more components, processors, and/or devices in addition to or in place of those illustrated in fig. 3, and/or may include any or all of the various illustrated components, processors, and devices.
A flowchart representative of example machine readable instructions to implement proxy server 165 of fig. 1 and/or 3 is shown in fig. 5 and 5A. Further, a flowchart representative of example machine readable instructions to implement registrar 155 of fig. 1 is shown in fig. 6. In these examples, the machine-readable instructions comprise a program for execution by a processor, such as the processor 712 shown in the example computer 700 discussed below in connection with fig. 7. The program may be embodied in software stored on a computer-readable medium such as a CD-ROM, a floppy disk, a hard disk, a Digital Versatile Disk (DVD), or a memory associated with the processor 712, but the entire program and/or parts thereof could alternatively be executed by a device other than the processor 712 and/or embodied in firmware or dedicated hardware. Further, while the example program is described with reference to the flowcharts illustrated in fig. 5, 5A, and 6, any other method of implementing the example proxy server 165 and/or the example registrar 155 may alternatively be used. For example, the order of execution of the blocks may be changed, and/or some of the blocks described may be changed, eliminated, or combined.
As mentioned above, the example processes of fig. 5, 5A, and 6 may be implemented using encoded instructions (e.g., computer readable instructions) stored on a tangible computer readable medium, such as a hard disk drive, a flash memory, a Read Only Memory (ROM), a Compact Disc (CD), a Digital Versatile Disc (DVD), a cache memory, a Random Access Memory (RAM), and/or any other storage medium where information may be stored for any length of time (e.g., for extended periods of time, permanently, brief instances, for temporarily buffering, and/or for buffering of the information). The term tangible computer readable medium as used herein is expressly defined to include any type of computer readable memory and to exclude broadcast signals. Additionally or alternatively, the example processes of fig. 5, 5A, and 6 may be implemented using encoded instructions (e.g., computer readable instructions) stored on a non-transitory computer readable medium such as a hard disk drive, a flash memory, a read-only memory, a compact disk, a digital versatile disk, a cache memory, a random-access memory, and/or any other storage medium in which information may be stored for any duration (e.g., for extended periods of time, permanently, brief instances, for temporarily buffering, and/or for buffering the information). The term non-transitory computer readable medium, as used herein, is expressly defined to include any type of computer readable medium and to exclude broadcast signals.
Fig. 5 is a flow diagram representative of example machine readable instructions 500 that may be executed to implement the example proxy server of fig. 1, 2, 3. The process of FIG. 5 begins at block 505, where the example computer readable instructions 500 begin execution. First, the requesting server 310 of the proxy server 165 waits for a content request (block 505). In the illustrated example, request server 310 simply waits for a content request on port 80. However, the requesting server 310 may wait for content requests on any port, or the requesting server 310 may wait for content requests on multiple ports. Next, the request server 310 receives a content request (block 510). Since multiple content requests may be received at substantially the same time, the content requests may be processed in parallel to reduce the time taken to respond to the requests. However, the content request may be handled in any other way. For example, content requests may be processed sequentially.
The requesting server 310 then determines whether the user agent identifier identifies an application that supports authentication (block 515). In the illustrated example, a predefined set of models (patterns) identifying applications that support authentication are stored in the storage database 160. For example, once a new version of an application is released, the new user agent identifier may identify the version of the application requesting the internet content. In order to correctly identify the application responding to the authentication request, the user agent is matched with an application for which the authentication capability is known. For example, if a new version of the browser application releases and includes a new user agent identifier, the user agent identifier of the previous version of the browser application may substantially match the user agent identifier of the new version. If the previous version of the browser application supports authentication, then it is likely that the next version also supports authentication, and therefore requests authentication credentials. An example user agent model is "safari," and any user agent identifier that contains the term "safari" will be authenticated. However, any other manner or set of models may additionally or alternatively be used. In the illustrated example, the model is updated by an administrator. However, as discussed in connection with fig. 5A, an automatic model generation system may additionally or alternatively be used.
The request server 310 attempts to match the user agent identifier to the predefined models, and if a model is found that substantially matches the user agent identifier, the request server 310 determines whether credentials are associated with the request (block 520). If no valid credentials are associated with the request, the request server 310 sends a request for valid credentials to the client device 110, 130 (block 525). The credential request may prompt the participant and/or client device to resend the request with the previous valid credentials. If valid credentials are associated with the request, the credentials are associated with the participant and/or the client device (block 530).
Next, the content collector 320 generates a second request based on the respective one of the requests received at block 510 to obtain the internet content identified in the respective content request (block 535). The content collector 320 collects the requested internet content by sending a second request via the internet port 325. In the illustrated example, the request is sent using port 80. However, any other port may additionally or alternatively be used.
The internet content processor 315 also associates the content request with the corresponding requesting device and stores the association in the storage database 160 (block 540). In the illustrated example, the internet content processor 315 associates the content request with the client device through a certificate associated with the request. In some cases, an application requesting internet content may not support proxy authentication and/or credentials. In those cases, the content request is stored in the storage database without an associated certificate. Additionally, the internet content processor 315 may store the returned content or a portion of the returned content in the storage database 160 (block 540). For example, the internet content processor 315 may store images contained in the return content.
The internet content processor 315 may filter the content stored in the storage database. For example, the internet content processor 315 may only store content requests requesting HTTP content because requests for non-HTTP content cannot be properly parsed when analyzing the information. As another example, the internet content processor 315 may omit style content (e.g., cascading style sheet (CSS) files) from what is stored in the storage database 160 because style content may be of limited use when analyzing the information.
The request server 310 completes servicing the request from the client device by sending the requested internet content to the client device via the port receiving the content request (block 545). Control returns to block 505 where the requesting server 310 waits for more content requests (block 505).
Fig. 5A is a flow diagram representative of example machine readable instructions 501 that may be executed to implement the example proxy server of figs. 1, 2, and 3. The example machine readable instructions 501 of FIG. 5A are similar to the machine readable instructions 500 of FIG. 5. However, whereas block 515 of FIG. 5 determines whether the user agent identifier matches a single list of models representing applications that support authentication, more complex algorithms may additionally or alternatively be used. In the example illustrated in fig. 5A, the request server 310 waits for a content request (block 505) and receives a content request (block 510). The request server 310 then determines whether the user agent identifier matches an application that does not support proxy server authentication (block 516). The request server 310 may consult a model or set of models stored in storage database 160. If the request server 310 determines that the application does not support proxy authentication, control passes to block 535, where the machine-readable instructions 501 proceed in a manner similar to that of FIG. 5. If the request server 310 determines that the user agent identifier does not match the model or models identifying applications that do not support proxy authentication, the request server 310 determines whether the user agent identifier matches an application that supports proxy authentication (block 517). Because new applications that access internet content are created every day, new user agent identifiers are constantly being generated. It is not possible at any given time to maintain a single list that identifies proxy authentication support based on the user agent identifier alone. Thus, the two-model (or two-sets-of-models) approach identifies proxy authentication support for known user agent identifiers.
If the request server 310 determines that the application accessing the internet content supports proxy authentication, control passes to block 520, where the machine-readable instructions 501 complete execution in a manner similar to the machine-readable instructions 500 of fig. 5.
If the user agent identifier is not identified by either block 516 or block 517, control passes to block 550, where the request server 310 determines whether the request provides valid credentials (block 550). If valid credentials are provided, the application supports proxy authentication, and a model is generated and stored in the storage database 160. Subsequent requests that include that particular user agent identifier are then identified as supporting proxy server authentication. Control then passes to block 530, where the machine-readable instructions 501 complete execution in a similar manner as the machine-readable instructions 500 of FIG. 5. If valid credentials are not provided with the request, the request server 310 sends a request for credentials and waits for a response (block 560). The request server 310 may wait for a short period of time (e.g., 30 seconds, 1 minute, 3 minutes, etc.) because the participant may be prompted to enter credentials. The request server 310 then determines whether credentials were received in response to the credential request (block 565). If credentials are received in response to the credential request, the application supports credentials, and control proceeds to block 535, where the request server 310 stores a model in the storage database 160 that results in subsequent requests from that particular user agent being identified as originating from applications that support proxy server authentication. If no response is received (possibly because the application has crashed or otherwise failed), the request server 310 stores a model in the storage database 160 indicating that the application does not support proxy server authentication (block 570). Thus, subsequent requests originating from that particular application are not required to provide authentication credentials. Control then passes to block 505, where the request server 310 waits for a content request.
Thus, when a new user agent identifier is discovered, proxy authentication is attempted to determine whether the user agent identifier identifies an application that supports the proxy server.
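The two-list decision flow of FIG. 5A (blocks 516, 517, 550, 565 and 570), as an added Python example that is not part of the patent text. The class and method names, the constructed user agent strings, and the choice to store a newly learned model as the full lowercased user agent string are assumptions of this example; the "safari" substring model is the one given on the page.

```python
from dataclasses import dataclass, field
from enum import Enum


class Action(Enum):
    FORWARD_ANONYMOUS = "forward without credentials"     # straight to block 535
    FORWARD_IDENTIFIED = "forward, tied to credentials"   # blocks 530 -> 535
    # In HTTP a proxy asks for credentials with a 407 response.
    CHALLENGE = "request credentials"                     # block 525 or 560


# Constructed user agent strings for the example.
UA_KNOWN_BROWSER = "Mozilla/5.0 (constructed) Version/4.0 Mobile Safari/531.21"
UA_WEATHER_APP = "WeatherApp/2.1 (constructed)"
UA_NEWS_APP = "NewsReader/1.0 (constructed)"


@dataclass
class UserAgentModels:
    """Stand-in for the two sets of models kept in the storage database."""
    supports: set = field(default_factory=lambda: {"safari"})
    no_support: set = field(default_factory=set)

    @staticmethod
    def _matches(models, user_agent):
        ua = user_agent.lower()
        return any(model in ua for model in models)

    def classify(self, user_agent):
        """Blocks 516 and 517: 'no_support', 'supports' or 'unknown'."""
        if self._matches(self.no_support, user_agent):
            return "no_support"
        if self._matches(self.supports, user_agent):
            return "supports"
        return "unknown"

    def handle_request(self, user_agent, credentials_valid):
        """Decide what to do with one request and learn from unknown agents."""
        kind = self.classify(user_agent)
        if kind == "no_support":
            return Action.FORWARD_ANONYMOUS
        if credentials_valid:
            if kind == "unknown":
                # Blocks 550/565: an unknown application presented valid
                # credentials, so record it as supporting authentication.
                self.supports.add(user_agent.lower())
            return Action.FORWARD_IDENTIFIED
        return Action.CHALLENGE

    def challenge_timed_out(self, user_agent):
        """Block 570: an unknown application never answered the challenge."""
        if self.classify(user_agent) == "unknown":
            self.no_support.add(user_agent.lower())
```

Both lists key on the User-Agent header, which the client supplies, so a learned `no_support` entry exempts every later request that presents the same string from the credential challenge.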
In addition to the example approach using two models (or two sets of models) shown in FIG. 5A, any other type of listing may be implemented to control internet communications through the proxy server 165. For example, if a user other than a participant attempts to use the proxy server 165 (e.g., to maliciously affect results, to alter their internet traffic, etc.), a block list may be implemented to block users with a particular IP address. Additionally or alternatively, other block lists may be implemented. For example, a list of user agents that are not supported by the proxy server may be implemented to prevent internet communications from a browsing application on a desktop computer. In particular, a user of the proxy server 165 (whether or not a participant) may configure a browser running on a desktop computer to use the proxy server 165. To prevent internet activity from a browser running on the desktop computer from affecting the results of the monitoring system, the proxy server 165 may block internet content requests when the user agent identifier matches a user agent identifier in a blocked user agent list.
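The user-agent classification flow (blocks 550 to 570) and the block lists described above can be sketched as follows; this is an added example, not code from the patent. The class and field names, the `probe` callback that stands in for sending a credential request and waiting, and all sample values are assumptions.

```python
import hmac
import re
from dataclasses import dataclass, field

@dataclass
class Request:  # constructed stand-in for one proxied content request
    client_ip: str
    user_agent: str
    credentials: tuple = None  # (username, password) or None

@dataclass
class RequestServer:
    participants: dict  # username -> password (hypothetical credential store)
    blocked_ips: set = field(default_factory=set)
    blocked_agents: list = field(default_factory=list)  # regex patterns
    auth_agents: list = field(default_factory=list)     # apps that answer proxy auth
    noauth_agents: list = field(default_factory=list)   # apps that do not
    log: list = field(default_factory=list)             # (participant, user agent)

    @staticmethod
    def _match(patterns, user_agent):
        return any(re.search(p, user_agent) for p in patterns)

    def _valid(self, creds):
        if creds is None:
            return False
        expected = self.participants.get(creds[0])
        return expected is not None and hmac.compare_digest(
            expected.encode(), creds[1].encode())

    def handle(self, req, probe=lambda req: None):
        """Classify one request. `probe` simulates the credential request
        and wait; it returns credentials, or None when nothing comes back."""
        ua = req.user_agent
        if req.client_ip in self.blocked_ips or self._match(self.blocked_agents, ua):
            return "blocked"
        if self._match(self.noauth_agents, ua):
            self.log.append((None, ua))  # served, but not tied to a participant
            return "served"
        creds = req.credentials
        if not self._match(self.auth_agents, ua):   # new user agent identifier
            if not self._valid(creds):              # block 550
                creds = probe(req)                  # blocks 560 and 565
            if creds is None:                       # block 570: no response
                self.noauth_agents.append(re.escape(ua))
                return "learned-noauth"
            self.auth_agents.append(re.escape(ua))  # block 535
        if not self._valid(creds):
            return "challenge"                      # ask the client for credentials
        self.log.append((creds[0], ua))
        return "served"
```

A request from an application learned as not supporting authentication is logged without a participant, which is why only authenticated requests can be attributed to a specific participant.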
FIG. 6 is a flow diagram representative of example machine readable instructions that may be executed to implement the example registrar 155 of FIG. 1. The example machine readable instructions 600 of FIG. 6 begin execution at block 603, where the participant 115, 135 submits registration data to the registrar 155 (block 603). In the illustrated example, the registration data is received by the registrar 155 over an electronic interface (e.g., a website) (block 605). However, the registrar may receive the registration data in any other manner. For example, the registrar may receive registration data through a telephone interface, direct mail, a predefined list, and so on.
Next, the registrar 155 assigns credentials to the participant (block 610). In the illustrated example, upon registering with the group, the participants enter their desired credentials. Some example credentials are a username and password. If some or all of the desired credentials (e.g., the username) are unique to the participant (e.g., the username is not already associated with another participant in the group), then the credentials are associated with the participant. The credentials are then sent to the participant via the configuration document. Alternatively, the credentials may be randomly assigned to the participant. For example, the username may be the participant's first initial followed by the participant's last name, and the password may be a random string. Also, participants can change their password by contacting the registrar 155 (e.g., by accessing a web page hosted by the registrar 155).
The registrar 155 then generates a configuration document (block 615). The configuration document includes the credentials assigned to the participant's client device and an internet proxy server address. The internet proxy address is the address of the proxy server 165. In the illustrated example, the configuration document is an instruction document that instructs the participant how to configure the client device and is formatted as an email that is sent to the participant. However, any other type of document may be generated, for example, a comma-separated values (CSV) document, a Portable Document Format (PDF) document, and the like.
Next, the registrar 155 sends the configuration document to the client device (block 620). In the illustrated example, the configuration document is sent via an electronic mail (email) message. The email message includes a hypertext link that may be selected to download the configuration document. However, any other method of sending the configuration document may additionally or alternatively be used. For example, the configuration document may be sent as an attachment to an email message; the registrar 155 may send a Short Message Service (SMS) message that includes an internet address at which the client device may download the configuration document; a direct mailing may be sent to the participant that includes an instruction document and/or an electronic medium containing the configuration document; a telephone call may be initiated to verbally instruct the participant how to configure the client device; and so on. The participant and/or client device then receives the configuration document (block 623).
The client devices 110, 130 are then configured by the participants (block 625). Since the configuration document is an instruction document that instructs the participant how to configure the client device, the participant may then apply the credentials, internet proxy address, and proxy port defined in the configuration document to the client device. The instruction document may therefore instruct the participant how to apply the configuration document or how to manually apply the data it contains. However, the configuration document may additionally or alternatively include an electronic document that can be interpreted by the client device. In that case, the participant may be provided with instructions on how to apply the electronic configuration document.
Once the data contained in the configuration document has been applied, subsequent requests for internet content generated by the client devices 110, 130 are sent according to the configuration document. Specifically, since the configuration document includes a proxy address, a proxy port number, and credentials, the requests are proxied through the internet proxy address via the proxy port number, and the credentials are used by applications that support credentials.
FIG. 7 is a block diagram of an example computer 700 that may execute the instructions of FIGS. 5 and 6 to implement the monitoring system of FIG. 1. The computer 700 may be, for example, a server, a personal computer, or any other type of computing device.
The system 700 of the present example includes a processor 712. For example, the processor 712 may be implemented by one or more microprocessors from any of several processor families. Of course, other processors from other families are also suitable.
The processor 712 communicates with a main memory including a volatile memory 718 and a non-volatile memory 720 via a bus 722. Volatile memory 718 may be implemented by Synchronous Dynamic Random Access Memory (SDRAM), Dynamic Random Access Memory (DRAM), RAMBUS Dynamic Random Access Memory (RDRAM), and/or any other type of random access memory device. The non-volatile memory 720 may be implemented by flash memory and/or any other desired type of memory device. Access to the main memory 714 is typically controlled by a memory controller (not shown).
The computer 700 also includes an interface circuit 724. The interface circuit 724 may be implemented by any type of interface standard such as an ethernet interface, a Universal Serial Bus (USB), and/or a PCI express interface.
One or more input devices 726 are connected to the interface circuit 724. The input devices 726 allow a user to enter data and commands into the processor 712. The input devices may be implemented by, for example, a keyboard, a mouse, a touch screen, a track pad, a track ball, ISOPOINT, and/or a voice recognition system.
One or more output devices 728 are also connected to the interface circuit 724. The output devices 728 may be implemented, for example, by display devices (e.g., a liquid crystal display or a cathode ray tube (CRT) display), a printer, and/or speakers. Thus, the interface circuit 724 typically includes a graphics driver card.
The interface circuit 724 also includes a communication device (e.g., the request server 310) such as a modem or network interface card to facilitate exchange of data with external computers via a network (e.g., an ethernet connection, a Digital Subscriber Line (DSL), a telephone line, coaxial cable, a cellular telephone system, etc.).
The computer 700 also includes one or more mass storage devices 730 for storing software and data. Examples of such mass storage devices 730 include floppy disk drives, hard disk drives, compact disk drives, and Digital Versatile Disk (DVD) drives. The mass storage devices 730 may implement the storage database 160.
The encoded instructions of fig. 5 and 6 may be stored in mass storage 730, volatile memory 718, non-volatile memory 720, local memory 714, and/or a removable storage medium such as a CD or DVD.
It will be appreciated from the foregoing that example methods, apparatus, and articles of manufacture have been disclosed which allow for monitoring internet content requests from any application on a mobile device that accesses internet content through an authenticated proxy server, while uniquely identifying the requesting device and/or participant when the application accessing internet content responds to the request for proxy server authentication.
Although certain example methods, apparatus, and articles of manufacture have been disclosed herein, the scope of coverage of this patent is not limited thereto. On the contrary, this patent covers all methods, apparatus, and articles of manufacture fairly falling within the scope of the appended claims either literally or under the doctrine of equivalents.

Claims (32)

1. A method of monitoring internet activity, the method comprising the steps of:
determining whether an application identified by an identifier of a content request from a client device supports authentication;
sending content identified by the content request to the client device if the identifier of the content request identifies an application that supports authentication; and
storing an identifier of content requested by the content request in association with the client device.
2. The method of claim 1, further comprising the steps of: storing a portion of the content in association with the client device.
3. The method of claim 1, wherein the identifier of the content request comprises a user agent identifier.
4. The method of claim 3, further comprising the steps of:
determining whether a valid credential is provided in association with the content request;
sending a credential request to the client device if the user agent identifier substantially matches a model of an application that supports authentication and a valid credential is not provided in association with the content request; and
if the user agent identifier substantially matches a model of an application that supports authentication and a valid credential is provided in association with the content request, then content identified by the content request is sent to the client device.
5. The method of claim 4, further comprising the steps of: associating a participant identifier associated with the credential with the identifier.
6. The method of claim 5, wherein the participant identifier is a credential provided in association with the content request.
7. The method of claim 1, further comprising the steps of: designating the client device to send the content request via a proxy server.
8. The method of claim 7, wherein the step of designating the client device to send the content request via the proxy server further comprises the steps of: sending the credential and the internet proxy server address of the proxy server; and causing the client device to send all subsequent content requests to the proxy server.
9. The method of claim 8, wherein the step of sending the credential and the internet proxy address further comprises the steps of: generating a configuration document comprising the credential and the internet proxy server address.
10. The method of claim 9, wherein the configuration document further comprises instructions instructing a participant associated with the client device to configure the client device to send all subsequent content requests to the proxy server.
11. A method of monitoring internet activity, the method comprising the steps of:
receiving registration data from the participant;
assigning a credential to a client device of the participant;
generating a configuration document identifying credentials associated with the client device and a proxy server address, the configuration document instructing the participant to have subsequent content requests sent via the proxy server address; and
sending the configuration document to the client device.
12. The method of claim 11, wherein the registration data received from the participant includes an email address associated with the participant; and sending the configuration document comprises emailing the configuration document to an email address associated with the participant.
13. The method of claim 12, further comprising the steps of: providing a hyperlink to the participant to download the configuration document.
14. The method of claim 11, wherein the registration data received from the participant includes a telephone number associated with the participant; and the step of sending the configuration document comprises sending a link to the configuration document in a text message to a telephone number associated with the participant.
15. The method of claim 11, wherein the registration data received from the participant includes a unique identifier associated with the participant; and the step of sending the configuration document comprises sending a link to the configuration document to the participant.
16. The method of claim 11, wherein the registration data received from the participant includes a mailing address associated with the participant; and sending the configuration document includes mailing the configuration document to a mailing address associated with the participant.
17. The method of claim 16, wherein the configuration document comprises an instruction document instructing the participant to input the credentials and the internet proxy address as configuration settings to the client device.
18. The method of claim 11, wherein the configuration document is interpreted by the client device such that a credential associated with the client device and the internet proxy server address can be applied to the client device.
19. The method of claim 18, wherein the registration data received from the participant includes a model number of a client device used by the participant; and the configuration document is generated specifically to instruct the participant to apply the settings to the client device.
20. A method of monitoring internet activity, the method comprising the steps of:
receiving, at a proxy server, an internet content request, the request originating from a mobile device that sent the request via a wireless access point;
determining whether a user agent identifier of the internet content request identifies an application that supports proxy server authentication;
determining whether a valid credential is provided in association with the internet content request;
sending a credential request if the user agent identifier of the internet content request identifies an application that supports proxy server authentication and does not provide a valid credential in association with the internet content request;
associating the internet content request with a mobile device if the user agent identifier of the internet content request identifies an application that supports proxy server authentication and a valid credential is provided in association with the internet content request;
requesting content from an internet content provider identified in the internet content request, the internet content provider being different from the proxy server; and
transmitting the content to the mobile device.
21. The method of claim 20, further comprising the steps of: storing the internet content request in a database.
22. The method of claim 21, further comprising the steps of: storing an association between the internet content request and the mobile device in the database if the user agent identifier of the internet content request identifies an application that supports proxy server authentication and a valid credential is provided in association with the internet content request.
23. A system for monitoring internet activity, the system comprising:
a proxy server that services internet data requests for internet data from at least one client device, the proxy server comprising:
a request port that receives an internet data request;
an internet port to obtain internet data based on the internet data request;
a request server that determines whether a user agent identifier of a request received by the request port identifies an application that supports proxy server authentication and whether a valid credential is provided in association with the request received by the first port; and
a database that stores an identification of internet data requested via the request port in association with a participant based on a credential associated with the request if a valid credential is provided in association with the request.
24. The system of claim 23, further comprising:
a registrar to register the client device, assign a unique credential to the client device, and generate a configuration document to send the credential and an internet proxy address to the client device.
25. The system of claim 24, wherein the registrar stores the association between the credential, the participant, and the client device in the database.
26. The system of claim 23, wherein the proxy server stores the internet data request from the client device in the database.
27. The system of claim 23, wherein the proxy server stores the retrieved internet data sent to the client device in the database.
28. The system of claim 23, wherein the proxy server receives internet data requests and transmits internet data via a wireless network.
29. The system of claim 28, wherein the wireless network is a WiFi network.
30. An apparatus for monitoring internet activity, the apparatus comprising:
a request and response port that receives an internet content request;
a request server that receives the internet content request via the request and response port and transmits internet content identified in the internet content request via the request and response port;
an internet content processor that stores the internet content request in a database;
an internet port; and
a content collector that receives, via the Internet port, Internet content identified in the Internet content request.
31. The device of claim 30, wherein the internet content processor stores a credential associated with the request in the database.
32. The device of claim 30, wherein the internet content processor stores a portion of the internet content identified in the internet content request.
HK12109021.0A 2010-08-14 2012-09-14 Systems, methods, and apparatus to monitor mobile internet activity HK1168957A (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
US12/856,643 2010-08-14

Publications (1)

Publication Number Publication Date
HK1168957A (en) 2013-01-11

Similar Documents

Publication Publication Date Title
US12355851B2 (en) Systems, methods, and apparatus to monitor mobile internet activity
US9736136B2 (en) Systems, methods, and apparatus to monitor mobile internet activity
CA2781018C (en) Systems, methods, and apparatus to monitor mobile internet activity
HK1168957A (en) Systems, methods, and apparatus to monitor mobile internet activity
US20250379916A1 (en) Systems, methods, and apparatus to monitor mobile internet activity
HK1205386B (en) Systems, methods, and apparatus to monitor mobile internet activity
HK1168956B (en) Systems, methods, and apparatus to monitor mobile internet activity