An access control technique to limit access to information content such as that available on the Internet. The technique is implemented within a network device such as a proxy server, router, switch, firewall, bridge or other network gateway. The access control process analyzes data in each request from the clients and determines if the request should be forwarded for processing by the server to which it is destined. Access control may be determined by comparing client source information against a database of uniform resource locators (URLs), IP addresses, or other resource identification data specifying the data requested by the client. The invention therefore provides access control not based only upon content, but rather, based primarily upon the identity of the computers or users making the requests. The technique further avoids the problems of the prior art, which categorizes or filters the content of web pages based solely upon objectionable words, because the category database used by the network device to control access is created and maintained through a process involving human editors.

Patent: RE41168
Priority: Mar 31 1998
Filed: Oct 14 2004
Issued: Mar 23 2010
Expiry: Mar 31 2018
Entity: Small
Claims
Matter enclosed in brackets appears in the original patent but forms no part of this reissue.
1. A hardware network device for controlling access by clients on a private network to [a data file] data files stored at servers in a public network, the hardware network device being interconnected between the private network and the public [networks] network, the hardware network device comprising:
a first interface receiving a request from [a client] one of the clients on the private network to access [a data file] one of the data files stored at servers [on] in the public network;
an access control processor coupled to the first interface, the access control processor analyzing data in the request from [the client] one of the clients and determining if the request should be forwarded to the public network for processing by a server, of the servers in the public network, to which [it] the request is destined, the determination being made by cross referencing resource identifier information in the request with access control data in at least one access control database, the access control data containing categorized resource identifier information, the categorized resource identifier information specifying a content subject matter category to which [the data file] one of the data files is assigned, and the categorized resource identifier information associated with each data file so categorized being assigned by prior locating of each data file, storing data file information comprising a uniform resource locator for each data file in a first database, reading the data file information for each data file from the first database, human interpretation of the content in [the] each data file, and then, as a result of such human interpretation, determining a subject matter category to which [the] each data file is to be assigned, [the data file stored at the servers on the public network] and storing said data file information and said subject matter category in the access control database;
a second interface coupled between the first interface and the public network and coupled to the access control processor, the second interface forwarding the [requests] request from the first interface to the servers [on] in the public network if the access control processor determines the request should be forwarded to the public network for processing by [a] the server to which [it] the request is destined; and
means for permitting a network administrator of the public network to control the operation of the hardware network device.
18. A method executing on a first client computer connected to a public network and on an access controller connected to a private network, the method being for controlling access by clients of [a] the private network to data files stored on servers connected in [a] the public network, the method comprising the steps of:
at [a] the first client computer connected to the public network, using the first client computer to:
[searching] search for uncategorized data files being stored on servers connected in the public network, the uncategorized data files being available on demand;
store data file information comprising at least a uniform resource locator (URL) for each of the uncategorized data files in at least one initial database;
retrieve one or more selected data files from the initial database, at a time after the step of using the first client computer to store data file information in the at least one initial database;
[presenting] present a view of each selected data file in human readable form on the first client computer connected to the public network;
[permitting] permit a human being to review the contents of each selected data file so presented;
[determining a] associate, with each selected data file, a determined content rating [for each selected data file] in response to presenting the contents of the selected data file to a human being, the content rating being determined as a result of the human being assigning the selected data file to at least one content subject matter category; and
[storing] store a uniform resource locator (URL) of each selected data file together with the associated content subject matter [categories] category in a category-destination database;
at an access controller connected to the private network, using the access controller to:
[downloading] download the category-destination database;
[receiving] receive requests from second client computers connected to the private network, the requests from the second client computers indicating requested data files stored on the servers [of] connected in the public network;
[analyzing] analyze the data in each request from a client computer of the second client computers against the data from the category-destination database; and
[determining] determine whether to forward the request from the client computer of the second client computers to a server of the servers connected in the public network for processing, the determination being made based upon the content rating of the requested data file.
2. The hardware network device of claim 1, wherein the access control database is stored locally on a storage medium within the hardware network device.
3. The hardware network device of claim 2, wherein the access control database is downloaded by a download process on the hardware network device onto the storage medium from an access control server.
4. The hardware network device of claim 3, wherein the download process is automatically performed at regular intervals.
5. The hardware network device of claim 3, wherein the download process is a subscription service [to] with which the hardware network device must be registered [with] so that the download process can be performed.
6. The hardware network device of claim 1, wherein the access control database is stored remotely on at least one access control server on the private network and access to the access control data in the access control database by the hardware network device is performed by accessing the access control server.
7. The hardware network device of claim 1, wherein the access control database is stored remotely on at least one access control server on the public network and access to the access control data in the access control database by the hardware network device is performed by accessing the access control server.
8. The hardware network device of claim 6, wherein access to the access control data is a subscription service [to] with which the hardware network device must be registered [with] in order to be allowed access to the access control data.
9. The hardware network device of claim 1, wherein:
the request includes a source designation and the resource identifier information of the request specifies a destination of the request;
the categorized resource identifier information in the access control data is categorized by associating predetermined destinations to specific categories of content; and
the access control processor determines if [the client] one of the clients making the request is associated with a category of content which contains a predetermined destination having a portion that is equal to the destination specified in the resource identifier information of the request.
10. The hardware network device of claim 9, wherein the portion that is equal to the destination specified in the resource identifier information of the request is a segment of the resource identifier information.
11. The hardware network device of claim 9, wherein the resource identifier information of the request is an internet protocol address.
12. The hardware network device of claim 9, wherein the categorized resource identifier information in the access control database is categorized by searching for uncategorized content provided by the servers located [on] in the public network and presenting the uncategorized content of the data files to humans for evaluation and categorization to produce categorized content, the categorized content being represented in the access control database by an identification of a location of the categorized content on the servers [of] in the public network.
13. The hardware network device of claim 12, wherein the uncategorized content provided by the servers [on] in the public network is discovered by a network walker process which records new content destinations as they are discovered.
14. The hardware network device of claim 1, wherein:
the request includes a source designation and the resource identifier information of the request specifies a destination of the request and the at least one access control database includes a group-source database and the access control processor, in determining if the request should be forwarded to the public network, matches the source designation of the request to the group-source database to determine the group of [the client] one of the clients making the request.
15. The hardware network device of claim 14, wherein:
the at least one access control database further includes a group-category database and the access control processor, in determining if the request should be forwarded to the public network, matches the group of [the client] one of the clients making the request to at least one category to determine which categories of content may be accessed by that group.
16. The hardware network device of claim 14, wherein:
at least one access control database further includes a category-destination database and the access control processor, in determining if the request should be forwarded to the public network, attempts to match the destination specified in the resource identifier information to at least one resource identifier destination listed within categories in the category-destination database, and if a match is made, the access control processor denies access to the server to which the request is destined.
17. The hardware network device of claim 16, wherein the access control processor, in determining if the request should be forwarded to the public network, matches the group of [the client] one of the clients making the request to at least one category having an associated block of allowed access times, to determine which categories of content may be accessed by that group and at which times.
19. The method of claim 18, wherein the step of [analyzing] using the access controller to analyze the data in each request further comprises the steps of using the access controller to:
[examining] examine a source of the request against a group-source database to determine a group associated with the client making the request;
[examining] examine the group associated with the client making the request against a group-category database to determine the content ratings that the group may access;
[obtaining] obtain URL information from the request; and
[determining] determine if the URL information has been assigned a content rating that the group may access, and if so, [allowing] using the access controller to allow the request, and if not, [denying] using the access controller to deny the request.
20. The method of claim 18, further comprising the step of [filtering] using the access controller to filter contents of return data sent from servers [on] connected in the public network in response to a request which is allowed.
21. The method of claim 18, wherein the URL information is an Internet Protocol (IP) address.
22. The method of claim 18, wherein the URL information is a world wide web page address.
23. The method of claim 18, wherein the URL information is a portion of a world wide web page address.
24. The method of claim 18, wherein the [downloading] using the access controller to download is automatically performed at regular intervals.
25. The method of claim 24, wherein the [downloading] using the access controller to download is a subscription service to which the access controller must be registered so that the [downloading] using the access controller to download can be performed.
26. The method of claim 18, wherein the step of [searching] using the first client computer to search for new uncategorized data files on the public network is performed by a network walker process.
27. The method of claim 19, wherein the group-category database includes at least one group that is associated with different content ratings depending on the time of day of the request.
28. A hardware network device according to claim 1, the hardware network device comprising one or more processors and one or more memories operable to store program instructions executable by the one or more processors to implement:
the first interface, the access control processor, the second interface, and the means for permitting the network administrator of the private network to control the operation of the hardware network device.
29. A hardware network device according to claim 28, wherein:
the request includes a source designation and the resource identifier information of the request specifies a destination of the request and the at least one access control database includes a group-source database and the access control processor, in determining if the request should be forwarded to the public network, matches the source designation of the request to the group-source database to determine the group of the one of the clients making the request.
30. A hardware network device according to claim 29, wherein:
the at least one access control database further includes a group-category database and the access control processor, in determining if the request should be forwarded to the public network, matches the group of the one of the clients making the request to at least one category to determine which categories of content may be accessed by that group.
31. A hardware network device according to claim 28, wherein the access control database is stored remotely on at least one access control server on the public network and access to the access control data in the access control database by the hardware network device is performed by accessing the access control server.
32. A hardware network device according to claim 1, the categorized resource identifier information associated with each data file so categorized being further assigned by, prior to storing the data file information comprising the uniform resource locator for each data file in the first database, determining whether the data file information comprising the uniform resource locator is already stored in either a queue database, the first database or the access control database and, if not, initially storing the data file information comprising the uniform resource locator in the queue database.
33. A method according to claim 18, wherein the at least one initial database comprises (i) a queue database for holding the URLs associated with the uncategorized data files and (ii) an uncategorized database, wherein the using the first client computer to retrieve one or more selected data files retrieves such files from the uncategorized database, and wherein the using the first client computer to store data file information further comprises:
if the data file information located in the using the first client computer to search for uncategorized data files is not already stored in either the queue database, the uncategorized database, or the category-destination database, then using the first client computer to store the data file information in the queue database.
34. A method according to claim 33, further comprising:
using the first client computer to obtain further information for the data file information located in the using the first client computer to search for uncategorized data files, the further information including information other than the URL, and using the first client computer to store that information in the uncategorized database.
Step 207 then matches the IP address, the URL, or any segment of the URL against each category obtained in step 205 in the category/restricted destination database 208. In step 206 then, each category specified as being active for the group of the client requesting the web page or data is consulted to see if the requested page or data is listed in any of the URL or IP data associated with that category.

In step 209, if either the IP address, the URL or any segment of the URL matches any restricted destination information (i.e., columns 2, 3 or 4 of Table 3) for any of the categories obtained in step 205, then step 210 is executed, which denies access to the requested web page, data, service or content requested in the packet received from the client at the network device 100. In other words, step 210 does not forward the packet on to the content server indicated in the destination field 303 of the packet if the client in the specific group was requesting a page, data or a service that existed in the category database 208 for one of the categories that was active for that group. Quite simply, the client was trying to access a restricted web site, URL, IP address or service; step 209 detects this information in one of the active categories in database 208 and step 209 can deny access.

If step 209 does detect an attempt at restricted access to a service, web site, data or other restricted content, step 214 is executed, which uses the source address in field 302 of the packet 300 to send a return notification of denial to the user at the client computer requesting the restricted data. Step 215 may also be executed, which logs the illegal attempted request to a log file.

However, if step 209 determines that neither the IP address, the URL, or any URL segments matched any of the restricted data for any of the active categories obtained in step 205, then step 211 allows the request to be forwarded to the content server through network device 100. In other words, the request was for legitimate non-restricted web pages, services, or data provided by a server on WAN 45. Once the request is received by the server to which it was destined, the server begins to return the requested data in the form of a web page, a file transfer, a news group, or other data.

Step 212 then begins to receive the web page or other content data packets, and step 213, which may be optional, can filter the incoming data in the returned data packets for objectionable data, such as profanity occurring in the text of web pages or news groups, or other objectionable content as may be defined. That is, content filtering may also be incorporated into the invention as data is returned from the servers. This is beneficial and overcomes the problems of the prior art content filtering systems since, in this invention, the content filtering can be centralized at the network device 100, rather than administering many separate clients that each contain their own content filtering database.

In this manner, the present invention provides a robust data access filtering system that provides access control based on users, categories and times of use and not purely on content of data being accessed. This is beneficial since content filtering alone often overlooks objectionable material such as pornographic images, which contain no words to content filter upon.

Moreover, the present invention is centralized to offer ease of administration and configuration and is very flexible, since times of day for restricted access may also be specified, if desired. By having a category database 208 that may be maintained offsite, by a third party for example, the invention allows the administrator to worry only about initial group/source configurations, and not about database maintenance. New client computers that suddenly appear or get installed on LAN 40, and that are not yet listed in the group/source database, can be assigned a default group that has highly restricted access associated with it. In this manner, the invention can handle future LAN 40 client expansion without having to further configure the new clients for access control.
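The decision flow of steps 205 through 215 (and claim 19), as an added example in Python that is not the patent's own code: the group/source lookup with a default group for unknown clients, the group/category lookup with a time-of-day restriction, and the match of IP address, full URL or URL segment against the category/destination database. All database contents, addresses and URLs are constructed sample data, and reading the time window as "restricted during these hours" is an assumption.

```python
# Added illustration of the network device's decision flow (steps 205-215, claim 19).
# Not the patent's own code; all database contents, addresses and URLs are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit

# Group/source database: client source address or subnet -> group.
# A client not listed falls back to the highly restricted default group.
GROUP_SOURCE = {"10.0.1.10": "staff", "10.0.2.0/24": "students"}
DEFAULT_GROUP = "restricted"

# Group/category database: group -> {restricted category: time window or None}.
# Assumption: a ("HH:MM", "HH:MM") window means the category is restricted only
# during those hours; None means it is restricted at all times.
GROUP_CATEGORY = {
    "staff": {"gambling": None, "sports": ("09:00", "17:00")},
    "students": {"gambling": None, "sports": None, "chat": None},
    "restricted": {"gambling": None, "sports": None, "chat": None, "news": None},
}

# Category/restricted-destination database (Table 3, columns 2-4): per category,
# IP addresses, full URLs, and URL segments (a host suffix or a path prefix).
CATEGORY_DESTINATION = {
    "gambling": {"ips": {"203.0.113.5"}, "urls": set(), "segments": {"casino.example"}},
    "sports": {"ips": set(), "urls": {"http://news.example/scores"}, "segments": {"/sports/"}},
    "chat": {"ips": set(), "urls": set(), "segments": {"chat.example"}},
    "news": {"ips": set(), "urls": set(), "segments": {"news.example"}},
}


@dataclass
class Decision:
    allowed: bool
    group: str
    reason: str  # matching category on denial, "no match" on allow


def lookup_group(source: str) -> str:
    """Step 205: map the packet's source address (field 302) to its group."""
    addr = ip_address(source)
    for entry, group in GROUP_SOURCE.items():
        if "/" in entry and addr in ip_network(entry):
            return group
        if "/" not in entry and addr == ip_address(entry):
            return group
    return DEFAULT_GROUP


def active_categories(group: str, now: str) -> list:
    """Categories restricted for this group at clock time 'now' ("HH:MM")."""
    active = []
    for category, window in GROUP_CATEGORY.get(group, {}).items():
        # Zero-padded "HH:MM" strings compare correctly as text.
        if window is None or window[0] <= now < window[1]:
            active.append(category)
    return active


def destination_matches(category: str, url: str, dest_ip: str) -> bool:
    """Steps 207/209: compare the IP, the full URL, or any URL segment with the category."""
    entry = CATEGORY_DESTINATION[category]
    if dest_ip in entry["ips"] or url in entry["urls"]:
        return True
    parts = urlsplit(url)
    host, path = (parts.hostname or ""), (parts.path or "/")
    for seg in entry["segments"]:
        if seg.startswith("/") and path.startswith(seg):
            return True
        if not seg.startswith("/") and (host == seg or host.endswith("." + seg)):
            return True
    return False


def decide(source: str, url: str, dest_ip: str, now: str, log: list) -> Decision:
    """Decide one request; a denial (step 210) is also logged (step 215)."""
    group = lookup_group(source)
    for category in active_categories(group, now):
        if destination_matches(category, url, dest_ip):
            log.append(f"DENY src={source} group={group} url={url} category={category}")
            return Decision(False, group, category)
    return Decision(True, group, "no match")  # step 211: forward to the server


if __name__ == "__main__":
    events = []
    print(decide("10.0.1.10", "http://news.example/sports/today", "198.51.100.7", "10:00", events))
    print(decide("10.0.1.10", "http://news.example/sports/today", "198.51.100.7", "20:00", events))
    print(decide("10.0.9.9", "http://news.example/", "198.51.100.7", "12:00", events))
    print(events)
```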

While this invention has been particularly shown and described with references to preferred embodiments thereof, it will be understood by those skilled in the art that various changes in form and details may be made therein without departing from the spirit and scope of the invention as defined by the appended claims. Those skilled in the art will recognize or be able to ascertain using no more than routine experimentation, many equivalents to the specific embodiments of the invention described specifically herein. Such equivalents are intended to be encompassed in the scope of the claims.

Inventor: Shannon, Steven

Assignment: Oct 14 2004, Content Advisor, Inc. (assignment on the face of the patent)
Maintenance fee events:
Dec 24 2012, REM: Maintenance Fee Reminder Mailed.
May 13 2013, M2553: Payment of Maintenance Fee, 12th Yr, Small Entity.
May 13 2013, M2556: 11.5 yr surcharge, late payment within 6 months, Small Entity.